Attackers spreading this weaponized PDF intended to exploit the Chrome zero-day vulnerability to track the users and collect some user’s information when they open this malicious PDF in chrome browser.
Initially, this sample detected by the EdgeSpot and its act as a legitimate PDF with no malicious activities when it opened popular Adobe
But the same sample open via Chrome browser locally then it immediate establish the suspicious outbound traffic and also the engine detected as s “POTENTIAL ZERO-DAY ATTACK (Google Chrome), PERSONAL INFORMATION LEAKAGE.
According to Edgespot research, HTTP packet, following information of the user may be collected by the malicious sender:
- The public IP address of the user.
- OS, Chrome version etc (in HTTP POST header).
- The full path of the PDF file on user’s computer (in HTTP POST payload).
Interms of special artifacts, this sample malicious PDF affects Google Chrome (as local PDF viewer), not Adobe Reader.
This serious flaw reported to Google on December, 2018 and the Google responded that the patch will be released on April security update.
In this case, users suggested using alternative PDF reader application for viewing received PDF documents locally until Chrome fixes the issue, or disconnect a computer from the Internet when open PDF documents in Chrome.