Apr 1, 2011 07:51 GMT

A new malware distribution campaign generates emails posing as Warner Music orders that come with malicious PDF documents attached.

The rogue emails have subjects of the form "Your Order No ###### – Warner Music Inc." or "Your Order No ###### – Cell Phone Inc."

The message body informs recipients that an order was placed in their name and that a large sum of money will be charged to their credit card. It reads:

"Thank you for ordering from Warner Music Inc. This message is to inform you that your order has been received and is currently being processed.

Your order reference is Warner Music Inc. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 629.00 USB and "Warner Music Inc." will appear next to the charge on your statement. Your purchase information appears below in the file."

The files are called Order_N#####.pdf (where # is a digit) and, according to security researchers from M86 Security, they are rigged with an exploit for an older Adobe Reader vulnerability (CVE-2009-0927).

If exploitation is successful, a file called 1.php is downloaded from an external server. Despite its .php extension, this file is actually an executable. The purpose of the fake extension is to hide the download from network firewalls or intrusion prevention systems.
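A defender-side check for the disguise described above, as an added example that is not from M86 Security or the original article: it flags HTTP responses whose URL ends in a non-executable extension such as .php while the body begins with a Windows PE header. The hosts and sample bodies are constructed, and treating the payload as a Windows PE file is an assumption (the article says only "an executable").

```python
import struct
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Extensions whose responses should never be a native Windows executable.
NON_EXECUTABLE_EXTS = {".php", ".html", ".htm", ".txt", ".jpg", ".png", ".gif", ".css", ".js", ".pdf"}

def is_pe(body: bytes) -> bool:
    """True if body has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)  # offset of the PE signature
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def masquerading_downloads(responses):
    """Return URLs whose extension claims non-executable content but whose body is a PE file."""
    hits = []
    for url, body in responses:
        ext = PurePosixPath(urlsplit(url).path).suffix.lower()
        if ext in NON_EXECUTABLE_EXTS and is_pe(body):
            hits.append(url)
    return hits

def _constructed_pe_stub() -> bytes:
    """Constructed 72-byte stub: 'MZ', e_lfanew = 0x40, then the PE signature (assumed PE payload)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 4

# Constructed sample traffic; hosts use the reserved .example TLD.
SAMPLE_RESPONSES = [
    ("http://files.example/1.php", _constructed_pe_stub()),              # executable behind .php
    ("http://site.example/index.php", b"<html><body>ok</body></html>"),  # ordinary page output
    ("http://site.example/notes.txt", b"MZ is also two plain letters, " + b"x" * 64),  # 'MZ' text only
    ("http://cdn.example/setup.exe", _constructed_pe_stub()),            # honest extension, not flagged
]

if __name__ == "__main__":
    for url in masquerading_downloads(SAMPLE_RESPONSES):
        print("extension/content mismatch:", url)
```

Checking the `e_lfanew` pointer as well as the leading `MZ` keeps plain text that happens to start with those two letters from being flagged.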

This executable is responsible for downloading another piece of malware that currently has a very low detection rate on VirusTotal and whose purpose is to send spam.

"These days, PDF files arriving in unexpected emails should be treated with extreme suspicion. And please be sure to keep your PDF reader meticulously up to date to avoid getting exploited by old vulnerabilities such as this," the M86 Security researchers advise.