Monday, September 21, 2015

Malicious PDF

During one of the incident investigation, we came across a simple PDF, which was only one of the weaponized document out of many, which were part of the attack. The PDF came attached with an email, seemingly belonging to a genuine company with full address and genuine contact numbers.

The email address seem to be definitely compromised for this organization, which is weirdly using free gmail email account. The email was something like this:

---------- Email Start ----------------------

From: "Compromised Email Address"  <abc@gmail.com>
Date: Sep 18, 2015 9:18 PM
Subject: I've shared a file with you.
To:
Cc:
Hello

Please refer to the attached document i shared using Dropbox App. Click on the PDF and download for your reference. Its urgent and highly confidential, kindly do the needful and get back to me

Best regards

Thanks

--
Very Truly Yours




 Name
Managing Director
Company Name
23424 Floor - Flat No: 3242325
P.O Box : 31534324
P.C : 32434132 34234 - Muscat
Sultanate Of Oman
Office Timing:  Morning : 09:00 am - 01:00 pm
                  Evening : 05:30 pm -09:30 pm
 Mobile No:00968 3432423423432443 
 Office No: 24324234424

---------- Email End ----------------------

pdfid was used to parse the pdf for object types within it


pdfwalker was used to walk through the structure in order to identify suspicious streams and one of the URI objects contains a strange address, seemingly to look like dopbox URL but in reality the domain is dzcmarketing.com. 



The domain seem to be registered in Malaysia:



Using strings and grep to identify "http"


Once the pdf is opened it displays something like this with the hyperlink to the discovered malicious domain:




Visiting the page gives the typical credentials stealing page where unsuspecting users are social engineered to enter their social sites or emails credentials. This is probably how the attacker initially stole the Gmail credentials of the company being impersonated.


Clicking on the gmail icon brings up a box to enter the credentials, which seem genuine enough, and that is how the credentials are compromised. I entered something made-up, fake username and password and the malicious domain seem to accept that without validating in the back-end and redirecting to a pdf about "investment strategies".



No comments:

Post a Comment