Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-04-02 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Phishing PDFs with multiple links - Detection

Published: 2018-04-02
Last Updated: 2018-04-02 21:59:16 UTC
by Didier Stevens (Version: 1)
1 comment(s)

One advantage of static analysis over dynamic analysis, is that it can reveal more information than dynamic analysis. In the last analysis example of a phishing PDF, we uncovered more URLs via static analysis.

I did analyze this sample further, and discovered that there have been several similar phishing PDFs in the last months. What this actor does, is producing these phishing PDFs from the same Word document, only changing 2 URLS, and not noticing that there are actually 5 URLs.

Here is the metadata:

Since the actor is using the same tools to create these phishing PDFs,and is leaving 3 of the URLs unchanged, it becomes simple to detect. For example, here is a simple YARA rule to detect these phishing PDFs (I did defang the URL):

rule PDF_PHISHING {
    strings:
        $a = "%PDF-1.5"
        $b = "Word 2016"
        $c = "hxxp://www.giuseppemarzulli[.]it/"
    condition:
        @a == 0 and $b and $c
}

 

A deep analysis of malware with static and dynamic analysis can help reveal actionable IOCs.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc pdf phishing
1 comment(s)
ISC Stormcast For Monday, April 2nd 2018 https://isc.sans.edu/podcastdetail.html?id=5935
Diary Archives