
SANS ISC: Phishing PDFs with multiple links - Detection - SANS Internet Storm Center


Phishing PDFs with multiple links - Detection

One advantage of static analysis over dynamic analysis is that it can reveal information dynamic analysis does not. In the last analysis example of a phishing PDF, we uncovered more URLs via static analysis.

I analyzed this sample further and discovered that there have been several similar phishing PDFs in the last months. This actor produces the phishing PDFs from the same Word document, changing only 2 of the URLs and not noticing that the document actually contains 5 URLs.

Here is the metadata:

Since the actor uses the same tools to create these phishing PDFs and leaves 3 of the URLs unchanged, they become simple to detect. For example, here is a simple YARA rule to detect these phishing PDFs (I did defang the URL):

rule PDF_PHISHING {
    strings:
        $a = "%PDF-1.5"
        $b = "Word 2016"
        $c = "hxxp://www.giuseppemarzulli[.]it/"
    condition:
        @a == 0 and $b and $c
}
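As an added example (not part of the diary or of Didier's tools), the following Python script applies the same three conditions as the YARA rule to raw PDF bytes and also inventories the distinct /URI targets, which is how the "5 URLs" observation above is made statically; the PDF bytes it scans are a constructed sample, not a real phishing document, and the refanging and /URI regex are my own assumptions (plain-text objects only, nothing inside compressed object streams).

```python
import re

# Constructed sample, not a real phishing PDF: an uncompressed PDF-like byte
# string with the header, a "Word 2016" producer string and four /URI link
# actions, two of which point at the same (unchanged) URL.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Producer (Microsoft Word 2016) >> endobj\n"
    b"2 0 obj << /S /URI /URI (http://www.giuseppemarzulli.it/) >> endobj\n"
    b"3 0 obj << /S /URI /URI (http://changed-link-1.example/) >> endobj\n"
    b"4 0 obj << /S /URI /URI (http://changed-link-2.example/) >> endobj\n"
    b"5 0 obj << /S /URI /URI (http://www.giuseppemarzulli.it/) >> endobj\n"
    b"%%EOF\n"
)

# Indicators taken from the YARA rule above; the URL is kept defanged here.
HEADER = b"%PDF-1.5"
PRODUCER = b"Word 2016"
DEFANGED_URL = "hxxp://www.giuseppemarzulli[.]it/"

# Matches /URI (literal string) entries; hex strings <...> and objects inside
# compressed object streams are not seen by this plain scan (assumption).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def refang(url):
    """Undo the usual defanging so the indicator can be matched against raw bytes."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def extract_uris(pdf_bytes):
    """Return the distinct /URI targets found by string scanning, in order of first appearance."""
    seen = []
    for m in URI_RE.finditer(pdf_bytes):
        uri = m.group(1).decode("latin-1")
        if uri not in seen:
            seen.append(uri)
    return seen

def matches_rule(pdf_bytes):
    """Same condition as the YARA rule: header at offset 0, producer string and unchanged URL present."""
    return (pdf_bytes.startswith(HEADER)
            and PRODUCER in pdf_bytes
            and refang(DEFANGED_URL).encode() in pdf_bytes)

def triage(pdf_bytes):
    """Combine the rule verdict with the URL inventory that static analysis gives us."""
    uris = extract_uris(pdf_bytes)
    return {"matches_rule": matches_rule(pdf_bytes), "uri_count": len(uris), "uris": uris}

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```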


A deep analysis of malware with static and dynamic analysis can help reveal actionable IOCs.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Thanks for checking out this PDF. I've sometimes seen PDFs with as many as 6 different URLs; your explanation that it's an error in the creator's tool is my current theory as well.
Anonymous
