Analysis of a suspicious PDF:
SWIFT CONFIRMATION.pdf – this PDF file looks suspicious. It came in for analysis, and we started to look into the code.
All these properties suggest the file is suspicious. Let's dive deeper, down to the code level:
We checked the compiler information, and it says Microsoft Visual Basic 5.0 / 6.0.
Compiler: Microsoft Visual Basic 5.0 / 6.0. The file is packed.
MD5: 524BAE85DB8BA5E6B161BC52D5B34113
(I searched for this MD5 on VirusTotal; the sample had been uploaded to VT just 7 hours before I wrote this post. Clean result: zero detections.)
This PDF sample connects to the following URLs:
- hxxp://tinyurl.com/jy69pnw
- hxxp://bit.ly/2bPBbCF
- hxxps://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1
All these URLs are suspicious.
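As an added example (not code from the original post), here is a small Python triage script that pulls the /URI link targets out of a raw PDF, defangs them in the hxxp notation used above, computes the file's MD5 for a VirusTotal lookup, and flags the same signals this write-up relies on: a URL shortener hiding the real destination, a Dropbox direct-download link, and a link whose path ends in an executable extension such as .scr. The PDF bytes below are a constructed stand-in that only carries the URLs listed in the post; they are not the SWIFT CONFIRMATION.pdf sample, and the shortener and extension lists are my own choices.

```python
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF-like byte string with three
# link annotations carrying the URLs from the write-up. This is NOT the real
# SWIFT CONFIRMATION.pdf; nothing else about that file is reproduced here.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://bit.ly/2bPBbCF) >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://tinyurl.com/jy69pnw) >> >> endobj
%%EOF
"""

# Assumed lists (analyst's choice): common shorteners and executable extensions.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
EXECUTABLE_EXTS = (".scr", ".exe", ".dll", ".js", ".vbs", ".hta", ".cmd", ".bat")

# Matches "/URI (target)" in uncompressed PDF objects. Object streams and
# escaped parentheses are out of scope for this first-pass triage.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def file_md5(data: bytes) -> str:
    """Upper-case MD5 hex digest, the form used for the VirusTotal lookup."""
    return hashlib.md5(data).hexdigest().upper()


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI link target found in the raw PDF bytes, in file order."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]


def defang(url: str) -> str:
    """Rewrite http/https to hxxp/hxxps so the link cannot be clicked by accident."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def triage_url(url: str) -> Dict:
    """Flag a single link target with the reasons it looks suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    if host in SHORTENER_HOSTS:
        reasons.append("url shortener hides the real destination")
    if path.endswith(EXECUTABLE_EXTS):
        reasons.append("link downloads an executable (%s)" % path.rsplit(".", 1)[-1])
    if "dropbox.com" in host and "dl=1" in parsed.query.lower():
        reasons.append("dropbox direct-download link")
    return {"url": defang(url), "host": host, "suspicious": bool(reasons), "reasons": reasons}


def triage_pdf(pdf_bytes: bytes) -> Dict:
    """Hash the file and triage every embedded link target."""
    return {"md5": file_md5(pdf_bytes), "links": [triage_url(u) for u in extract_uris(pdf_bytes)]}


if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    print("MD5:", report["md5"])
    for link in report["links"]:
        flag = "SUSPICIOUS" if link["suspicious"] else "ok"
        print("[%s] %s  %s" % (flag, link["url"], "; ".join(link["reasons"])))
```

Run it against a real sample with `triage_pdf(open("file.pdf", "rb").read())`. The regex only sees plain-text objects; a PDF that stores its annotations inside compressed object streams needs a proper PDF parser before this check, so an empty result is not a clean result.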
Execution of the PDF:
I executed the PDF file and attached the screenshot below:
The content is masked, and the page asks us to view it on Adobe online.
That again follows the Dropbox link and leads to the download of a file named swift confirmation.scr.
(The "View on Adobe" button links to the Dropbox URL.)
Conversion of the shortened URLs to their long URLs:
hxxp://tinyurl.com/jy69pnw
- hxxp://www.childrenshomeinternational.org/https/PDF/cancel.htm
(Searched for it on Google, which led to the VirusTotal results – https://www.virustotal.com/en/url/10298ea7f52ad85cc4e2fe5ac36d8fcae679c1e4d9a9c23b18f845e54f977614/analysis/ – flagged as a malicious site)
hxxp://bit.ly/2bPBbCF
- hxxp://www.pdfupdatersacrobat.top/website/indexy.html
(Found on VirusTotal, https://www.virustotal.com/en/url/6013877f28fd44f110a5005b6e72f4f286ff8c75daaae16337b734e79a4a5e50/analysis/1472660702/ – flagged as a malicious site)
Finally we got the Dropbox link:
hxxps://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1
I downloaded the swift confirmation.scr file from that Dropbox link in a controlled environment on a separate network.
It is an executable file, not a regular .scr file. Pretty suspicious.
Version info:
It looks like it contains a digital signature, and the version info claims the file belongs to Samsung Electronics Co. Ltd.
The digital signature does not match; just check the snapshot below: