Reader Wayne Smith submitted a PDF file attached to a malicious email. As happens often now, the PDF does not contain malicious code, just a malicious link. This URL can be detected and extracted with pdfid and pdf-parser:
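The detection step described above, as an added example (not code from the diary, and not pdfid or pdf-parser themselves): a pdfid-style keyword count followed by extraction of `/URI` action targets from the raw PDF bytes, handling both literal strings (with PDF escape sequences) and hex strings. The PDF fragment is constructed here; the `example.test` URLs are placeholders.

```python
import re

# Constructed minimal PDF fragment (not the reader's sample) with two /URI
# actions: a literal string with escaped parentheses and a hex string.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
4 0 obj << /Type /Action /S /URI /URI (http://example.test/inv\(2018\).php) >> endobj
5 0 obj << /S /URI /URI <687474703a2f2f6578616d706c652e746573742f7061796c6f6164> >> endobj
%%EOF
"""

KEYWORDS = (b"/OpenAction", b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")

def keyword_counts(pdf: bytes) -> dict[str, int]:
    # pdfid-style triage: count suspicious names (lookahead so /JS does not match /JSx).
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf)) for k in KEYWORDS}

def _decode_literal(raw: bytes) -> str:
    # Resolve the PDF string escapes that matter for URLs: \( \) \\ \n \r \t and \ddd octal.
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):          # backslash introduces an escape
            nxt = raw[i + 1]
            if 0x30 <= nxt <= 0x37:                   # octal escape, up to three digits
                j = i + 1
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")

# /URI followed by either a (literal) string or a <hex> string; escaped parens
# inside the literal are tolerated, unescaped nested parens are not (rare in URLs).
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")

def extract_uris(pdf: bytes) -> list[str]:
    # Return every /URI action target in document order, decoded to text.
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            uris.append(_decode_literal(m.group("lit")))
        else:
            uris.append(bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode()).decode("latin-1"))
    return uris

if __name__ == "__main__":
    print(keyword_counts(SAMPLE_PDF))
    print(extract_uris(SAMPLE_PDF))
```

A non-zero `/OpenAction` count next to a `/URI` is the pattern worth flagging in triage: the link fires without the reader clicking anything.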
No surprise with the .doc file, oledump reveals it contains macros:
If you pay a bit of attention, finding and decoding the URL is not too difficult:

Just substituting a couple of strings, and we have the URL:

The downloaded file is an executable (PE file) with a valid AuthentiCode signature:

The signature also has a timestamping countersignature, which allows us to pinpoint when this file was signed. The certificate was created about a week before this executable was signed. About 75 minutes after this executable was signed, it had already been submitted to VirusTotal.
Stream 4 (1Table) contains the signature:
If this malicious document were delivered to such an organization, there would be no warning about macros when the document is opened. But the VBA code would still not execute automatically upon opening: because the malicious document originates from the Internet, it is not trusted and carries a "mark-of-the-web". Therefore, Word will open this document in Protected View, disabling all active content.
Didier Stevens, ISC Handler, Feb 9th 2018