Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Jumping through the hoops: multi-stage malicious PDF spam

We've recently encountered a number of malicious spam messages with PDFs attached. The PDFs themselves are not malicious as they don't contain executable code, but they do contain images with underlying URI actions. The image, if clicked, will open the browser at the specified URL. What follows is an analysis of one of these samples.

Let's start with the email. We only saw a single instance of this message, which indicates to us that it was a low volume campaign. An analysis of the header trail showed the message originated from a real AOL webmail account.

10304_82b6d391-5af2-465a-bc40-9641c11ff922

 

The message included a PDF attachment, "PAYMENT RECEIPT.pdf," which didn't appear to embed any JavaScript or other malicious content. Opening the PDF reveals a blurred image with the suggestion that the document is secured and must be viewed online.

BSL_11845_cc29587a-6ef4-4e62-b309-e30ec6d5a998

 

Underlying the image is a URI action that opens a browser and loads a URL.

8764_38a9797d-49c3-418e-b1c6-96914b38ae31

The tinyurl redirects to the following web page:

7755_07811cdd-dac2-4e5e-8d70-caab513f350a

Here we were presented with an alert:

BSL_12066_d77e41a2-d065-4aa5-b35e-8c3580e192bf

Once we click OK, we're presented with a fake Adobe ID sign-in page.

8376_266cee44-06f5-446b-bd86-17596875d89f

The form duly accepted some gibberish we entered, which suggests that it's just part of the ruse and not actually harvesting credentials. Anyway, after convincing us we needed to view a secure PDF document online, we were now asked to download a Word Doc file!

BSL_9605_62e8a5a6-3ce8-4132-a8fb-653252fbb6fb

Once we save the document and try to open it...what's that? Another blurred image and instructions to enable content:

11565_bf76eedf-3c42-4d6b-9ade-e05a28ca93f2

 

So, in addition to bad English, the document contains a macro. We must be getting close now. Let's have a look at the macro which we extracted with oledump.py. As we might expect, the code is obfuscated, but with the use of URLDownloadToFileA and ShellExecute we can surmise that this code is downloading a file and executing it.

10605_919c3678-a372-400b-a11b-26cae989f1a4

Essentially, when the document is opened this macro downloads a file to the temp directory and executes it. Line 36 shows a long string to be decrypted with the Decrypt function on line 49. The decrypt function first reverses the string, and then applies a simple -1 letter substitution cipher to the ASCII characters, so f becomes e and y becomes x and so on. This reveals the string:

9073_48cff153-42c0-4967-bcb8-caf5577389e8

Upon downloading that file, we had problems getting the sample to run in the lab. It complained about .Net, and then refused to run even after we installed .Net. However, a static analysis of the binary (MD5: 5bb68067ca34e94b875b3c56e3b31e48) revealed a layered, obfuscated .Net dropper that installs Kazy Rootkit and DarkComet RAT, a well-known Remote Access Trojan.

In summary, this type of email attack, where seemingly innocent PDFs contain clickable images that lead to a chain of other nastiness, appear to be on the increase. This is most likely because PDFs are ubiquitous and offer a way for attackers to bury their URLs to potentially bypass email gateway scanning. In this particular case, the use of an additional Word document was also puzzling, as it could have easily been used as the original email attachment. But, the manager of this campaign may be aware that email gateways are getting good at blocking macro-based Word malware, which has been extremely prevalent over the past year or so. Perhaps too, the attacker wanted to reuse their already-existing Word malware, and opted for advertising the location of the Word document via the link in the PDF. Even if the malware did run properly, we can't imagine this campaign being very successful for the attacker. It's multi-stage and interactive nature requires a tenacious victim indeed, with just the right software and options enabled. Most people would be suspicious well before the Word document stage.

We have protections in place in the Trustwave Secure Email Gateway for this and other similar campaigns that we have seen.

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More