Analyzing Phishing attacks that use malicious PDFs

Cybersecurity researchers Zoziel Pinto Freire analyzed the use of weaponized PDFs in phishing attacks

Every day everybody receives many phishing attacks with malicious docs or PDFs. I decided to take a look at one of these files. I did a static analysis and I went straight to the point to make this reading simple and fast.

Here is the received email as it was from the Caixa Economica Federal bank, but we can see the sender uses Gmail services and a strange name.

I verified this e-mail header using MXtoolbox, and we can see the IP used by the sender (attacker).

Below is the reputation of the IP used by the attacker.

We can see this IP has a lot of mentions about malicious activities.

I downloaded this file in my VPS (Kali Linux) and used peepdf to do an analysis of the file structure, and I found 2 URIs in objects 3 and 5.

After I checked objects 3 and 5 using pdf-parser, I discovered a malicious URL in the 3.

I did a check about this URL in VirusTotal and it had a malicious reputation.

When I opened the file in the Kali, we could see it had an original logo of the bank and a button to click that will direct me to an URL.

When I clicked in this button the URL hxxp://cefonlineencaminha[.]z13[.[]web[.]core[.]windows[.]net redirect to another URL ms[.]meuappavisos[.]com

I checked the URL reputation, and it has a lot of mentions about it.

In conclusion, it’s essential to take care and attention to each detail when you open this kind of email because you can put your machine in a dangerous situation, have your data exfiltrated, be hacked and etc.

Tools used during the analysis:

Kali Linux – https://www.kali.org/get-kali/
MX ToolBox – https://mxtoolbox.com
pdf-parser – https://blog.didierstevens.com/programs/pdf-tools/
peepdf – https://github.com/jesparza/peepdf
Abuse IPdb – https://www.abuseipdb.com
Virus Total – https://www.virustotal.com/

About the author: Zoziel Pinto Freire

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.