PDF malware analysis


Hash: d26a7e67cda125f11270af0a820f6644cf920ed70fd5b166e82757dabb6d1ee0

Download sample link: Here

File type: PDF

VirusTotal score: 27/54


PDF Document Preview


PDFiD

I used the PDFiD tool to analyse the header of the PDF file. It reports that the file contains 24 URLs.


The next step is to extract the URLs from the document. I will use two tools for this: pdf-parser and PDFStreamDumper.

pdf-parser

I am using the pdf-parser tool to extract only the list of URLs from this document. To do that, I navigate to the pdf-parser folder and run the command below. pdf-parser is a Python script.

pdf-parser.py -k /URI <.pdf file> 


The following 5 URLs were extracted from the PDF document:

(http://www.diamondcreationslb . com/doc/rdd.htm)
(http://ruseuropharm . ru/tobi/index.php)
(http://tcil-bd . com/tin-count/zigi/index.php)
(http://tcil-bd . com/wp-includes/IXR/alen/index.php)
(http://tcil-bd . com/dfp/index.php)
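As an added example (not from the original post and not pdf-parser's own code), the following Python script performs the same /URI extraction on a constructed sample PDF: it counts every /URI occurrence separately from the distinct URLs (which is why a PDFiD keyword count can be higher than the number of distinct links), also inflates FlateDecode streams so a link inside a compressed object is not missed, and defangs the results in the "host . tld" style used in the list above. All URLs and objects in it are constructed placeholders.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Constructed sample PDF (not the analysed file). Two link annotations point at
# the same placeholder URL, one at a second URL, and a fourth /URI sits inside a
# FlateDecode-compressed stream, which a plain text search would not see.
_COMPRESSED = zlib.compress(b"<< /S /URI /URI (http://example.invalid/dfp/index.php) >>")
_STREAM_OBJ = (b"7 0 obj << /Filter /FlateDecode /Length " + str(len(_COMPRESSED)).encode()
               + b" >>\nstream\n" + _COMPRESSED + b"\nendstream\nendobj\n")
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"4 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.invalid/doc/rdd.htm) >> >> endobj\n",
    b"5 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.invalid/doc/rdd.htm) >> >> endobj\n",
    b"6 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.invalid/tobi/index.php) >> >> endobj\n",
    _STREAM_OBJ,
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# /URI followed by a literal string "( ... )" (escaped parentheses allowed);
# a FlateDecode dictionary followed by its stream body.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"/FlateDecode.*?stream\r?\n(.*?)\nendstream", re.DOTALL)

def extract_uris(pdf: bytes) -> Counter:
    """Count every /URI literal string in the file, inflating FlateDecode
    streams so a link hidden in a compressed object is counted as well."""
    bodies = [m.group(1) for m in STREAM_RE.finditer(pdf)]
    scan = [STREAM_RE.sub(b"", pdf)]          # uncompressed objects only
    for body in bodies:
        try:
            scan.append(zlib.decompress(body))
        except zlib.error:
            continue                          # damaged or non-zlib stream: skip it
    found = Counter()
    for chunk in scan:
        found.update(m.group(1).decode("latin-1") for m in URI_RE.finditer(chunk))
    return found

def defang(url: str) -> str:
    """Render a URL non-clickable in the 'host . tld' style used in the post."""
    p = urlparse(url)
    return p._replace(netloc=p.netloc.replace(".", " . ")).geturl()

def report(pdf: bytes) -> list:
    """Defanged distinct URLs with their occurrence counts, most frequent first."""
    return [f"{defang(u)} (x{n})" for u, n in extract_uris(pdf).most_common()]
```

Running `report(SAMPLE_PDF)` on the constructed file yields three distinct URLs from four /URI occurrences, the same kind of gap seen between the PDFiD count and the pdf-parser list above.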

PDFStreamDumper

PDFStreamDumper is a very handy tool with a GUI. It loads all objects in the PDF file and shows them in text and hex format. Opening the malicious PDF file in PDFStreamDumper, I can see the URLs under the objects. To get all the URLs, I have to go through every object in the left panel one by one.


URL Verification

http://www.diamondcreationslb . com/doc/rdd.htm

Report: Phishing


http://ruseuropharm . ru/tobi/index.php

Report: Phishing

Status: 404


http://tcil-bd . com/tin-count/zigi/index.php

Report: Phishing

Status: 404


http://tcil-bd . com/wp-includes/IXR/alen/index.php

Report: Phishing

Status: 404


http://tcil-bd . com/dfp/index.php

Report: Phishing

Status: 404


Summary:

  • The PDF file has URLs embedded.
  • All of the URLs are phishing.
