
New PDF


8 replies to this topic

#1 JohnnyJammer


Posted 02 May 2016 - 05:36 PM

A PDF came in the mail today and because it looked suspicious I did some scans and guess what, it was a nasty little sucker.

https://www.hybrid-analysis.com/sample/afd131514395564a0ff64fc5d5163df708af5275b734db442fc8a5185f1b67cb?environmentId=4

 

 




 


#2 Didier Stevens


Posted 03 May 2016 - 12:40 PM

Curious to know what made you believe this was a PDF?

I downloaded the sample, and it's a PE file (POP.exe) inside a ZIP file. It contains icons, but no Adobe icons.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 JohnnyJammer


Posted 03 May 2016 - 06:23 PM

Because it was an actual PDF document, I then scanned the URL which contained the zip file which was embedded in the PDF, mate.

Actual PDF scan

https://www.hybrid-analysis.com/sample/73e6bd6c8c081df14a9a5c7cdb5fe55fc21529768b3a187bfe8c8e4a96817b1f?environmentId=1




#4 ScathEnfys

Posted 04 May 2016 - 12:22 PM

Anytime something other than an image is embedded in a PDF, that's a massive warning flag.

Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase

#5 Didier Stevens

Posted 05 May 2016 - 06:41 AM

I've seen similar PDFs before. They don't contain malicious code. Just social engineering to click on a link and download malware.




#6 rp88


Posted 07 May 2016 - 08:54 AM

Malicious PDF files can definitely exist; the PDF format contains some features which can trick some PDF reader programs into doing things such as automatically visiting various websites or downloading and running various files. One useful piece of advice is to open PDF files with something like Firefox or Chrome's inbuilt PDF viewer rather than Adobe Reader/Acrobat. Reader/Acrobat supports a lot of complex PDF features, some of which can be used maliciously; PDF readers in browsers only support the basic features so are less vulnerable, though not totally invulnerable.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#7 ScathEnfys


Posted 07 May 2016 - 09:02 AM

@rp88 interesting... I already used Firefox's built-in PDF viewer to cut down on bloat on my PC.

I would say though that opening any unknown files in a VM is the way to go.

#8 Didier Stevens


Posted 07 May 2016 - 02:07 PM

If you open this PDF in Chrome's built-in PDF reader, and you click the link, then you are immediately directed to the website.

If you open this PDF in Adobe's PDF reader, and you click the link, then you receive a warning, and you need to confirm that you want to be directed to the website.

Opening potentially malicious PDFs in Firefox's built-in PDF reader is useful to mitigate exploits, because Firefox's built-in PDF reader is written in JavaScript, and exploits written for readers like Adobe Reader will not work in JavaScript (I don't know if Chrome's built-in PDF reader is written in JavaScript).

But Adobe Reader has many protections that Firefox doesn't have.


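A defender's triage check for the two kinds of PDF rp88 and Didier describe above (a link-only lure that relies on the user clicking, versus a file carrying script, launch or open actions that a full-featured reader may act on): this is an added example, not code from the thread or from any of its participants. The PDF bytes are a constructed sample, and the list of PDF name tokens it looks for is my own choice of the ones worth flagging.

```python
import re
from typing import Dict, List

# Constructed sample (not the file from the thread): a minimal PDF whose only
# "active" element is a clickable link annotation with a /URI action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
           /A << /S /URI /URI (http://example.invalid/POP.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name tokens that make a reader do something beyond drawing the page:
# run script, launch a file, act on open/events, or follow a link.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
LINK_NAMES = (b"/URI", b"/GoToR", b"/SubmitForm", b"/EmbeddedFile")

def count_names(data: bytes) -> Dict[str, int]:
    """Count each token; a name ends at a delimiter, so /JS must not match /JSX."""
    counts = {}
    for name in ACTIVE_NAMES + LINK_NAMES:
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, data))
    return counts

def extract_uris(data: bytes) -> List[str]:
    """Return the targets of literal-string /URI entries: /URI (target)."""
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/URI\s*\((.*?)\)", data, re.DOTALL)]

def triage(data: bytes) -> dict:
    """Summarise what the file could make a reader do.

    Limitation: names inside compressed object streams or written with
    #xx hex escapes are not seen by this plain byte scan.
    """
    counts = count_names(data)
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "counts": {k: v for k, v in counts.items() if v},
        "uris": extract_uris(data),
        "has_active_content": any(counts[n.decode()] for n in ACTIVE_NAMES),
        "has_links": any(counts[n.decode()] for n in LINK_NAMES),
    }
```

Run `triage(open(path, "rb").read())` on a suspect file: the sample above comes back with links but no active content, which is the social-engineering case from the thread, while any non-zero `/JavaScript`, `/Launch` or `/OpenAction` count is the case where the reader itself, not the user, is the target.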


#9 pcpunk


Posted 07 May 2016 - 11:08 PM

Very good to know Didier!



KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

 




