
Password protected PDF attachment


8 replies to this topic

#1 slym

slym

  • Members
  • 29 posts

Posted 12 December 2016 - 11:38 AM

One of my users opened an attachment that was sent from someone she knows, but has confirmed the email account was compromised.  The attachment was called Seminar Invitation.pdf, and was password protected.

 

AV scans of the file show no threats, and virustotal.com doesn't come up with anything either.

 

What are the chances of this being a virus?  I've been googling it and haven't found much info on viruses being spread via password protected PDF files. 

 

Thanks,

Sue





#2 RolandJS

RolandJS

  • Members
  • 4,539 posts

Posted 12 December 2016 - 01:26 PM

If the PDF was passworded, how was that PDF opened?  Or, do you mean only the email was opened and the PDF was merely downloaded and still sits there on the hard-drive?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,735 posts

Posted 12 December 2016 - 01:32 PM

Can you share the link to the VirusTotal analysis? I'll take a look.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 slym

slym
  • Topic Starter

  • Members
  • 29 posts

Posted 12 December 2016 - 08:42 PM

If the PDF was passworded, how was that PDF opened?  Or, do you mean only the email was opened and the PDF was merely downloaded and still sits there on the hard-drive?


I didn't see her "open" it, so I'm assuming that she just tried to open it. She told me that she couldn't open it because she didn't know the password.

I plan on copying it to a computer that's off the network, that I can wipe later if needed, just to see what happens when you open it. Just didn't have time to get that done today.

#5 slym

slym
  • Topic Starter

  • Members
  • 29 posts

Posted 12 December 2016 - 09:13 PM

Can you share the link to the VirusTotal analysis? I'll take a look.


I forgot to log into VirusTotal when I uploaded, so I'll have to get back to you tomorrow. The file is at work, and I'm at home now. Will post back tomorrow.

#6 slym

slym
  • Topic Starter

  • Members
  • 29 posts

Posted 13 December 2016 - 11:14 AM

Can you share the link to the VirusTotal analysis? I'll take a look.

Here's the VirusTotal link:

 

https://www.virustotal.com/en/file/e6b0361bbf0d0008462782a3519b8c5d2bd7afda355668cd910aaaed2a17282c/analysis/1481644880/



#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,735 posts

Posted 13 December 2016 - 11:55 AM

The PDF is not encrypted and it does not contain malicious code. But it is a phishing PDF.

 

This is how the PDF looks:

 

20161213_174821.png

When you click on the button and accept the warning (in Adobe Reader), your browser is launched to visit a Brazilian website, which displays this:

 

20161213_175330.png

This is a phishing website, designed to steal Adobe credentials.


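A static check for the three things post #7 reports (no encryption, no active content, a button that opens a URL), as an added example that is not part of the thread or any poster's own tool. The function names, the sample bytes and the `.invalid` hostname are constructed for illustration.

```python
import re

# Name tokens that change how a PDF must be analysed or that make a reader act.
KEYWORDS = [b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/OpenAction",
            b"/AA", b"/Launch", b"/EmbeddedFile", b"/URI"]
# Scripts, automatic actions, launch actions and embedded files.
ACTIVE = ["/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"]

def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes; nothing is rendered or executed."""
    names = decode_names(data)
    counts = {}
    for kw in KEYWORDS:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSfoo.
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        counts[kw.decode()] = len(re.findall(pattern, names))
    # Targets of URI actions written as literal strings: /URI (http://...)
    uris = [m.decode("latin-1") for m in
            re.findall(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", data, re.S)]
    return {
        "counts": counts,
        "encrypted": counts["/Encrypt"] > 0,
        "has_object_streams": counts["/ObjStm"] > 0,
        "active_content": any(counts[k] for k in ACTIVE),
        "uris": uris,
    }

# Constructed sample: a link annotation whose action opens an external URL,
# which is the shape of a phishing PDF with a clickable "button".
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
          b"3 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150]\n"
          b"  /A << /S /URI /URI (http://login.example.invalid/adobe) >> >> endobj\n"
          b"%%EOF\n")

if __name__ == "__main__":
    report = triage_pdf(SAMPLE)
    print("encrypted:", report["encrypted"])
    print("active content:", report["active_content"])
    print("link targets:", report["uris"])
```

A raw byte scan cannot see objects packed inside compressed object streams, so a non-zero `/ObjStm` count means the streams have to be inflated before a clean result can be trusted.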


#8 slym

slym
  • Topic Starter

  • Members
  • 29 posts

Posted 13 December 2016 - 08:38 PM

Ah, thank you. I still hadn't had a chance to open it up. I'll have to ask her why she told me it was password protected. But it's good to know she didn't get a virus from this. I guess I also need to ask her if she entered any credentials into those boxes.

Edited by slym, 13 December 2016 - 08:39 PM.


#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,735 posts

Posted 14 December 2016 - 02:03 PM

You're welcome.






