LetsDefend: PDF Analysis

WARNING: Do not open/run the pdf file on your local machine because it is malicious. Use the sandbox to analyze the file.

Scenario: An employee has received a suspicious email. The employee reported this incident and mentioned that they did not download or open the attachment as they found the email very suspicious. They wish for you to analyze it further to verify its legitimacy.

Artifacts:

From: SystemUpdate@letsdefend.io
To: Paul@letsdefend.io
Subject: Critical – Annual Systems UPDATE NOW
Message: Please do the dutiful before the deadline today.
Attachment: Update.pdf

I used two VMs (REMnux and Windows 10) to complete the analysis and answer all the questions. I used REMnux so that I didn’t have to install the PDF analysis tools manually. Here’s the link to REMnux’s documentation of all the PDF analysis tools installed.

Analysis Prep:

  • Download the malicious PDF from this link. I downloaded the file on both REMnux and Win10 VMs.
  • Extract the malicious file and use the password “letsdefend” without quotation marks.
  • When analyzing PDF files, I first run pdfid to check for possible suspicious elements in the PDF. Almost all malicious PDFs will have a non-zero count for the /OpenAction and /Launch elements, as shown in the image below. Type pdfid.py pdf_filename_here.
  • The pdfid step only tells us whether potentially malicious elements are present. Next, we examine those elements with the tool peepdf. Type peepdf -fli pdf_filename_here.
    • -f – sets force parsing mode to ignore errors
    • -l – sets loose parsing mode to catch malformed objects
    • -i – sets the console in interactive mode
  • Inspect each object referenced by the /OpenAction and /Launch elements by typing object object_number_here in the interactive prompt.
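As an added example (not code from the write-up or from the pdfid/peepdf projects), here is a small pdfid-style triage in Python that counts the keywords the prep steps look for and also resolves #xx-escaped names, which a literal search for "/OpenAction" would miss; the SUSPICIOUS set, the function names and the SAMPLE_PDF bytes are my own constructions.

```python
import re
from collections import Counter

# Keywords pdfid.py reports; the prep step looks for non-zero counts of these.
SUSPICIOUS = {b"/OpenAction", b"/AA", b"/Launch", b"/JS", b"/JavaScript",
              b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/AcroForm", b"/ObjStm"}
# Keywords that run something automatically or execute code; the pairing the write-up flags.
TRIGGERS = {"/OpenAction", "/AA", "/Launch", "/JS", "/JavaScript"}

# A PDF name may spell any character as #xx (/Ope#6eAction == /OpenAction), so a
# literal grep for "/OpenAction" misses an evasive file; normalize before counting.
_NAME = re.compile(rb"/([^\s/<>\[\]()%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes inside a PDF name token."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def triage(pdf: bytes) -> dict:
    """pdfid-style keyword counts plus a verdict on whether to open the file in peepdf."""
    counts = Counter()
    obfuscated = 0
    for m in _NAME.finditer(pdf):
        token = m.group(1)
        if b"#" in token:
            obfuscated += 1          # escaped names are rare in benign producers
        name = b"/" + normalize_name(token)
        if name in SUSPICIOUS:
            counts[name.decode()] += 1
    return {
        "counts": dict(counts),
        "obfuscated_names": obfuscated,
        "suspicious": bool(TRIGGERS & counts.keys()) or obfuscated > 0,
    }

# Constructed minimal PDF for demonstration (not the challenge file): an
# /OpenAction that launches an executable, plus a hex-escaped /JavaScript name.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Launch /F (calc.exe) >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Like pdfid, this is a byte-level keyword scan, so keywords hidden inside compressed object streams (/ObjStm) are not seen; that is why the write-up moves on to peepdf to open the objects themselves.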

Questions:

  1. What local directory name would have been targeted by the malware?
    • {C:\Documents\}
      • In Object 19, there is a base64 encoded command.
      • Let’s decode the command using CyberChef, then use the From Base64 operation.
      • You’ll notice from the output that the decoded base64 command seems incomprehensible. We have to add the Reverse operation after From Base64 to make it readable, and then you will find the answer to the local directory name.
  2. What would have been the name of the file created by the payload?
    • {d0csz1p}
      • The file name that would have been created is in the same decoded base64 command. The percent signs are backslashes.
  3. What file type would this have been if it were created?
    • {zip}
      • This was a guess answer. Since the answer in question #2 has the word “zip,” I thought it would be a .zip file.
  4. Which external web domain would the malware have attempted to interact with?
    • {filebin.net}
      • For this question, we must analyze and understand the JavaScript element in Object 33.
      • I used the tool pdfstreamdumper on Windows 10 VM for this question.
      • Run PdfStreamDumper.exe, select the malicious PDF file, and click Load.
      • Pick Object 33 from the list of objects on the left column.
      • Because this is JavaScript, we have to pick the JavaScript_UI tab.
      • The JavaScript UI window pops up. Then, click run. WARNING: You will see a line in the JavaScript UI window that says, “THIS RUNS SCRIPTS LIVE — NO SANDBOX.” So, please ensure that you are in a safe sandbox environment before hitting RUN.
      • The results box will show the answer to the external web domain.
  5. Which HTTP method would it have used to interact with this service?
    • {POST}
      • From the same result in the pdfstreamdumper, we can find the HTTP method used.
  6. What is the name of the obfuscation used for the JavaScript payload?
    • {eval}
      • Looking at the JavaScript from Object 33, we can see the eval function.
      • eval() is a global function in JavaScript that evaluates a specified string as JavaScript code and executes it.
  7. Which tool would have been used for creating the persistence mechanism?
    • {wmic}
      • Now, we will have to analyze the content of Object 26. We first notice the word “Powershell,” and we also see the PowerShell command Invoke-Expression.
      • Invoke-Expression is a PowerShell command that evaluates or runs a specified string as a command. So we must be careful not to execute this script, or it will run the encoded payload.
      • To continue our analysis, we will replace the Invoke-Expression with the Write-Output command so that instead of executing the script, it will only display the result as strings on the terminal.
      • Open a PowerShell prompt, paste the script, replace “invoke-expression” with “write-output,” and hit enter.
      • You will see the wmic command-line utility at the beginning of each command line.
      • wmic is a command-line utility that allows users to perform WMI (Windows Management Instrumentation) operations from a command prompt.
  8. How often would the persistence be executed once Windows starts? (format: X.X hours)
    • {2.5 hours}
      • A large bare number in a scheduling command line is usually an interval in seconds. We can see a 9000 in the first command line entry. So, 9000/60 = 150 minutes, and 150/60 = 2.5 hours.
  9. Which LOLBin would have been used in the persistence method?
    • {Powerpnt.exe}
      • In the second command line entry, we see an executable path pointing to powerpnt.exe.
      • We can then check this link to verify that powerpnt.exe is on the LOLBin list.
      • LOLBin stands for Living Off the Land Binary; the list (LOLBAS) covers Binaries, Scripts, and Libraries. It is the Windows equivalent of GTFOBins for the *nix family.
  10. What filename would have been downloaded and executed using the LOLBin?
    • {wallpaper482.scr}
      • In the second command line entry, we can find the file name that would have been downloaded and executed.
  11. Where would this have been downloaded from? (format: IP address)
    • {60.187.184.54}
      • Again, in the second command line entry, we can find the IP address from which the file would have been downloaded.
  12. Which country is this IP address located in?
    • {China}
      • Using the IP address we got from question #11, we will use the whois tool to attribute the said IP address.
      • whois queries the public registration records for a domain or an IP address block, identifying the registrant or the organization the address range is allocated to and how to contact them. Type whois IP_Address_here
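Questions 1 and 7 both come down to recovering a command without running it: Q1 undoes base64 and then a string reversal, and Q7 swaps Invoke-Expression for Write-Output. The following Python, added here and not from the write-up, does both statically; the INNER payload is a constructed stand-in for the real one, and the token-scoring heuristic and function names are my own.

```python
import base64
import binascii
import re

# "Printable" does not mean decoded: a reversed command is still printable ASCII (the
# Q1 gibberish before the Reverse step), so each view is scored on PowerShell-like
# tokens and the highest-scoring one is kept.
_PS_TOKENS = re.compile(
    r"\b[A-Z][a-z]+-[A-Z][a-z]+\b|(?<!\w)-[A-Za-z]+\b"  # Verb-Noun cmdlets, -Parameters
    r"|\$\w+|\b[A-Za-z]:\\|https?://"                   # $variables, drive paths, URLs
    r"|\.(?:exe|dll|ps1|zip|scr|bat)\b")                # common file extensions
# Plain Invoke-Expression / iex tokens only; aliased or string-built calls need manual review.
_IEX = re.compile(r"(?<![\w$-])(?:Invoke-Expression|iex)(?![\w-])", re.IGNORECASE)

def ps_score(text: str) -> int:
    """Count PowerShell-like tokens; higher means a more plausible command line."""
    return len(_PS_TOKENS.findall(text))

def candidates(raw: bytes):
    """Text views of one decoded layer: as-is, reversed, UTF-16LE (-EncodedCommand)."""
    yield "as text", raw.decode("latin-1")
    yield "Reverse", raw[::-1].decode("latin-1")
    if len(raw) % 2 == 0:
        yield "Decode UTF-16LE", raw.decode("utf-16-le", "replace")

def unwrap(text: str, max_layers: int = 5):
    """Statically peel base64 layers; returns (CyberChef-style recipe, recovered text).
    Nothing is executed at any point."""
    steps = []
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(text.strip(), validate=True)  # strict: stop on non-base64
        except (binascii.Error, ValueError):
            break
        steps.append("From Base64")
        label, text = max(candidates(raw), key=lambda c: ps_score(c[1]))  # ties keep "as text"
        if label != "as text":
            steps.append(label)
    return steps, text

def defang(script: str) -> str:
    """Q7's trick applied to the text: Invoke-Expression/iex become Write-Output, so a
    run in an isolated VM prints the next stage instead of executing it."""
    return _IEX.sub("Write-Output", script)

# Constructed sample (not the challenge payload): command reversed, then base64-encoded.
INNER = (r"New-Item -ItemType Directory -Path C:\ExampleDir\ ; "
         r"Compress-Archive -Path C:\ExampleDir\* -DestinationPath C:\ExampleDir\example.zip")
ENCODED = base64.b64encode(INNER[::-1].encode()).decode()
```

A final stage that happens to be valid base64 with no spaces (a bare word, say) will be peeled one layer too far, so compare the returned recipe against the text before trusting it.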

I hope you guys had fun going through my write-up. Please subscribe if you haven’t done so.

Published by lightkunyagami

https://tryhackme.com/badge/18276
