@teixeira0xfffff
Last active September 1, 2021 21:16
Analyzing Malicious Documents (PDF file)
Name: SCAN_0502_FA2C8.pdf
MD5 dfc20138456eb478673e046754536c76
SHA-1 bbc5dbdf9bbf844854dc52f47b03b88ebac5bc17
SHA-256 a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9
Vhash 913a9ca88f467c85a8c6e005b9321caa5
SSDEEP 384:fC3s7nDeeTykyBmtnbFOB444uBAzLzobLTbL4wu:fC3sO+AAxOBhfAzAbPb8wu
File type PDF
Magic PDF document, version 1.4
File size 16.93 KB (17337 bytes)
https://www.virustotal.com/gui/file/a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9/details
@teixeira0xfffff
Author

teixeira0xfffff commented Jan 2, 2020

Use exiftool to extract more info about this PDF file:

win32k:~# exiftool -a -v -ee -uU -g2 SCAN_0502_FA2C8.pdf

ExifToolVersion = 11.16
FileName = SCAN_0502_FA2C8.pdf
Directory = .
FileSize = 17337
FileModifyDate = 1577961660
FileAccessDate = 1577961668
FileInodeChangeDate = 1577961666
FilePermissions = 33188
FileType = PDF
FileTypeExtension = PDF
MIMEType = application/pdf
PDFVersion = 1.4
Linearized = false
PDF dictionary (1 of 1) with 4 entries:
0) Size = 12

  1) Root (SubDirectory) -->
  + [Root directory with 2 entries]
    | 0) Type = /Catalog
    | 1) Pages (SubDirectory) -->
    | + [Pages directory with 3 entries]
    | | 0) Type = /Pages
    | | 1) PageCount = 2
    | | 2) Kids (SubDirectory) -->
    | | + [Kids directory with 6 entries]
    | | | 0) Type = /Page
    | | | 1) MediaBox = [0,0,612,792]
    | | | 2) Resources (SubDirectory) -->
    | | | + [Resources directory with 1 entries]
    | | | | 0) XObject (SubDirectory) -->
    | | | | + [XObject directory with 2 entries]
    | | | | | 0) img0 (SubDirectory) -->
    | | | | | + [img0 directory with 8 entries]
    | | | | | | 0) Type = /XObject
    | | | | | | 1) Subtype = /Image
    | | | | | | 2) Width = 480
    | | | | | | 3) Height = 128
    | | | | | | 4) Length = 82
    | | | | | | 5) ColorSpace = /DeviceGray
    | | | | | | 6) BitsPerComponent = 8
    | | | | | | 7) Filter = /FlateDecode
    | | | | | 1) img1 (SubDirectory) -->
    | | | | | + [img1 directory with 9 entries]
    | | | | | | 0) Type = /XObject
    | | | | | | 1) Subtype = /Image
    | | | | | | 2) Width = 480
    | | | | | | 3) Height = 128
    | | | | | | 4) SMask = ref(1 0 R)
    | | | | | | 5) Length = 14926
    | | | | | | 6) ColorSpace = [/CalRGB,HASH(0x5570afe93a38)]
    | | | | | | 7) BitsPerComponent = 8
    | | | | | | 8) Filter = /FlateDecode
    | | | 3) Annots (SubDirectory) -->
    | | | + [Annots directory with 5 entries]
    | | | | 0) Subtype = /Link
    | | | | 1) Rect = [212.25,732,399.75,782]
    | | | | 2) A (SubDirectory) -->
    | | | | + [A directory with 2 entries]
    | | | | | 0) S = /URI
    | | | | | 1) URI = (http://witsemehat.net/info/SCAN_0502_4CC4E.7z)
    | | | | 3) Border = [0,0,0]
    | | | | 4) C = [0,0,1]
    | | | 4) Contents (SubDirectory) -->
    | | | + [Contents directory with 2 entries]
    | | | | 0) Length = 88
    | | | | 1) Filter = /FlateDecode
    | | | 5) Parent = ref(5 0 R)
    | | + [Kids directory with 5 entries]
    | | | 0) Type = /Page
    | | | 1) MediaBox = [0,0,612,792]
    | | | 2) Resources (SubDirectory) -->
    | | | + [Resources directory with 1 entries]
    | | | | 0) Font (SubDirectory) -->
    | | | | + [Font directory with 1 entries]
    | | | | | 0) F1 (SubDirectory) -->
    | | | | | + [F1 directory with 4 entries]
    | | | | | | 0) Type = /Font
    | | | | | | 1) Subtype = /Type1
    | | | | | | 2) BaseFont = /Helvetica
    | | | | | | 3) Encoding = /WinAnsiEncoding
    | | | 3) Contents (SubDirectory) -->
    | | | + [Contents directory with 2 entries]
    | | | | 0) Length = 480
    | | | | 1) Filter = /FlateDecode
    | | | 4) Parent = ref(5 0 R)
  2) Info (SubDirectory) -->
  + [Info directory with 3 entries]
    | 0) Producer = (iTextSharp. 5.5.10 .2000-2016 iText Group NV (AGPL-version))
    | 1) CreateDate = (D:20180205143538+03'00')
    | 2) ModifyDate = (D:20180205143538+03'00')
  3) ID = [<4409d6d18dd3bcb48b3f0592a11a5082>,<4409d6d18dd3bcb48b3f0592a11a5082>]

@teixeira0xfffff
Author

teixeira0xfffff commented Jan 2, 2020

Use binwalk and wget to download the "URI" exposed by the exiftool command:

| | | | | 1) URI = (hxxp://witsemehat.net/info/SCAN_0502_4CC4E.7z)

win32k:~# binwalk SCAN_0502_FA2C8.pdf | colout 'XO.*'
win32k:~# wget hxxp://witsemehat.net/info/SCAN_0502_4CC4E.7z
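The /A action in the Link annotation above is what carries the payload URL, and the author defangs it by hand (hxxp) before reposting it. As an added example, not part of the gist, here is a small stand-alone Python triage script that pulls every /URI action target out of a raw PDF and defangs it for a report; it runs against a constructed minimal PDF that mirrors the annotation exiftool showed, and because it scans raw bytes it will miss dictionaries stored inside compressed object streams (PDF 1.5+).

```python
"""Pull /URI link-action targets out of a raw PDF and defang them (added example).

Scans raw file bytes, so it only sees uncompressed dictionaries; fine for the PDF 1.4
sample above, but a PDF 1.5+ file may hide annotations inside /ObjStm streams.
"""
import re

# A /URI key followed by a string value is the action target; the "/S /URI"
# entry has a name value, so this pattern does not match it.
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
_SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"\n": b"", b"\r": b""}  # backslash-EOL is a line continuation

def _unescape(m) -> bytes:
    esc = m.group(1)
    if esc[:1] in b"01234567":          # \ddd octal escape, one to three digits
        return bytes([int(esc, 8) & 0xFF])
    return _SIMPLE.get(esc, esc)        # \( \) \\ and unknown escapes keep the char

def decode_pdf_string(token: bytes) -> bytes:
    """Decode a PDF literal (...) or hex <...> string into raw bytes."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1]).decode()
        return bytes.fromhex(digits + "0" * (len(digits) % 2))
    return re.sub(rb"\\([0-7]{1,3}|.)", _unescape, token[1:-1], flags=re.DOTALL)

def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI action target in the raw PDF, in file order."""
    return [decode_pdf_string(m.group(1)).decode("latin-1")
            for m in _URI_RE.finditer(pdf_bytes)]

def defang(url: str) -> str:
    """Rewrite a URL (http -> hxxp, host dots -> [.]) so a report cannot be clicked."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path

# Constructed minimal PDF mirroring the /Link annotation exiftool showed above.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Page /MediaBox [0 0 612 792] /Annots [2 0 R] >> endobj
2 0 obj << /Subtype /Link /Rect [212.25 732 399.75 782] /Border [0 0 0]
/A << /S /URI /URI (http://witsemehat.net/info/SCAN_0502_4CC4E.7z) >> >> endobj
%%EOF"""

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print(defang(uri))
```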

@teixeira0xfffff
Author

teixeira0xfffff commented Jan 2, 2020

Extract the file from the 7zip archive and see its format:

win32k:~# 7z x SCAN_0502_4CC4E.7z

Scanning the drive for archives:
1 file, 2064 bytes (3 KiB)

Extracting archive: SCAN_0502_4CC4E.7z

Path = SCAN_0502_4CC4E.7z
Type = 7z
Physical Size = 2064
Headers Size = 146
Method = LZMA2:6k
Solid = -
Blocks = 1

Everything is Ok

Size: 4965
Compressed: 2064

win32k:~# file SCAN_0502_4CC4E.vbs
SCAN_0502_4CC4E.vbs: ASCII text, with CRLF line terminators

@teixeira0xfffff
Author

Use olevba3 to see more info about this VBS file:

win32k:~# olevba3 -a SCAN_0502_4CC4E.vbs

[image: screenshot of the command output]

@teixeira0xfffff
Author

teixeira0xfffff commented Jan 2, 2020

Use egrep to print the related IOCs:

win32k:~# cat SCAN_0502_4CC4E.vbs | egrep 'd.exe|Create' -C2

[image: screenshot of the command output]

@Usmaneeyy

How can I download this file to check it?
