Last active
September 1, 2021 21:16
Analyzing Malicious Documents (PDF file)
Name: SCAN_0502_FA2C8.pdf
MD5: dfc20138456eb478673e046754536c76
SHA-1: bbc5dbdf9bbf844854dc52f47b03b88ebac5bc17
SHA-256: a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9
Vhash: 913a9ca88f467c85a8c6e005b9321caa5
SSDEEP: 384:fC3s7nDeeTykyBmtnbFOB444uBAzLzobLTbL4wu:fC3sO+AAxOBhfAzAbPb8wu
File type: PDF
Magic: PDF document, version 1.4
File size: 16.93 KB (17337 bytes)
https://www.virustotal.com/gui/file/a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9/details
Extract the file from the 7z archive and check its format:
win32k:~# 7z x SCAN_0502_4CC4E.7z
Scanning the drive for archives:
1 file, 2064 bytes (3 KiB)
Extracting archive: SCAN_0502_4CC4E.7z
Path = SCAN_0502_4CC4E.7z
Type = 7z
Physical Size = 2064
Headers Size = 146
Method = LZMA2:6k
Solid = -
Blocks = 1
Everything is Ok
Size: 4965
Compressed: 2064
win32k:~# file SCAN_0502_4CC4E.vbs
SCAN_0502_4CC4E.vbs: ASCII text, with CRLF line terminators
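The PDF stage of the chain above (exiftool/binwalk expose a /URI action, wget fetches the 7z, 7z x and file identify the VBScript inside) can be triaged statically without opening the document. The script below is an added example written for this page, not code from the gist or from pdfid.py, whose key-counting it imitates: it counts the action-related names a pdfid run would show and pulls every /URI string, also from FlateDecode streams and from names written with #xx escapes, which a plain grep or strings misses. The two PDFs it scans are constructed fixtures; only the witsemehat.net URL is taken from the page's indicator, and all function names are my own.

```python
"""Static triage of a lure PDF: list the action keys and pull every /URI,
including ones hidden in FlateDecode streams or behind #xx name escapes.
Added example; not code from the gist or from pdfid.py."""
import re
import zlib

# --- constructed fixtures (synthetic PDFs, not SCAN_0502_FA2C8.pdf) ---------
# The host/path reuse the page's indicator so the output is recognisable.
PAYLOAD_URL = b"http://witsemehat.net/info/SCAN_0502_4CC4E.7z"

# Plain case: the catalog's /OpenAction is a /URI action written in clear text.
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /URI /URI (" + PAYLOAD_URL + b") >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Evasive case: the same action dictionary is deflated into a stream and the
# /URI key is spelled /U#52I, so neither strings nor a naive grep will show it.
_hidden = zlib.compress(b"<< /Type /Action /S /URI /U#52I (" + PAYLOAD_URL + b") >>")
EVASIVE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode /Length " + str(len(_hidden)).encode() + b" >>\n"
    b"stream\n" + _hidden + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names pdfid.py reports; counts are naive substring counts, as in pdfid.
RISKY_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
              b"/EmbeddedFile", b"/SubmitForm", b"/RichMedia", b"/URI"]

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /U#52I is scanned as /URI."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Decompress every FlateDecode stream, ignoring the /Length value (malware
    lies about it) and tolerating truncated or corrupt zlib data."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        # The stream dictionary sits between the last "obj" token and "stream".
        start = max(pdf.rfind(b"obj", 0, m.start()), 0)
        head = normalize_names(pdf[start:m.start()])
        if b"/FlateDecode" not in head:
            continue
        d = zlib.decompressobj()
        try:
            bodies.append(d.decompress(m.group(1)) + d.flush())
        except zlib.error:
            continue  # not zlib after all; keep scanning the other streams
    return bodies


def extract_uris(data: bytes) -> list[str]:
    """Return /URI targets given as literal (...) or hex <...> strings."""
    found = []
    for m in LITERAL_RE.finditer(data):
        # Drop the backslash of \( \) \\ escapes (octal escapes not handled).
        found.append(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"))
    for m in HEX_RE.finditer(data):
        digits = re.sub(rb"\s", b"", m.group(1))
        digits += b"0" * (len(digits) % 2)  # PDF pads a trailing odd digit with 0
        found.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return found


def defang(url: str) -> str:
    """http -> hxxp, the convention the page uses for its indicators."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.I)


def triage(pdf: bytes) -> dict:
    """Scan the raw file plus every inflated stream, after name normalisation."""
    views = [normalize_names(pdf)] + [normalize_names(b) for b in inflate_streams(pdf)]
    counts = {k.decode(): sum(v.count(k) for v in views) for k in RISKY_KEYS}
    uris = []
    for v in views:
        for u in extract_uris(v):
            if u not in uris:
                uris.append(u)
    return {"keys": {k: n for k, n in counts.items() if n},
            "uris": [defang(u) for u in uris]}


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EVASIVE_PDF
    print(json.dumps(triage(data), indent=2))
```

Run it as `python triage_pdf.py SCAN_0502_FA2C8.pdf` to get the key counts and defanged URIs for a real sample; with no argument it scans the evasive fixture. On that fixture `extract_uris` over the raw bytes returns nothing, while `triage` still reports the /OpenAction and the witsemehat.net URI, which is the point: always inflate streams and decode name escapes before trusting a negative grep result.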
Tools used:
- exiftool
- binwalk
- egrep
- wget
- olevba3
- colout
- cat
VT files:
https://www.virustotal.com/#/file/a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9/detection
https://www.virustotal.com/#/file/4d94eaace3a28423dcd407ed0db253ee97a8285ef0ebb8350daebb347182b631/detection
Malware-Traffic-Analysis.net related:
How can I download this file to check it?
Use binwalk and wget to download the related "URI" exposed by the exiftool command:
1) URI = (hxxp://witsemehat.net/info/SCAN_0502_4CC4E.7z)
win32k:~# binwalk SCAN_0502_FA2C8.pdf | colout 'XO.*'
win32k:~# wget hxxp://witsemehat.net/info/SCAN_0502_4CC4E.7z