Analyzing Malicious Documents (PDF file)

gistfile1.txt

Name: SCAN_0502_FA2C8.pdf
MD5	dfc20138456eb478673e046754536c76
SHA-1	bbc5dbdf9bbf844854dc52f47b03b88ebac5bc17
SHA-256	a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9
Vhash	913a9ca88f467c85a8c6e005b9321caa5
SSDEEP	384:fC3s7nDeeTykyBmtnbFOB444uBAzLzobLTbL4wu:fC3sO+AAxOBhfAzAbPb8wu
File type	PDF
Magic	PDF document, version 1.4
File size	16.93 KB (17337 bytes)
https://www.virustotal.com/gui/file/a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9/details

Extract file from 7zip and se they format:

win32k:~# 7z x SCAN_0502_4CC4E.7z

Scanning the drive for archives:
1 file, 2064 bytes (3 KiB)

Extracting archive: SCAN_0502_4CC4E.7z

Path = SCAN_0502_4CC4E.7z
Type = 7z
Physical Size = 2064
Headers Size = 146
Method = LZMA2:6k
Solid = -
Blocks = 1

Everything is Ok

Size: 4965
Compressed: 2064

win32k:~# file SCAN_0502_4CC4E.vbs
SCAN_0502_4CC4E.vbs: ASCII text, with CRLF line terminators

Use olevba3 to see more info about this VBS file:

win32k:~# olevba3 -a SCAN_0502_4CC4E.vbs

Use egrep to print related IOC:

win32k:~# cat SCAN_0502_4CC4E.vbs | egrep 'd.exe|Create' -C2

Tools used:

• exiftool
• binwalk
• egrep
• wget
• olevba3
• colout
• cat

VT files:
https://www.virustotal.com/#/file/a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9/detection
https://www.virustotal.com/#/file/4d94eaace3a28423dcd407ed0db253ee97a8285ef0ebb8350daebb347182b631/detection

Malware-Traffic-Analysis.net related:

• https://www.malware-traffic-analysis.net/2018/02/05/index.html

How i can download this file for checking it?