So I was heading for bed when I received an email allegedly from Amazon regarding my supposed Amazon Prime billing information.
The email says “Prime Account” but came from:
Yeah sure! I could have stopped there but was just curious to see a bit more and ended up doing a complete analysis. I wanted to share this on my blog as a late night challenge, so here we go.
The email came with an attachment named Membership_Issue_55267.pdf. The email headers (File -> Properties in Outlook, if you forgot) gave me some info. The sender domain has no SPF record, so Outlook was not able to verify whether the sending IP was authorized for that domain. Interesting, as it was indeed sent through smtp-relay.gmail.com.
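The same header checks can be scripted. The following is an added Python example using only the standard library; it is not the author's code and the message it parses is constructed (placeholder domains, IP and header values, shaped like what an inbound mail gateway stamps into Authentication-Results and Received). It pulls the SPF/DKIM/DMARC verdicts, the From domain, the last relay and the attachment names, and flags the combination seen here: no SPF pass plus a PDF attachment.

```python
import email
import re
from email import policy
from typing import Dict, List, Optional

# Constructed sample message, not the author's actual email. Domains, the IP and
# the header values are placeholders; the header shape mirrors what an inbound
# mail gateway stamps into Authentication-Results and Received.
SAMPLE_EML = b"""\
Received: from smtp-relay.gmail.com (smtp-relay.gmail.com [203.0.113.10])
 by mx.example.net with ESMTPS; Sun, 11 Dec 2022 22:41:07 +0000
Authentication-Results: spf=none (sender IP is 203.0.113.10)
 smtp.mailfrom=prime-account.example; dkim=none (message not signed)
 header.d=none; dmarc=none action=none header.from=prime-account.example
From: "Prime Account" <billing@prime-account.example>
To: victim@example.net
Subject: Membership Issue
Content-Type: application/pdf; name="Membership_Issue_55267.pdf"
Content-Disposition: attachment; filename="Membership_Issue_55267.pdf"

(attachment bytes omitted in this constructed sample)
"""

_AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=([A-Za-z]+)")


def parse_auth_results(msg) -> Dict[str, str]:
    """Collect the first spf/dkim/dmarc verdict found in Authentication-Results headers."""
    verdicts: Dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in _AUTH_VERDICT.findall(str(value)):
            verdicts.setdefault(method, verdict.lower())
    return verdicts


def last_relay(msg) -> Optional[str]:
    """Host named in the top-most Received header, i.e. the hop that handed the mail to our MX."""
    received = msg.get_all("Received", [])
    match = re.search(r"from\s+(\S+)", str(received[0])) if received else None
    return match.group(1) if match else None


def triage(raw: bytes) -> dict:
    """Summarize authentication results, sender domain, relay and attachments, with simple flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    sender_domain = msg["From"].addresses[0].domain.lower()
    attachments: List[str] = [p.get_filename() for p in msg.walk() if p.get_filename()]
    # Anything that is not an explicit "pass" is worth a look (none, fail, softfail, missing)
    flags = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if any(name.lower().endswith(".pdf") for name in attachments):
        flags.append("pdf-attachment")
    return {"auth": auth, "sender_domain": sender_domain, "relay": last_relay(msg),
            "attachments": attachments, "flags": flags}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

Run it against a saved .eml (read the file as bytes and pass it to triage) to get the same summary a mail gateway log would give you, without opening the message in a client.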
Finally, one funny note before diving into the payload: the email first arrived in my inbox, but after some time it was moved to the Junk folder. I'm not entirely sure how Outlook/O365 works here, but it is fair to say that, to avoid delaying email, it is delivered first and moved into the Junk folder later, based on sandbox/reputation results (?).
Ok let’s see what this pdf does. But first let’s briefly see what a pdf really is.
PDF (Portable Document Format) is a file format composed of 4 main parts:
- A header
- A body containing objects
- A cross-reference table
- A footer
The body is usually where it gets interesting: it can contain objects of different types such as integers, strings, arrays, streams and others. It is well explained here: https://en.wikipedia.org/wiki/PDF
To start an analysis it’s always a good idea to get an overview of what we are looking at. An excellent tool for that purpose is pdfid from Didier Stevens: https://blog.didierstevens.com/programs/pdf-tools/
Here, we can see some object streams (objstm) and a form (acroform); the latter is interesting as it might be used for malicious purposes. I couldn't find anything relevant in this one, but this blog has some good examples: https://furoner.wordpress.com/2017/11/15/checking-for-maliciousness-in-acroform-objects-on-pdf-files/
Now, there are still the objstm objects to analyze. We know they can contain other objects (except another objstm #InfiniteLoop), so it's always a good idea to search the content of those objstm to grab more info. To do so, we can use another tool from Didier Stevens called pdf-parser: https://blog.didierstevens.com/programs/pdf-tools/
Using this tool, we can display the content of those stream objects and start searching through it. To be "quick and dirty", we can grep for JavaScript or link keywords:
pdf-parser -s objstm Membership_Issue_55267.pdf -f | grep -E "/URI|/JS"
And that works, we found a suspicious link! But here is a better way of analyzing stream objects, using the following command that forces pdf-parser to, well, parse the contained objects. By scrolling through the output (or grepping) we can spot the object of interest, in our case object 42:
pdf-parser -O Membership_Issue_55267.pdf -o 42
So let’s remember that anytime we encounter stream objects we can use option “-O” to request pdf-parser to parse those objects as well.
Another trick proposed by Didier Stevens is to "pipe" the output of pdf-parser into pdfid to get a more detailed overview of the file objects. Another efficient way of getting a proper view of all objects is to use the same objstm parsing option "-O" and let pdf-parser compute some stats on it with the flag "-a". This way we can see an /Action as well as a /URI for object 42. This is done with the following command:
pdf-parser -a -O Membership_Issue_55267.pdf
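To make concrete why the "-O" option matters, here is an added Python example. It is not pdfid or pdf-parser code and was not run on the original attachment: it builds a constructed PDF-like byte string whose only /URI action (object 42) sits inside a FlateDecode-compressed object stream, counts pdfid-style keywords on the raw bytes, then inflates the streams and counts again. The hidden /URI only shows up in the second pass. The #xx hex-escape normalization mirrors what pdfid does for obfuscated names such as /J#53. The keyword list, the sample URL and the object layout are assumptions for the demo.

```python
import re
import zlib
from typing import Dict, List

# --- Constructed sample, not the Membership_Issue_55267.pdf attachment ---
# A minimal PDF-like byte string whose only /URI action (object 42) lives inside
# a FlateDecode-compressed object stream (/ObjStm). The decoded stream follows
# the ObjStm convention: "objnum offset" pairs first, then the objects, with
# /First giving the offset where the objects begin.
_OBJSTM_HEADER = b"42 0 "
_OBJSTM_OBJECTS = b"<< /Type /Action /S /URI /URI (https://docs.example.invalid/drawing/preview) >>"
_OBJSTM_RAW = zlib.compress(_OBJSTM_HEADER + _OBJSTM_OBJECTS)

SAMPLE_PDF = (
    b"%PDF-1.7\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    + b"3 0 obj << /Fields [] >> endobj\n"
    + b"4 0 obj << /Type /ObjStm /N 1 /First " + str(len(_OBJSTM_HEADER)).encode()
    + b" /Filter /FlateDecode /Length " + str(len(_OBJSTM_RAW)).encode() + b" >>\n"
    + b"stream\n" + _OBJSTM_RAW + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# A subset of the keywords pdfid reports on
KEYWORDS = (b"/ObjStm", b"/AcroForm", b"/JS", b"/JavaScript", b"/URI", b"/OpenAction", b"/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "stream" not preceded by "end", so the closing "endstream" never starts a match
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_URI_STRING = re.compile(rb"/URI\s*\((.*?)\)")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, so an obfuscated /J#53 is counted as /JS."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> List[bytes]:
    """Return the decompressed content of every zlib (FlateDecode) stream in the file."""
    inflated = []
    for match in _STREAM.finditer(data):
        try:
            inflated.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (or damaged); skip it
    return inflated


def count_keywords(data: bytes, parse_streams: bool = False) -> Dict[str, int]:
    """pdfid-style keyword counts; parse_streams=True also looks inside streams, like pdf-parser -O."""
    blobs = [normalize_names(data)]
    if parse_streams:
        blobs += [normalize_names(s) for s in inflate_streams(data)]
    return {kw.decode(): sum(blob.count(kw) for blob in blobs) for kw in KEYWORDS}


def find_uris(data: bytes) -> List[str]:
    """Extract literal-string targets of /URI entries, including those hidden in object streams."""
    blobs = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    return [m.group(1).decode("latin-1") for blob in blobs for m in _URI_STRING.finditer(blob)]


if __name__ == "__main__":
    print("raw scan:     ", count_keywords(SAMPLE_PDF))
    print("with -O style:", count_keywords(SAMPLE_PDF, parse_streams=True))
    print("URIs:         ", find_uris(SAMPLE_PDF))
```

The raw pass reports /ObjStm and /AcroForm but zero /URI; only after inflating the object stream does the /URI action (and its target) appear, which is exactly the blind spot the "-O" option closes. Real object streams can be nested differently and strings can use escapes this regex does not handle, so treat it as a triage aid, not a parser.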
Ok, now that we got what we need, let's move on. But first, just because we're curious, here is a screenshot of the PDF file. It looks pretty legit, and hovering over the "Manage Account" button will of course reveal the Google Docs link we just found.
To display the rendered PDF, we can of course use a sandbox or a dedicated analysis machine, because we don't want to open malicious files directly on our own machine. But there is another elegant way to render a PDF into an image and get a glimpse of its content: a small Python module called pdf2image.
from pdf2image import convert_from_bytes

# Render every page to a PIL image; pdf2image shells out to poppler-utils (pdftoppm)
with open('/your/path/to/the/file.pdf', 'rb') as f:
    images = convert_from_bytes(f.read())

# One JPEG per page (saving every page under the same name would keep only the last one)
for index, page in enumerate(images, start=1):
    page.save(f'out_{index}.jpg', 'JPEG')
Make sure you have poppler-utils installed (the PDF rendering library pdf2image relies on) and you should get a JPEG of each PDF page. Also, it is interesting to point out that some SOAR solutions have built-in integrations that can do the same, like Rasterize in Palo Alto Networks XSOAR: https://xsoar.pan.dev/docs/reference/integrations/rasterize
The “GIF trick” in Google Docs
Let's move on to the link analysis. As we saw, it is a Google Docs link. It is interesting to note the use of Google Drawings.
Again, we could use something like Rasterize, but it usually means giving our IP to attacker-controlled infrastructure, so be careful with this kind of technique. Sometimes it's just better to use an online service such as url2png to get a render of the web page; urlscan.io has the same feature. By doing so, we can see that we would have landed on an Amazon Prime landing page with a captcha at the following link, as shown in the image below:
Now, this is interesting because this page is actually a GIF and is therefore animated, showing the user an animation of the captcha completion (without any prior click). Once the animation is finished the user can see the captcha validated and “only” has to click on the “Continue” button. The /preview in the URL will remove the Google Docs UI and render the drawing in full screen mode. As you can see below it is easy to add a GIF and a button with a link (VX ;)).
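The controls table at the end lists proxy logs as a detection source, and the two URL shapes in this chain are easy to pick out there: a Google Drawings link opened in /preview mode, and a later hop to a free dynamic-DNS host like the duckdns.org one in the indicators. The following is an added Python example (not the author's code; the log lines, drawing IDs and hostnames are constructed, and the log format is an assumption) that flags both shapes and then correlates them per user, looking for a Drawings preview followed within a few minutes by a hit on a dynamic-DNS host, which is the click-through the GIF trick is designed to produce.

```python
from datetime import datetime
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed proxy log lines (not from any real environment).
# Assumed format: <ISO-8601 timestamp> <user> <url> <http status>
SAMPLE_PROXY_LOG = """\
2022-12-11T22:45:01+00:00 alice https://docs.google.com/drawings/d/EXAMPLE-DRAWING-ID-0001/preview 200
2022-12-11T22:45:09+00:00 alice http://pageclient-example.duckdns.org/cd0b26/login.aspx 200
2022-12-11T22:46:30+00:00 bob https://docs.google.com/document/d/EXAMPLE-DOC-ID-0002/edit 200
2022-12-11T22:47:12+00:00 carol https://www.amazon.com/gp/css/homepage.html 200
2022-12-11T23:30:00+00:00 dave https://docs.google.com/drawings/d/EXAMPLE-DRAWING-ID-0003/preview 200
"""

# Free dynamic-DNS suffixes to treat as suspicious; extend for your environment
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)


def classify_url(url: str) -> List[str]:
    """Return the reasons a URL matches the shapes seen in this phishing chain (empty if none)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    # Google Drawings in /preview: the Docs UI is stripped and the drawing is shown full screen
    if host == "docs.google.com" and p.path.startswith("/drawings/") and p.path.endswith("/preview"):
        reasons.append("google-drawing-preview")
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns-host")
    return reasons


def parse_log(text: str):
    """Yield (timestamp, user, url, reasons) for each well-formed log line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        ts, user, url, _status = parts[:4]
        events.append((datetime.fromisoformat(ts), user, url, classify_url(url)))
    return events


def flagged_urls(text: str) -> List[Tuple[str, str, List[str]]]:
    """Every request that matched at least one reason."""
    return [(user, url, reasons) for _, user, url, reasons in parse_log(text) if reasons]


def click_through_chains(text: str, window_seconds: int = 300) -> List[Tuple[str, str, str]]:
    """Per user: a Drawings /preview hit followed within the window by a dynamic-DNS host hit."""
    chains = []
    events = sorted(parse_log(text), key=lambda e: e[0])
    for i, (t1, user, url1, reasons1) in enumerate(events):
        if "google-drawing-preview" not in reasons1:
            continue
        for t2, user2, url2, reasons2 in events[i + 1:]:
            if user2 != user or "dynamic-dns-host" not in reasons2:
                continue
            if (t2 - t1).total_seconds() <= window_seconds:
                chains.append((user, url1, url2))
                break  # first landing-page hit after the preview is enough
    return chains


if __name__ == "__main__":
    for hit in flagged_urls(SAMPLE_PROXY_LOG):
        print("flagged:", hit)
    for chain in click_through_chains(SAMPLE_PROXY_LOG):
        print("click-through:", chain)
```

On its own, a Drawings preview hit (dave) is only a hint, since the feature has legitimate uses; the preview-then-dynamic-DNS sequence for the same user (alice) is the one worth paging on, and the two timestamps give the SOC the window to pull the user's session and check whether credentials were entered.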
Once the user clicks, there is a first redirection to a compromised website before finally landing on the following Amazon login page at this link:
Once entering email and password, we get an Amazon warning asking us to validate our billing and payment information. By clicking “Continue”, we land on the billing information form.
Once again we enter our (fake) information and click "Next Step", and before getting to the credit card information form we get a nice warning from Google Safe Browsing, which already knows the domain for hosting phishing. Great! Even though my credentials and address info are gone already…
Of course, we safely ignore the warning to land on the credit card information form.
Now, I wasn't able to get a successful web page after this form, either because it is verifying the credit card information, or because there is no "Next Step" at all since the credit card info has already been sent and collected by the fraudster. The latter seems the most plausible.
One thing I can tell is that there is a check on the credit card number and CVV/CSC code that depends on whether the card is an American Express or not, as shown in the screenshot below. In this case, the embedded script checks for a 15-character card number and a 4-character code for Amex, and a 16-character number and a 3-character code for the others.
And that’s it!
Nothing too fancy, just a nice simple phishing campaign with a short deep dive into PDF files and a funny GIF trick. Below you can find some CTI mapped to ideas for security controls that could help organizations protect against and detect these types of phishing.
Happy to discuss it over Twitter @Sam0x90
TTPs & Security Controls
|Tactic|Technique|Description|Protect|Detect|
|---|---|---|---|---|
|TA0001 Initial Access|T1566.001 Phishing: Spearphishing Attachment|PDF attachment with embedded Google Doc link|Google Safe Browsing; NGFW URL Filtering / UTM; Proxy Filtering; Security Awareness; Mail GW antispam/sandbox|Proxy logs / NIDS; User report to SOC; Mail GW logs|
|Type|Description|Indicator|
|---|---|---|
|URL|PDF Phishing link|hXXps://docs.google.com/drawings/d/17Eh0MtgoXW_dvPDVcLkulAEPyJnVxrdvIctSJDKMnWU/preview|
|URL|Phishing Landing page|hXXp://pageclient-userdesk0054.duckdns.org/cdOb26df2c5fec87357808a58bd828d6/55ba8dt74778Ubf6b6a17a804675635.aspx|
Didier Stevens' YouTube channel: https://www.youtube.com/@dist67/videos
Sandbox Triage for the Google Docs link: https://tria.ge/221211-yj6a3sca2x/behavioral1