Cybersecurity researcher Zoziel Pinto Freire analyzed the use of weaponized PDFs in phishing attacks
Every day, everyone receives phishing emails carrying malicious documents or PDFs. I decided to take a look at one of these files. I did a static analysis and went straight to the point to keep this write-up short and simple.
Here is the received email. It is presented as coming from the Caixa Economica Federal bank, but we can see that the sender uses a Gmail address and a strange name.

I verified this e-mail header using MXToolbox, and we can see the IP used by the sender (the attacker).

Below is the reputation of the IP used by the attacker.

We can see that this IP has many reports of malicious activity.
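The header check above (brand name in the display name, a webmail address underneath, and the sender IP taken from the Received chain) can be done locally before pasting anything into MXToolbox. The following is an added example, not code from the original post; the message it parses is constructed to mirror the shape of the phishing email described (documentation IP ranges, placeholder hostnames), and the "legitimate" domain passed to the check is an assumed value for illustration.

```python
import re
import sys
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the one from the analysis): a bank's name in the
# From display name, a Gmail address underneath, and a Received chain that ends at
# the submitting client. IPs are RFC 5737 documentation addresses.
SAMPLE_EMAIL = """Return-Path: <caixa.atendimento.2024@gmail.com>
Received: from mail-relay.example-provider.net ([198.51.100.41]) by mx.example.net with ESMTPS id a1b2c3; Tue, 5 Mar 2024 10:00:02 +0000
Received: from client-host (unknown [203.0.113.77]) by mail-relay.example-provider.net with ESMTPSA id d4e5f6; Tue, 5 Mar 2024 09:59:58 +0000
From: "Caixa Economica Federal" <caixa.atendimento.2024@gmail.com>
To: victim@example.net
Subject: Fatura em atraso - acesse o documento
Content-Type: text/plain; charset="utf-8"

Segue em anexo.
"""

# Bracketed IPv4 literal as MTAs write it in Received: lines, e.g. "([198.51.100.41])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw):
    """IPv4 addresses from each Received: header, top to bottom: the first entry is
    the hop closest to us, the last is the earliest (submitting) hop we can see."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(hdr))
    return ips


def triage_sender(raw, brand, legit_domains):
    """Compare the brand claimed in the From display name against the domain actually
    used, and pull the earliest Received IP for a reputation lookup."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    ips = received_ips(raw)
    return {
        "display_name": name,
        "address": addr,
        # True when the display name drops the brand's name
        "claims_brand": brand.lower() in name.lower(),
        # True only when the address domain is one the brand actually sends from
        "domain_matches_brand": domain in {d.lower() for d in legit_domains},
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        # Last hop in the chain: the address to look up on AbuseIPDB / VirusTotal
        "originating_ip": ips[-1] if ips else None,
        "hops": ips,
    }


if __name__ == "__main__":
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EMAIL
    # "caixa.gov.br" is an assumed legitimate domain used only for this illustration.
    for key, value in triage_sender(raw, "Caixa", ("caixa.gov.br",)).items():
        print(f"{key}: {value}")
```

One caveat a reputation lookup does not remove: only the Received lines added by your own MX (the top of the chain) are trustworthy; everything below them was written by relays you do not control and can be forged by the sender, so the "originating IP" is the best available lead, not proof.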

I downloaded the file to my VPS (Kali Linux) and used peepdf to analyze the file structure; I found two URIs, in objects 3 and 5.
After checking objects 3 and 5 with pdf-parser, I found the malicious URL in object 3.
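What peepdf and pdf-parser did here was enumerate the file's objects and search them for /URI actions. The following is an added example, not code from the original post or from either tool: a small object walker that reports every /URI literal by object number, inflates /FlateDecode streams so URIs hidden in compressed object streams are not missed, and flags the auto-action keys (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile) that a triage normally checks first. The sample PDF is constructed with placeholder URLs in objects 3 and 5 to mirror the layout described above; it is not the analyzed file.

```python
import re
import sys
import zlib

# Constructed sample PDF (not the file from the analysis): two /Link annotations in
# objects 3 and 5 carry /URI actions, and the catalog carries an /OpenAction.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A << /S /URI /URI (http://example.invalid/login) >> >>
endobj
4 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [3 0 R 5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 50 50] /A << /S /URI /URI (https://example.com/) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Naive scan: no xref walk and no reference resolution, which is what a first-pass
# search with pdf-parser effectively does too.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# /URI followed by a literal string "(...)"; hex strings "<...>" are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Keys that make a PDF act on its own. Presence is a triage signal, not proof.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")


def iter_objects(data):
    """Yield (object number, raw body bytes) for every `N G obj ... endobj`."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), m.group(3)


def expand_streams(body):
    """Return the body plus the inflated content of any /FlateDecode stream in it,
    so dictionaries packed into compressed object streams are searchable too."""
    out = [body]
    for s in STREAM_RE.finditer(body):
        if b"/FlateDecode" in body:
            try:
                out.append(zlib.decompress(s.group(1)))
            except zlib.error:
                pass  # corrupt or non-zlib data: keep the raw bytes only
    return b"\n".join(out)


def find_uris(data):
    """Return [(object number, url), ...] for each /URI literal found, in file order."""
    hits = []
    for num, body in iter_objects(data):
        for m in URI_RE.finditer(expand_streams(body)):
            hits.append((num, m.group(1).decode("latin-1")))
    return hits


def find_suspicious_keys(data):
    """Return {object number: [keys]} for objects carrying auto-action keys."""
    found = {}
    for num, body in iter_objects(data):
        text = expand_streams(body)
        keys = [k.decode() for k in SUSPICIOUS_KEYS if re.search(re.escape(k) + rb"\b", text)]
        if keys:
            found[num] = keys
    return found


def build_flate_sample():
    """Constructed PDF whose only /URI sits inside a FlateDecode stream, so a plain
    string search over the raw file would miss it."""
    inner = b"<< /S /URI /URI (http://example.invalid/hidden) >>"
    comp = zlib.compress(inner)
    return (b"%PDF-1.4\n7 0 obj\n<< /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for num, url in find_uris(data):
        print(f"obj {num}: /URI {url}")
    for num, keys in find_suspicious_keys(data).items():
        print(f"obj {num}: {' '.join(keys)}")
```

Run it against a real sample with the file path as the argument. Each reported URL still has to be judged by hand, as in the post: a document can legitimately carry a link to the sender's own site next to the phishing link, so the object number matters more than the count.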
Tools used during the analysis:
- Kali Linux – https://www.kali.org/get-kali/
- MXToolbox – https://mxtoolbox.com
- pdf-parser – https://blog.didierstevens.com/programs/pdf-tools/
- peepdf – https://github.com/jesparza/peepdf
- AbuseIPDB – https://www.abuseipdb.com
- VirusTotal – https://www.virustotal.com