- This specimen comes in the form of a `.pdf` file with an embedded image that mimics a Captcha prompt.
- After opening the `.pdf` in a sandbox environment, we can proceed to extract a list of objects using `pdfid`.
- Additionally, we can get a more granular overview of the embedded objects with `pdf-parser`.
- Note the presence of multiple URI objects as well as one XObject. In PDFs, XObjects are typically images, forms, or (legacy) PostScript objects. At this point we can assume that the XObject we found is the fake Captcha image we saw in the sandbox earlier.
- If we use `pdf-parser.py` with the `-s` switch, we can take a closer look at a specific object. Let's start by investigating the URI objects.
- Immediately, we see a Russian (`.ru`) domain in object #10.
- If we extract more URI objects, we find that the rest are harmless AWS and CDN links, etc.
- With `pdf-parser.py`, the `-k` switch searches object dictionaries for a given key (here `/URI`), which pulls out the clickable URI objects directly. This gives us a different output.
- If we take a closer look at the image object (object #6), we can see that it is indeed an image, with width and height specifications, a designated ColorSpace, etc.
- We can use the `-d` switch to dump that object's stream to a file on disk. Next, we can simply view it with the system's native image viewer. (This works directly when the image stream is a `/DCTDecode` JPEG; a Flate-compressed or raw bitmap would first need decoding.)
- The image we extracted is indeed the fake Captcha prompt that we saw earlier.
- Next, we can use the `-r` switch to determine which objects reference the fake Captcha image object.
- We can see at the top left that object #13 references it. Digging deeper and following the chain of object references, we end up identifying object #14 as an Annotations object. In `.pdf` files, annotations are interactive elements that can be added to a document to provide additional functionality, for example clickable URLs.
- We extract object #10 to confirm that it is indeed the clickable Russian URL.
- Let's open Wireshark and start a packet capture, and then detonate the clickable URI in a sandbox.
- Ironically, we get a security warning from Microsoft Edge.
- But we proceed to the web page regardless.
- And finally, we are met with the default INetSim landing page.
- This doesn't really tell the whole story, because INetSim is only simulating the web server and the real redirect chain is never reached. So instead, if we connect our test machine to the internet and run more comprehensive tools to inspect the HTTP traffic, we actually see multiple redirects until it reaches its target and attempts to download a PE file named `hcv_client-13874.exe`.
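To make the object-level triage above reproducible without the screenshots, here is an added Python example (not from the original write-up and not pdf-parser's own code) that walks a PDF and performs the same steps: pdfid-style keyword counts, listing XObjects, pulling `/URI` strings (`-k /URI`), resolving `/Link` annotations to the action they open, and finding which objects reference a given object (`-r`). The sample PDF is constructed: its object numbers (6 = image XObject, 10 = URI action, 13 = page, 14 = Link annotation) mirror the layout described in the write-up, and the lure URL on the reserved `.test` domain is made up, not the specimen's real `.ru` URL. The walker handles only uncompressed, unencrypted PDFs with classic `N G obj ... endobj` syntax; object streams (`/ObjStm`) would first need to be expanded, which is exactly why the real tools matter on a hostile sample.

```python
"""Added example (not the original write-up's or pdf-parser's code): a tiny
walker for plain 'N G obj ... endobj' PDFs. No /ObjStm, no encryption,
no xref parsing; it scans the raw bytes, which is enough for this sample."""
import re

# Constructed sample, not the real specimen. Object numbers mirror the write-up
# (6 = image XObject, 10 = URI action, 13 = page, 14 = Link annotation).
# The lure URL is invented and uses the reserved .test TLD.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [13 0 R] /Count 1 >> endobj
13 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 6 0 R >> >>
   /Contents 5 0 R /Annots [14 0 R] >> endobj
5 0 obj << /Length 33 >>
stream
q 300 0 0 100 50 600 cm /Im0 Do Q
endstream
endobj
6 0 obj << /Type /XObject /Subtype /Image /Width 300 /Height 100
   /ColorSpace /DeviceRGB /BitsPerComponent 8 /Length 3 >>
stream
\x00\x00\x00
endstream
endobj
10 0 obj << /S /URI /URI (http://lure.example.test/verify) >> endobj
11 0 obj << /S /URI /URI (https://cdn.example.com/script.js) >> endobj
14 0 obj << /Type /Annot /Subtype /Link /Rect [50 600 350 700] /A 10 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")              # indirect reference "N G R"
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")    # /URI (literal string)
TYPE_RE = re.compile(rb"/Type\s*/(\w+)")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
ACTION_RE = re.compile(rb"/A\s+(\d+)\s+\d+\s+R")         # /A N G R (indirect action)

def parse_objects(data):
    """{object number: body bytes} for every 'N G obj ... endobj' block."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}

def count_keywords(data, keywords=(b"/URI", b"/XObject", b"/Annots", b"/Link",
                                    b"/JavaScript", b"/OpenAction")):
    """pdfid-style keyword counts over the raw file."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"\b", data)) for k in keywords}

def references(objects):
    """Object number -> set of object numbers its dictionary references."""
    refs = {}
    for num, body in objects.items():
        # Only the dictionary part: binary stream data must not yield bogus 'N 0 R'.
        dict_part = body.split(b"stream", 1)[0]
        refs[num] = {int(r) for r in REF_RE.findall(dict_part)} - {num}
    return refs

def referenced_by(objects, target):
    """Like pdf-parser -r: sorted list of objects that reference `target`."""
    return sorted(n for n, rs in references(objects).items() if target in rs)

def xobjects(objects):
    """(object number, /Subtype) of every /Type /XObject, e.g. the lure image."""
    out = []
    for num, body in sorted(objects.items()):
        t = TYPE_RE.search(body)
        if t and t.group(1) == b"XObject":
            st = SUBTYPE_RE.search(body)
            out.append((num, st.group(1).decode() if st else "?"))
    return out

def uri_actions(objects):
    """Like pdf-parser -k /URI: every (object number, URI) pair in the file."""
    return sorted((num, m.group(1).decode("latin-1"))
                  for num, body in objects.items() for m in URI_RE.finditer(body))

def link_targets(objects):
    """Resolve /Link annotations to the URI they open: (annot, action obj, uri).
    Handles an indirect '/A N G R' or an inline '/A << ... /URI (...) >>'."""
    uris = dict(uri_actions(objects))
    out = []
    for num, body in sorted(objects.items()):
        st = SUBTYPE_RE.search(body)
        if not (st and st.group(1) == b"Link"):
            continue
        a = ACTION_RE.search(body)
        if a:
            action = int(a.group(1))
            out.append((num, action, uris.get(action)))
        else:
            m = URI_RE.search(body)
            out.append((num, num, m.group(1).decode("latin-1") if m else None))
    return out

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("keyword counts:", count_keywords(SAMPLE_PDF))
    print("XObjects:", xobjects(objs))
    print("URI actions:", uri_actions(objs))
    print("Link annotation -> action -> URI:", link_targets(objs))
    print("objects referencing image 6:", referenced_by(objs, 6))
```

On the constructed sample, `referenced_by(objs, 6)` returns `[13]` (the page draws the image), `link_targets` maps annotation 14 through action 10 to the lure URL, and `uri_actions` lists the benign CDN link alongside it, the same picture the write-up assembles from the `-s`, `-k` and `-r` screenshots. Because this walker ignores filters, it reports the image's dictionary but does not decode its stream; dumping and viewing the picture is still a job for `pdf-parser.py -d`.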