0x9 - PDF Captcha Lure.md
  • This specimen comes in the form of a .pdf file with an embedded image that mimics a Captcha prompt.

Pasted image 20240704233908

  • After opening the .pdf in a sandbox environment, we can proceed to extract a list of objects using pdfid.

Pasted image 20240704234138

  • Additionally, we can get a more granular overview of the embedded objects with pdf-parser.

Pasted image 20240704234233

  • Note the presence of multiple URI objects as well as one XObject. In PDFs, XObjects are typically images, forms, or PostScript objects, so at this point we can reasonably assume that the XObject we found is the fake Captcha image we saw in the sandbox earlier.

  • If we use pdf-parser.py with the -s switch, we can take a closer look at a specific object. Let's start by investigating the URI objects.

Pasted image 20240704234506

  • Immediately, we see a Russian (.ru) domain in object #10.

  • If we extract more URI objects, we find that they are harmless AWS and CDN links, etc.

Pasted image 20240704234612

  • With pdf-parser.py, the -k switch lets us search specifically for the clickable URI entries, which gives us a different output.

Pasted image 20240704234705

  • If we take a closer look at the image object (object #6), we can see that it is indeed an image with width and height specifications, a designated ColorSpace, etc.

Pasted image 20240704234821

  • We can use the -d switch to extract that image and save it to disk. Next, we can simply view it with the system's native image viewer.

Pasted image 20240704234930

  • The image we extracted is indeed the fake Captcha prompt that we saw earlier.

Pasted image 20240704234947

  • Next, we can use the -r switch to determine which objects reference the fake Captcha image object.

Pasted image 20240704235045

  • We can see at the top left that object #13 references it. Digging deeper and following the chain of object references, we identify object #14 as an Annotations object. In .pdf files, annotations are interactive elements added to a document to provide additional functionality, for example clickable URLs.

Pasted image 20240704235239

  • We extract object #10 to confirm that it is indeed the clickable Russian URL.

Pasted image 20240704235428

  • Let's open Wireshark and start a packet capture, and then detonate the clickable URI in a sandbox.

  • Ironically, we get a security warning from Microsoft Edge.

Pasted image 20240704235639

  • But we proceed to the web page regardless.

Pasted image 20240704235651

  • And finally, we are met with the default INetSim landing page.

Pasted image 20240704235715

  • This doesn't tell the whole story. If we instead connect the test machine to the internet and inspect the HTTP traffic with more comprehensive tools, we see a chain of redirects until the request reaches its final destination and attempts to download a PE file named hcv_client-13874.exe.

Pasted image 20240705000242
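As an added example (not part of the original notes, and not pdf-parser's own code), the script below reproduces the triage steps walked through above in plain Python: list the indirect objects, find /URI actions, find which objects reference the image XObject (the -r step), and follow /Annots to the /Link annotation and its /A action. The minimal PDF, its object numbers and the placeholder URI are constructed for the example.

```python
import re

# Constructed sample: one page, an image XObject (obj 6), a Link annotation
# (obj 14) whose /A action (obj 10) carries a placeholder /URI. Not a real lure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 6 0 R >> >> /Contents 13 0 R /Annots [14 0 R] >> endobj
6 0 obj << /Type /XObject /Subtype /Image /Width 600 /Height 200 /ColorSpace /DeviceRGB /BitsPerComponent 8 /Length 0 >> stream
endstream endobj
10 0 obj << /Type /Action /S /URI /URI (http://example.invalid/lure) >> endobj
13 0 obj << /Length 30 >> stream
q 600 0 0 200 0 0 cm /Im0 Do Q
endstream endobj
14 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 600 200] /A 10 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)   # "N 0 obj ... endobj"
REF_RE = re.compile(rb"(\d+) 0 R")                       # indirect reference "N 0 R"
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")                # /URI (string)

def parse_objects(data):
    """Map object number -> raw object body, like pdf-parser's object listing."""
    return {int(n): body for n, body in OBJ_RE.findall(data)}

def find_uris(objects):
    """Object numbers carrying a /URI string (what searching for the URI key surfaces)."""
    return {num: m.group(1).decode() for num, body in objects.items()
            for m in [URI_RE.search(body)] if m}

def referrers(objects, target):
    """Objects that hold an indirect reference to `target` (the -r step)."""
    return sorted(n for n, body in objects.items()
                  if n != target and any(int(r) == target for r in REF_RE.findall(body)))

def clickable_link_chain(objects):
    """Follow /Link annotation -> /A action -> /URI; returns (annot, action, uri) tuples."""
    chain = []
    for n, body in objects.items():
        if b"/Subtype /Link" in body:
            for r in REF_RE.findall(body):          # the /A entry points at the action object
                m = URI_RE.search(objects.get(int(r), b""))
                if m:
                    chain.append((n, int(r), m.group(1).decode()))
    return chain
```

Note that the content stream (obj 13) draws the image by its resource name /Im0 rather than by an "N 0 R" reference, so the reference search only reports the page object; the same holds for real files, which is why the image-to-annotation chain has to be followed by hand.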