Received a mail about Remittance Detail from Forsythe Technology Canada Inc. claiming to be from paymentremittanceinformation[at]wellsfargo.com. First off, I'm not expecting any remittance.
At this point, I'm obviously concerned that someone has targeted me, hoping for the following:
1. That this mail bypasses any filter which may be in place.
2. That I open the PDF.
I guess a 50% pass mark is not bad. It did pass the filter. However, it was not convincing enough for me to open the PDF.
Taking a look first at the headers and extracting what I find important, we see:
Authentication-Results: spf=fail (sender IP is 205.139.110.120) smtp.mailfrom=wellsfargo.com; siriuscom.com; dkim=fail (body hash did not verify) header.d=wellsfargo.com;siriuscom.com; dmarc=fail action=oreject header.from=wellsfargo.com;compauth=none reason=451
Received-SPF: Fail (protection.outlook.com: domain of wellsfargo.com does not designate 205.139.110.120 as permitted sender) receiver=protection.outlook.com; client-ip=205.139.110.120; helo=us-smtp-1.mimecast.com;
I noticed the mail seems to have originated in the outlook[.]com domain and to have hit a number of servers within that domain. More importantly, there are several failures relating to Sender Policy Framework (SPF).
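The failures in that header can be checked mechanically rather than by eye. This is an added Python example, not code from the post: it parses the Authentication-Results value quoted above into per-method results (spf, dkim, dmarc) and returns a one-line triage verdict.

```python
import re

# Authentication-Results value copied from the header quoted above.
AUTH_RESULTS = (
    "spf=fail (sender IP is 205.139.110.120) smtp.mailfrom=wellsfargo.com; "
    "siriuscom.com; dkim=fail (body hash did not verify) header.d=wellsfargo.com;"
    "siriuscom.com; dmarc=fail action=oreject header.from=wellsfargo.com;"
    "compauth=none reason=451"
)

# Each method we care about, with the property that names the domain it checked.
METHODS = {"spf": "smtp.mailfrom", "dkim": "header.d", "dmarc": "header.from"}


def parse_auth_results(value):
    """Return {method: {"result", "comment", "domain"}} for spf/dkim/dmarc."""
    results = {}
    for method, prop in METHODS.items():
        # result token, optionally followed by a parenthesised comment
        m = re.search(rf"\b{method}=(\w+)(?:\s*\(([^)]*)\))?", value)
        if not m:
            continue
        d = re.search(rf"\b{re.escape(prop)}=([\w.-]+)", value)
        results[method] = {
            "result": m.group(1).lower(),
            "comment": m.group(2) or "",
            "domain": d.group(1) if d else "",
        }
    return results


def failed_methods(results):
    """Methods whose result is anything other than pass (fail, none, temperror...)."""
    return sorted(m for m, r in results.items() if r["result"] != "pass")


def triage(value):
    """Verdict string: which checks failed and which domain the mail claimed."""
    results = parse_auth_results(value)
    failed = failed_methods(results)
    if not failed:
        return "all checks passed"
    claimed = {r["domain"] for r in results.values() if r["domain"]}
    return f"failed: {', '.join(failed)}; claimed domain(s): {', '.join(sorted(claimed))}"
```

Run against the header above, triage() reports all three methods as failed for the claimed domain wellsfargo.com, which is exactly the DMARC reject situation the header's action=oreject describes.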
Checking the file hash in VirusTotal, Google, Bing and DuckDuckGo returned 0 results in each at the time of my search.
C:\Users\SecurityNik>certutil -hashfile c:\tmp\trk971234427.pdf MD5
MD5 hash of c:\tmp\trk971234427.pdf:
6dbd1780250f64939227b82bfa4e5382
CertUtil: -hashfile command completed successfully.
Digging deeper to learn about the PDF, let's take a peek inside with PDFiD.
C:\Users\SecurityNik>pdfid c:\tmp\trk971234427.pdf
PDFiD 0.2.7 c:\tmp\trk971234427.pdf
 PDF Header: %PDF-1.4
 obj                    9
 endobj                 9
 stream                 3
 endstream              3
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    0
 /JavaScript            0
 /AA                    0
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          0
 /XFA                   0
 /URI                   0
 /Colors > 2^24         0
It is said that most malicious PDF documents only have 1 page. We see above 1 page. That in itself is not suspicious. What do we have in the three streams?
C:\Users\SecurityNik>pdf-parser c:\tmp\trk971234427.pdf --object 1,3,5
obj 1 0
 Type: /XObject
 Referencing:
 Contains stream

  <<
    /ColorSpace /DeviceRGB
    /Subtype /Image
    /Height 42
    /Filter /DCTDecode
    /Type /XObject
    /Width 230
    /BitsPerComponent 8
    /Length 6170
  >>

obj 5 0
 Type:
 Referencing:
 Contains stream

  <<
    /Filter /FlateDecode
    /Length 1282
  >>

obj 3 0
 Type: /XObject
 Referencing: 2 0 R
 Contains stream

  <<
    /Subtype /Form
    /Filter /FlateDecode
    /Type /XObject
    /Matrix [1 0 0 1 0 0]
    /FormType 1
    /Resources
      <<
        /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
        /Font
          <<
            /F1 2 0 R
          >>
      >>
    /BBox [0 0 36 10.35]
    /Length 55
  >>
Looking at obj 1 0, we see information which suggests an image: ColorSpace, Height 42, Width 230. We also see it is 6170 bytes in size.
Attempting to extract this content from obj 1 0, we see the filter DCTDecode is not supported.
C:\Users\SecurityNik>pdf-parser c:\tmp\trk971234427.pdf --object 1 --filter
obj 1 0
 Type: /XObject
 Referencing:
 Contains stream

  <<
    /ColorSpace /DeviceRGB
    /Subtype /Image
    /Height 42
    /Filter /DCTDecode
    /Type /XObject
    /Width 230
    /BitsPerComponent 8
    /Length 6170
  >>

 "Unsupported filter: ['/DCTDecode']"
Taking advantage of PDFStreamDumper and looking at the hex dump of stream 1, the first few bytes (shown in the snapshot) suggest this is a JPEG image.
I then saved those bytes to a file named pdf-obj-1.jpg.
C:\Users\SecurityNik>dir c:\tmp\pdf-obj-1.jpg
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of c:\tmp

12/22/2020  01:28 PM             6,170 pdf-obj-1.jpg
               1 File(s)          6,170 bytes
               0 Dir(s)  37,737,611,264 bytes free
You might also notice that the file size matches the /Length returned for obj 1 0.
I then ran the image's SHA1 hash through VirusTotal and got no hits. Next stop: load up Process Hacker before opening the image, to see if it creates any processes. The image turned out to be the company logo.
Let's now look at obj 5 0, dumping its decoded output to a file named pdf-obj-5.txt.
C:\Users\SecurityNik>pdf-parser c:\tmp\trk971234427.pdf --object 5 --filter --dump pdf-obj-5.txt
obj 5 0
 Type:
 Referencing:
 Contains stream

  <<
    /Filter /FlateDecode
    /Length 1282
  >>
Verifying the file's creation.
C:\Users\SecurityNik>dir pdf-obj-5.txt
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of C:\Users\SecurityNik

12/22/2020  01:45 PM             5,948 pdf-obj-5.txt
               1 File(s)          5,948 bytes
               0 Dir(s)  37,858,271,232 bytes free
Running the type command on the file to see if anything stands out as suspicious, nothing suspicious stood out.
C:\Users\SecurityNik>type pdf-obj-5.txt | more
q
36 36 540 720 re
W
n
q
1 0 0 1 39 734.74 cm
q
100 0 0 18.26 0 0 cm
/img0 Do
Q
Q
q
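The stream triage done by hand above (PDFiD's keyword counts, pdf-parser's unsupported DCTDecode filter, the /Length check on obj 1 0, and inflating obj 5 0) can be scripted. This is an added Python example, not the post's own code and not Didier Stevens' tools: it builds a constructed two-stream PDF shaped like obj 1 0 and obj 5 0 above, counts the PDFiD indicators after decoding hex-escaped names (so /J#53 counts as /JS, a common obfuscation), and for each stream reports its filter, whether the declared /Length matches the bytes present, the JPEG magic for DCTDecode streams, and the inflated content for FlateDecode streams.

```python
import re
import zlib

# One indirect object carrying a stream: "N G obj << dict >> stream ... endstream".
# The dictionary may not run across "endobj", or a stream-less object would swallow the next one.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# The indicator names PDFiD counts; names are normalised first so /J#53 is counted as /JS.
KEYWORDS = [b"/Page", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]


def normalise_names(data):
    """Decode #xx escapes so obfuscated names are counted like their plain spelling."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data):
    """PDFiD-style counts, keyed like PDFiD's output (e.g. '/JS')."""
    norm = normalise_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", norm)) for k in KEYWORDS}


def triage_streams(data):
    """Per stream: filter, declared /Length vs bytes present, JPEG magic, inflated Flate data."""
    report = []
    for num, gen, dictionary, raw in STREAM_OBJ_RE.findall(data):
        filt = re.search(rb"/Filter\s*/(\w+)", dictionary)
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        declared = int(length.group(1)) if length else None
        info = {"obj": f"{int(num)} {int(gen)}", "filter": filt.group(1).decode() if filt else None,
                "declared_length": declared, "actual_length": len(raw), "length_ok": declared == len(raw)}
        if info["filter"] == "DCTDecode":      # pdf-parser cannot decode this; a JPEG starts FF D8 FF
            info["is_jpeg"] = raw[:3] == b"\xff\xd8\xff"
        elif info["filter"] == "FlateDecode":  # what pdf-parser --filter did for obj 5 0
            info["inflated"] = zlib.decompress(raw)
        report.append(info)
    return report


def build_sample_pdf():
    """Constructed two-stream PDF shaped like the post's obj 1 0 (DCTDecode image) and obj 5 0 (Flate)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12      # JPEG SOI marker plus filler, not a real logo
    flate = zlib.compress(b"q 36 36 540 720 re W n /img0 Do Q")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /XObject /Subtype /Image /Filter /DCTDecode /Length "
        + str(len(jpeg)).encode() + b" >>\nstream\n" + jpeg + b"\nendstream\nendobj\n",
        b"4 0 obj\n<< /Type /Page /Contents 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Filter /FlateDecode /Length " + str(len(flate)).encode()
        + b" >>\nstream\n" + flate + b"\nendstream\nendobj\n%%EOF\n",
    ])
```

A declared /Length that does not match the bytes present, or a DCTDecode stream that does not start with the JPEG marker, is the kind of mismatch worth a closer look; on the sample (as on the post's file) both checks come back clean.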
At this point, I haven't found anything to confirm my suspicion that this is a malicious file. I then opened the file on my analysis machine using my browser. This is when I started laughing. I guess I'm a bit too paranoid.
False Positive
It turned out this was actually a legit email; I just was not expecting it. Even so, I was already set to report this as suspicious. I guess it is a good thing I took a second to look at it to see what might be of interest. How do I know it is legit? Further evidence was obtained from individuals within the organization who confirmed this is legit. An important takeaway here is that context is truly important when performing analysis.
References:
How SPF Works
Enforcing DMARC policy (reject) on an Office 365 tenant