Monday, January 11, 2021

Suspicious(?) PDF Analysis - Remittance detail from ...

Received an email about a Remittance Detail from Forsythe Technology Canada Inc., claiming to be from paymentremittanceinformation[at]wellsfargo.com. First off, I'm not expecting any remittance. 


At this point, I'm obviously concerned that someone has targeted me, with the hope of the following:

1.    This mail bypasses any filter which may be in place.
2.    That I open the PDF.

I guess a 50% pass mark is not bad. It did pass the filter. However, it was not convincing enough for me to open the PDF.

Taking a look first at the headers and extracting what I find important, we see:

Authentication-Results: spf=fail (sender IP is 205.139.110.120)
 smtp.mailfrom=wellsfargo.com; siriuscom.com; dkim=fail (body hash did not
 verify) header.d=wellsfargo.com;siriuscom.com; dmarc=fail action=oreject
 header.from=wellsfargo.com;compauth=none reason=451
Received-SPF: Fail (protection.outlook.com: domain of wellsfargo.com does not
 designate 205.139.110.120 as permitted sender)
 receiver=protection.outlook.com; client-ip=205.139.110.120;
 helo=us-smtp-1.mimecast.com;

I noticed the mail seems to have originated in the outlook[.]com domain and to have hit a number of servers within that domain. More importantly, it seems there are lots of failures as it relates to Sender Policy Framework (SPF).
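The failures above are easy to eyeball on one message, but they are worth parsing mechanically when triaging mail in volume, and the Received-SPF line also states why SPF failed: the connecting host identified itself as us-smtp-1.mimecast.com, and the wellsfargo.com SPF record does not designate 205.139.110.120 as a permitted sender. The script below is an added example, not part of the original post: it unfolds the two headers quoted above (embedded as a constructed string carrying the page's own values), extracts the spf/dkim/dmarc results with their properties, and lists the reasons the message deserves a second look. The helper names and the heuristics in triage() are mine, not from any library.

```python
import re

# Constructed from the two header blocks quoted above, folded exactly as they
# appear in the message source; the values are the page's own.
RAW_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 205.139.110.120)
 smtp.mailfrom=wellsfargo.com; siriuscom.com; dkim=fail (body hash did not
 verify) header.d=wellsfargo.com;siriuscom.com; dmarc=fail action=oreject
 header.from=wellsfargo.com;compauth=none reason=451
Received-SPF: Fail (protection.outlook.com: domain of wellsfargo.com does not
 designate 205.139.110.120 as permitted sender)
 receiver=protection.outlook.com; client-ip=205.139.110.120;
 helo=us-smtp-1.mimecast.com;
"""

COMMENT_RE = re.compile(r"\([^)]*\)")               # parenthesised comments
KV_RE = re.compile(r"([\w.\-]+)=([^\s;]+)")          # key=value tokens
SENDER_IP_RE = re.compile(r"sender IP is (\d{1,3}(?:\.\d{1,3}){3})")


def unfold_headers(raw: str) -> dict:
    """Join RFC 5322 folded continuation lines into {name: value}."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip()
            headers[name] = value.strip()
    return headers


def parse_authentication_results(value: str) -> dict:
    """Pull method=result pairs (spf, dkim, dmarc, compauth) and their
    properties (smtp.mailfrom, header.d, header.from, action, reason)."""
    results = {}
    ip = SENDER_IP_RE.search(value)          # lives inside the spf comment
    if ip:
        results["sender_ip"] = ip.group(1)
    results.update(KV_RE.findall(COMMENT_RE.sub(" ", value)))
    return results


def parse_received_spf(value: str) -> dict:
    """Received-SPF: <result> (<comment>) key=value; key=value; ..."""
    cleaned = COMMENT_RE.sub(" ", value)
    props = dict(KV_RE.findall(cleaned))
    words = cleaned.split()
    props["result"] = words[0].lower() if words else "missing"
    return props


def triage(raw: str) -> list:
    """Return human-readable reasons the message deserves a closer look.
    These heuristics are my own, not a standard from any RFC or product."""
    headers = unfold_headers(raw)
    ar = parse_authentication_results(headers.get("Authentication-Results", ""))
    spf = parse_received_spf(headers.get("Received-SPF", ""))
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        if ar.get(method) != "pass":
            findings.append(f"{method}={ar.get(method, 'missing')}")
    if ar.get("dmarc") == "fail" and ar.get("action") in (
            "reject", "oreject", "quarantine", "oquarantine"):
        findings.append(f"dmarc action={ar['action']} for header.from={ar.get('header.from')}")
    # A relay outside the From domain is the usual reason SPF fails on real mail
    if spf.get("helo") and ar.get("header.from") and \
            not spf["helo"].endswith("." + ar["header.from"]):
        findings.append(f"helo={spf['helo']} is not under header.from={ar['header.from']}")
    if "sender_ip" in ar and spf.get("client-ip") and ar["sender_ip"] != spf["client-ip"]:
        findings.append("sender IP differs between Authentication-Results and Received-SPF")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_HEADERS):
        print("-", finding)
```

To use it on a real message, replace RAW_HEADERS with the saved message source. In Exchange Online, action=oreject means the sender's DMARC policy was reject but the service overrode it instead of bouncing the message, which is how a message that failed all three checks could still reach the mailbox.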

Checking the file hash in VirusTotal, Google, Bing and DuckDuckGo all returned 0 results at the time of my search.

C:\Users\SecurityNik>certutil -hashfile c:\tmp\trk971234427.pdf MD5
MD5 hash of c:\tmp\trk971234427.pdf:
6dbd1780250f64939227b82bfa4e5382
CertUtil: -hashfile command completed successfully.

Digging deeper to learn about the PDF, let's take a peek with PDFiD.

C:\Users\SecurityNik>pdfid c:\tmp\trk971234427.pdf
PDFiD 0.2.7 c:\tmp\trk971234427.pdf
 PDF Header: %PDF-1.4
 obj                    9
 endobj                 9
 stream                 3
 endstream              3
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    0
 /JavaScript            0
 /AA                    0
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          0
 /XFA                   0
 /URI                   0
 /Colors > 2^24         0

It is said that most malicious PDF documents only have one page, and we do see a single /Page above, but that in itself is not suspicious. Just as telling is what PDFiD did not find: /JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile and /ObjStm are all 0, so there is nothing that would run when the document opens and no compressed object streams hiding further objects, at least none that a keyword scan can see. What do we have in the three streams?
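PDFiD counts keywords over the raw bytes rather than parsing the file, and one reason that is still reliable is that it normalizes the #xx hex escapes PDF allows inside names, so /J#53 is counted as /JS. The following is an added example, not the pdfid source: a minimal counter in the same spirit, run over two constructed one-page PDFs, one plain and one with its action and JavaScript names hex-escaped, to show that a naive substring search both misses the escaped names and over-counts /Pages as /Page, while the normalized exact-match count does neither. The keyword list mirrors the output above; the sample PDFs are my own and deliberately carry an /OpenAction with JavaScript, which the remittance PDF did not.

```python
import re

# Names pdfid reports, mirroring the output above
NAME_KEYWORDS = [b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript",
                 b"/AA", b"/OpenAction", b"/AcroForm", b"/JBIG2Decode",
                 b"/RichMedia", b"/Launch", b"/EmbeddedFile", b"/XFA", b"/URI"]
# Structural keywords, counted as whole words so "endobj" is not also an "obj"
WORD_KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref",
                 b"trailer", b"startxref"]

# A name runs from "/" up to the next whitespace or delimiter character
NAME_RE = re.compile(rb"/[^\s/<>\[\](){}%]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples (mine, not the remittance PDF): the same one-page
# document, once plain and once with its interesting names hex-escaped.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
OBFUSCATED_PDF = (PLAIN_PDF.replace(b"/OpenAction", b"/Open#41ction")
                           .replace(b"/JavaScript", b"/Java#53cript")
                           .replace(b"/JS", b"/J#53"))


def normalize_name(name: bytes) -> bytes:
    """Resolve #xx escapes, so /J#53 reads as /JS (PDF 1.2 name syntax)."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def count_keywords(data: bytes) -> dict:
    """pdfid-style counts: whole-word structural keywords plus exact-match
    names after hex-escape normalization (/Pages does not count as /Page)."""
    counts = {kw: 0 for kw in WORD_KEYWORDS + NAME_KEYWORDS}
    for kw in WORD_KEYWORDS:
        counts[kw] = len(re.findall(rb"\b" + kw + rb"\b", data))
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def naive_counts(data: bytes) -> dict:
    """What a plain substring search sees: escaped names vanish and
    /Pages is mistaken for /Page."""
    return {kw: data.count(kw) for kw in NAME_KEYWORDS}


if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_PDF), ("obfuscated", OBFUSCATED_PDF)):
        print(label)
        for kw, n in count_keywords(doc).items():
            print(f"  {kw.decode():<16}{n}")
```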

C:\Users\SecurityNik>pdf-parser c:\tmp\trk971234427.pdf --object 1,3,5
obj 1 0
 Type: /XObject
 Referencing:
 Contains stream

  <<
    /ColorSpace /DeviceRGB
    /Subtype /Image
    /Height 42
    /Filter /DCTDecode
    /Type /XObject
    /Width 230
    /BitsPerComponent 8
    /Length 6170
  >>


obj 5 0
 Type:
 Referencing:
 Contains stream

  <<
    /Filter /FlateDecode
    /Length 1282
  >>


obj 3 0
 Type: /XObject
 Referencing: 2 0 R
 Contains stream

  <<
    /Subtype /Form
    /Filter /FlateDecode
    /Type /XObject
    /Matrix [1 0 0 1 0 0]
    /FormType 1
    /Resources
      <<
        /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
        /Font
          <<
            /F1 2 0 R
          >>
      >>
    /BBox [0 0 36 10.35]
    /Length 55
  >>

Looking at obj 1 0, we see a dictionary describing an image: /Subtype /Image, /ColorSpace /DeviceRGB, /Height 42, /Width 230, 8 bits per component, and /Filter /DCTDecode, which is JPEG compression. /Length 6170 tells us the stream data is 6170 bytes. 

Attempting to extract this content from obj 1 0 with --filter, we see that pdf-parser does not support the DCTDecode filter. That is expected: unlike FlateDecode, DCTDecode is not a general-purpose compressor but the JPEG format itself, so there is nothing to decode; the raw stream bytes are already a complete JPEG file.

C:\Users\SecurityNik>pdf-parser c:\tmp\trk971234427.pdf --object 1 --filter
obj 1 0
 Type: /XObject
 Referencing:
 Contains stream

  <<
    /ColorSpace /DeviceRGB
    /Subtype /Image
    /Height 42
    /Filter /DCTDecode
    /Type /XObject
    /Width 230
    /BitsPerComponent 8
    /Length 6170
  >>

 "Unsupported filter: ['/DCTDecode']"


Taking advantage of PDFStreamDumper and looking at the hex dump of stream 1, the first few bytes identify it as a JPEG file (FF D8 FF, the JPEG start-of-image marker), which is exactly what a /DCTDecode stream should contain.


I then saved those bytes to a file named pdf-obj-1.jpg

C:\Users\SecurityNik>dir c:\tmp\pdf-obj-1.jpg
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of c:\tmp

12/22/2020  01:28 PM             6,170 pdf-obj-1.jpg
               1 File(s)          6,170 bytes
               0 Dir(s)  37,737,611,264 bytes free

You might also notice that the file size, 6,170 bytes, matches the /Length 6170 declared in obj 1 0, a quick sanity check that the whole stream was captured and that nothing trails it.

I then ran the image's SHA1 hash through VirusTotal and got no hits. Next stop: load up Process Hacker before opening the image, to see if it creates any processes. The image turned out to be the company logo.

Let's now look at obj 5 0, applying the filter and dumping its decoded output to a file named pdf-obj-5.txt.

C:\Users\SecurityNik>pdf-parser c:\tmp\trk971234427.pdf --object 5 --filter --dump pdf-obj-5.txt
obj 5 0
 Type:
 Referencing:
 Contains stream

  <<
    /Filter /FlateDecode
    /Length 1282
  >>

Verifying the file's creation.

C:\Users\SecurityNik>dir pdf-obj-5.txt
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of C:\Users\SecurityNik

12/22/2020  01:45 PM             5,948 pdf-obj-5.txt
               1 File(s)          5,948 bytes
               0 Dir(s)  37,858,271,232 bytes free


The decoded stream is 5,948 bytes, up from the 1,282 bytes declared in /Length, which is expected once FlateDecode (zlib) compression is removed. Running the type command on the file, nothing stands out as suspicious: it is an ordinary page content stream that saves graphics state (q), sets a clipping rectangle (re W n), positions with cm, and draws the /img0 image XObject with Do.

C:\Users\SecurityNik>type pdf-obj-5.txt | more
q
36 36 540 720 re
W
n
q
1 0 0 1 39 734.74 cm
q 100 0 0 18.26 0 0 cm /img0 Do Q
Q
q
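Both dumps above come down to the same two checks: read /Length, slice exactly that many bytes and confirm that endstream follows (the 6,170-byte match for obj 1 0), then apply the filter if it is lossless (FlateDecode for obj 5 0) or recognise that it is not (DCTDecode, where the raw bytes already are the JPEG). The script below is an added example, not pdf-parser or PDFStreamDumper code: it builds a constructed two-stream PDF mirroring objects 1 and 5 above (the JPEG is a fake header, not a real image), walks the objects with a depth-aware dictionary reader, validates each stream against its declared length, inflates FlateDecode with zlib, and checks DCTDecode data for the JPEG SOI marker before treating it as an image to save as .jpg. Function names and the sample data are mine.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(?=<<)")
STREAM_RE = re.compile(rb"\s*stream(?:\r\n|\n)")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
FILTER_RE = re.compile(rb"/Filter\s*\[?\s*/(\w+)")           # first filter only
JPEG_SOI = b"\xff\xd8\xff"                                   # JPEG start-of-image marker


def build_sample_pdf():
    """Constructed sample, not the remittance PDF: obj 1 is a /DCTDecode
    image (a fake JPEG header, not a viewable picture), obj 5 a /FlateDecode
    content stream made from the operators shown above."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40
    content = (b"q\n36 36 540 720 re\nW\nn\nq\n1 0 0 1 39 734.74 cm\n"
               b"q 100 0 0 18.26 0 0 cm /img0 Do Q\nQ\n")
    deflated = zlib.compress(content)
    pdf = b"%PDF-1.4\n"
    pdf += (b"1 0 obj\n<< /Type /XObject /Subtype /Image /Width 230 /Height 42"
            b" /ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode"
            b" /Length %d >>\nstream\n" % len(jpeg)) + jpeg + b"\nendstream\nendobj\n"
    pdf += (b"5 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(deflated)) + deflated + b"\nendstream\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf, content, jpeg


def read_dict(pdf: bytes, start: int):
    """Return (bytes, end) of the balanced << ... >> beginning at start."""
    depth, i = 0, start
    while i < len(pdf):
        if pdf.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif pdf.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return pdf[start:i], i
        else:
            i += 1
    raise ValueError("unterminated dictionary")


def decode(dict_bytes: bytes, raw: bytes):
    """Apply the filter where possible. DCTDecode needs no decoding: the raw
    bytes are a complete JPEG, which is why pdf-parser reports it unsupported."""
    f = FILTER_RE.search(dict_bytes)
    name = f.group(1).decode() if f else "none"
    if name == "FlateDecode":
        return name, zlib.decompress(raw)
    if name == "DCTDecode":
        if not raw.startswith(JPEG_SOI):
            raise ValueError("DCTDecode stream does not start with the JPEG SOI marker")
        return "DCTDecode (raw JPEG; save as .jpg)", raw
    return name, raw


def analyze(pdf: bytes) -> list:
    """Walk every 'N G obj' that carries a stream, honour /Length, and verify
    that endstream really follows, the way the 6170-byte check above does."""
    rows, pos = [], 0
    while True:
        m = OBJ_RE.search(pdf, pos)
        if not m:
            return rows
        dict_bytes, end = read_dict(pdf, m.end())
        pos = end
        s = STREAM_RE.match(pdf, end)
        if not s:
            continue                       # object has no stream
        lm = LENGTH_RE.search(dict_bytes)
        if not lm:
            continue                       # indirect /Length not handled here
        n, start = int(lm.group(1)), s.end()
        raw = pdf[start:start + n]
        pos = start + n                    # never search inside stream bodies
        filt, decoded = decode(dict_bytes, raw)
        tail = pdf[start + n:start + n + 16]
        rows.append({
            "obj": int(m.group(1)), "filter": filt,
            "declared_length": n, "raw_length": len(raw),
            "decoded": decoded, "decoded_length": len(decoded),
            "endstream_follows": re.match(rb"\s*endstream", tail) is not None,
        })


if __name__ == "__main__":
    sample, _, _ = build_sample_pdf()
    for r in analyze(sample):
        print(f"obj {r['obj']}: {r['filter']}, /Length {r['declared_length']}, "
              f"decoded {r['decoded_length']} bytes, endstream ok={r['endstream_follows']}")
```

When endstream_follows comes back False the declared /Length and the real stream disagree, which is worth a look on its own: a stream that runs past its length can carry data a viewer never renders.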

At this point, I haven't found anything to confirm my suspicion that this is a malicious file. I then opened the file on my analysis machine using my browser. This is when I started laughing. I guess I'm a bit too paranoid. 

False Positive
It turned out this was actually a legit email; I just was not expecting it. Similarly, I was already set to report this as suspicious. I guess it is a good thing I took a second to look at it and see what might be of interest. How do I know it is legit? Well, further evidence can be had from individuals within the organization to confirm this is legit. An important takeaway here is that context is truly important when performing analysis.


References:
How SPF Works
Enforcing DMARC policy (reject) on an Office 365 tenant
