Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - Static Analysis

In this six-part series we analyze a recent phishing attempt that arrived in an email sent to me. In the first post we looked at the email itself, and in the second we analyzed the traffic with Wireshark. In this post we perform some basic static analysis.


The file which was downloaded was "invoice1211_pdf82.zip"

Verifying the .zip file extension
1. The file command suggests this is a .zip file. Note that file decides from the magic bytes at the start of the file, not from the extension, so it is a better judge than the name.



2. Let's use xxd to read the raw bytes.
If this is a real .zip file, the first four bytes should be "50 4B 03 04": the ASCII letters "PK" followed by 03 04, which is the local file header signature. Let's see if that is true.


Looks like we have a match. (A magic match only tells us the bytes are laid out like a zip archive; an empty archive would instead start with 50 4B 05 06, and nothing here says the contents are safe.)
Interesting note: the dump also shows a file named "invoice1211_pdf.exe" in this archive, because the local file header stores each entry's name in plain text immediately after its 30 bytes of fixed fields.

Verifying the contents of invoice1211_pdf82.zip






As can be seen above, we do have an .exe file in this archive.


Let's extract the contents of this file

Looks like we have the final file.
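The two checks above (the signature bytes and a listing of the entries) written as one script, as an added example that is not part of the original post. It walks the local file headers directly, the way you would by reading the xxd output, cross-checks the entry names against the central directory (which unzip and most extractors trust), and flags entries with executable extensions or document-like names. The archive it runs on is built in build_sample_zip() as a constructed stand-in for invoice1211_pdf82.zip; its payload is a fake MZ stub, not the real sample, and the EXEC_EXTENSIONS list and the "_pdf" naming check are my own heuristics.

```python
import io
import os
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"    # 50 4B 03 04, the bytes checked with xxd above
END_OF_CENTRAL_DIR = b"PK\x05\x06"   # an *empty* archive starts with this record instead
# Extensions Windows will execute; any of these inside an "invoice" archive is a red flag (my list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".dll"}


def has_zip_magic(data):
    """Same test as the xxd check: do the first four bytes spell a local file header?"""
    return data[:4] == LOCAL_FILE_HEADER


def walk_local_headers(data):
    """Walk the local file headers from offset 0 and return (name, method, csize, usize) per entry.

    Stops early if an entry has general-purpose flag bit 3 set: its sizes then live in a
    data descriptor *after* the compressed data, so the walk cannot continue without
    consulting the central directory.
    """
    entries, off = [], 0
    while data[off:off + 4] == LOCAL_FILE_HEADER:
        (_version, flags, method, _mtime, _mdate, _crc,
         csize, usize, name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        name = data[off + 30:off + 30 + name_len].decode("cp437")
        entries.append((name, method, csize, usize))
        if flags & 0x0008:
            break
        off += 30 + name_len + extra_len + csize
    return entries


def central_directory_names(data):
    """Entry names as recorded in the central directory (what unzip -l lists)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def audit_zip(data):
    """Return a list of human-readable findings about a suspicious archive."""
    findings = []
    if not has_zip_magic(data):
        if data[:4] == END_OF_CENTRAL_DIR:
            findings.append("empty zip archive (starts with PK\\x05\\x06)")
        else:
            findings.append("no PK\\x03\\x04 local file header at offset 0; not a normal zip")
        return findings
    local = walk_local_headers(data)
    local_names = [name for name, _m, _c, _u in local]
    central = central_directory_names(data)
    # Extractors differ in which header they trust, so a mismatch is an evasion indicator.
    if local_names != central:
        findings.append("local headers %r disagree with central directory %r" % (local_names, central))
    for name, _method, _csize, _usize in local:
        stem, ext = os.path.splitext(name)
        if ext.lower() in EXEC_EXTENSIONS:
            findings.append("executable inside archive: %s" % name)
        if stem.lower().endswith(("_pdf", "-pdf", ".pdf")):   # "invoice1211_pdf.exe" style lure
            findings.append("name mimics a PDF document: %s" % name)
    return findings


def build_sample_zip():
    """Constructed stand-in for invoice1211_pdf82.zip: one fake PE named like the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice1211_pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 4000)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("magic ok:", has_zip_magic(sample))
    for entry in walk_local_headers(sample):
        print("local header:", entry)
    for finding in audit_zip(sample):
        print("finding:", finding)
```

Run it on a real download with audit_zip(open(path, "rb").read()). The local-header walk and the central-directory listing are deliberately kept separate so that a crafted archive whose two structures disagree is reported rather than silently resolved one way or the other.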

Analyzing invoice1211_pdf.exe
1. Using the "file" command.




Looks like we have a Windows executable (a PE file). As with the archive, file decides from the MZ/PE headers rather than the name, which is why the "_pdf.exe" naming trick does not fool it.

2. Using the "strings" command
strings invoice1211_pdf.exe | more

We can see some of the Windows APIs being used. Of most interest was the string "name=BadTimes Inc.". Keep in mind that by default strings prints only runs of at least four printable ASCII characters; Windows binaries store many strings as UTF-16, which strings -e l extracts, so run both before concluding a string is absent.
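A small strings replacement, added here as an example and not part of the original post, to show what the default ASCII scan finds and what it misses. SAMPLE is a constructed byte string standing in for a slice of invoice1211_pdf.exe (it is not the real binary), and the TAGGERS patterns are my own triage heuristics, not anything the post or the tools above define.

```python
import re

# Constructed sample bytes (not the real binary): a DOS stub, a few import names, one short
# run that must be filtered, the "name=" string the post calls out, and a UTF-16LE path
# that a default `strings` run would not print.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    + b"\x01\x02ab\x03"
    + b"name=BadTimes Inc.\x00\x00\x00"
    + "C:\\Windows\\Temp\\update.tmp".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(data, min_len=4):
    """Return (encoding, offset, text) for printable runs of at least min_len characters.

    Covers 7-bit ASCII (what `strings` prints by default) and UTF-16LE
    (what `strings -e l` prints), since Windows binaries keep many strings wide.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found, key=lambda item: item[1])


# Heuristic tags (assumption: these are the patterns an analyst pulls out first).
TAGGERS = {
    "dll": re.compile(r"(?i)\.dll$"),
    "url": re.compile(r"(?i)^https?://"),
    "path": re.compile(r"^[A-Za-z]:\\"),
    "api": re.compile(r"^(Load|Get|Create|Write|Read|Virtual|Reg|Internet|WinHttp|URLDownload)[A-Za-z0-9]+$"),
    "metadata": re.compile(r"^(name|version|CompanyName|ProductName)="),
}


def triage(found):
    """Group extracted strings by the first tag that matches; untagged strings are dropped."""
    tagged = {}
    for _enc, _off, text in found:
        for tag, pattern in TAGGERS.items():
            if pattern.search(text):
                tagged.setdefault(tag, []).append(text)
                break
    return tagged


if __name__ == "__main__":
    for enc, off, text in extract_strings(SAMPLE):
        print("%-8s %#06x %s" % (enc, off, text))
    print(triage(extract_strings(SAMPLE)))
```

Replace SAMPLE with open(path, "rb").read() to run it on a real file. The UTF-16LE pattern can latch onto a trailing ASCII character followed by a NUL and prepend it to a wide string, so treat the first character of a wide hit with some suspicion when the two encodings sit next to each other.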

Grabbing the MD5 hash (record the SHA-256 as well with sha256sum; MD5 is fine for a lookup, but collisions are practical, so it should not be the only identifier you keep)
md5sum invoice1211_pdf.exe
78cf05faa79b41b4be4666e3496d1d54  invoice1211_pdf.exe

Checking the hash against VirusTotal

With a detection ratio of 24/54, I would definitely consider this malicious. Keep in mind that the ratio is a snapshot: it rises as vendors add signatures, so a low ratio on a freshly delivered sample says little. Looking up the hash also never uploads the file, which matters when the sample may carry information about the recipient.

Viewing the file in Windows Explorer

When the file was opened in Windows Explorer it looked just like any regular .pdf file. Two things produce that effect: Explorer hides the extensions of known file types by default, so invoice1211_pdf.exe is displayed as invoice1211_pdf, and it shows whatever icon the executable carries in its own resources rather than anything derived from the content. However, as we will see, this is no .pdf file.

Using PEiD

From the above we can see that PEiD identifies the compiler as "Microsoft Visual C++ 6.0" and the file as a Win32 GUI application. The compiler match comes from a byte signature at the entry point, so a packer or a deliberately patched stub can change it; treat it as a hint rather than proof. More importantly, PEiD shows the full file name, so the real extension, .exe, is visible instead of the misleading _pdf.

Identifying Windows APIs

From the above we see this program imports only four Windows APIs. Such a small import table is itself worth noting: it lists only what the binary links statically, and packed or obfuscated malware typically resolves the rest at run time, so the static list is a lower bound on what the program will actually call.
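What file, PEiD and the import listing above read out of the binary can be reproduced with a short parser; the following is an added example and not the post's own code or any of those tools' output. It parses the DOS and PE headers (machine, subsystem, linker version), the section table, and the import directory, translating RVAs to file offsets through the sections. The sample it parses is built by hand in build_sample_pe(): a linker version of 6.0, a GUI subsystem, and three imports from two DLLs chosen for illustration; the real invoice1211_pdf.exe is not reproduced. Note that the header's linker version is a weaker hint than PEiD's entry-point signature and is trivially edited.

```python
import struct

MACHINE = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "native", 2: "Windows GUI", 3: "Windows CUI"}


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data):
    """Parse the headers and import table of a PE file; raises ValueError if it is not one."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic == 0x10B:                                                 # PE32
        datadir, thunk_fmt = opt + 96, "<I"
    elif magic == 0x20B:                                               # PE32+
        datadir, thunk_fmt = opt + 112, "<Q"
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]            # same offset in PE32 and PE32+

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for _name, va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA %#x is not backed by any section" % rva)

    imports = {}
    import_rva = struct.unpack_from("<I", data, datadir + 8)[0]        # DataDirectory[1] = imports
    desc = rva_to_offset(import_rva) if import_rva else None
    while desc is not None:
        orig_first_thunk, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                              # all-zero terminator
            break
        dll = _cstring(data, rva_to_offset(name_rva))
        thunk = rva_to_offset(orig_first_thunk or first_thunk)         # prefer the name table
        thunk_size = struct.calcsize(thunk_fmt)
        ordinal_flag = 1 << (thunk_size * 8 - 1)
        funcs = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append("#%d" % (entry & 0xFFFF))                  # import by ordinal
            else:
                funcs.append(_cstring(data, rva_to_offset(entry) + 2))  # skip the 2-byte hint
            thunk += thunk_size
        imports[dll] = funcs
        desc += 20
    return {
        "machine": MACHINE.get(machine, "%#x" % machine),
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "linker": "%d.%d" % (linker_major, linker_minor),
        "sections": [s[0] for s in sections],
        "imports": imports,
    }


def build_sample_pe():
    """Hand-built PE32 with a real import table (constructed fixture, not the real sample)."""
    sec_va, sec_raw = 0x1000, 0x200
    body = bytearray(0x200)

    def rva(off):
        return sec_va + off

    def put(off, raw):
        body[off:off + len(raw)] = raw

    put(0x80, b"KERNEL32.dll\0")
    put(0x90, b"USER32.dll\0")
    put(0xA0, b"\0\0CreateFileA\0")                                     # hint + name
    put(0xB0, b"\0\0WriteFile\0")
    put(0xC0, b"\0\0MessageBoxA\0")
    put(0x40, struct.pack("<III", rva(0xA0), rva(0xB0), 0))             # KERNEL32 name table
    put(0x50, struct.pack("<II", rva(0xC0), 0))                         # USER32 name table
    put(0x60, bytes(body[0x40:0x4C]))                                   # address tables (copies)
    put(0x70, bytes(body[0x50:0x58]))
    put(0x00, struct.pack("<IIIII", rva(0x40), 0, 0, rva(0x80), rva(0x60)))   # descriptors
    put(0x14, struct.pack("<IIIII", rva(0x50), 0, 0, rva(0x90), rva(0x70)))
    opt = bytearray(224)                                                # PE32 optional header
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)                       # magic, linker 6.0
    struct.pack_into("<H", opt, 68, 2)                                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, rva(0x00), 0x3C)                  # import directory RVA, size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    section = struct.pack("<8sIIII", b".rdata", 0x200, sec_va, 0x200, sec_raw) + bytes(16)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers + bytes(sec_raw - len(headers)) + bytes(body)


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
```

Run it on a real file with parse_pe(open(path, "rb").read()). The walk follows OriginalFirstThunk when it is present, because that name table survives even after the loader has overwritten the IAT in memory, and the section-based RVA translation is exactly what makes parsing a file on disk different from parsing a memory dump.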

In the next post we will perform some basic dynamic analysis to see what we can learn by executing the file.


The .pcap and .zip files from my analysis are listed below. Please note that in no way am I responsible for any damage caused to your computer or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25  
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53 

Reference:
http://unixhelp.ed.ac.uk/CGI/man-cgi?file
http://linux.die.net/man/1/xxd
http://linux.die.net/man/1/zip
http://linux.die.net/man/1/unzip
http://linux.die.net/man/1/strings
http://www.virustotal.com
http://www.aldeid.com/wiki/PEiD
http://www.dependencywalker.com/
