SANS ISC: Phishing PDFs with multiple links - Detection - SANS Internet Storm Center

Phishing PDFs with multiple links - Detection

One advantage of static analysis over dynamic analysis is that it can reveal information that never surfaces at run time, such as links the sample carries but does not use. In the last phishing PDF analysis example, static analysis uncovered more URLs than dynamic analysis showed.

I analyzed this sample further and discovered several similar phishing PDFs from the last few months. What this actor does is produce these phishing PDFs from the same Word document, changing only 2 of the URLs and not noticing that the document actually contains 5.

Here is the metadata:

Since the actor uses the same tools to create these phishing PDFs and leaves 3 of the 5 URLs unchanged, the files become simple to detect. For example, here is a simple YARA rule to detect them (the URL is defanged, so refang it before use):

        rule Phishing_PDF_Word2016 {   // rule name added here; the original shows only strings and condition
            strings:
                $a = "%PDF-1.5"
                $b = "Word 2016"
                $c = "hxxp://www.giuseppemarzulli[.]it/"   // defanged; refang before use
            condition:
                @a == 0 and $b and $c
        }

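The same detection logic, as an added example in Python rather than YARA (this is not code from the diary): it applies the rule's three checks to raw file bytes, pulls the /URI link targets out of the file, and intersects the URL sets of two samples to find the links the actor never edits, which are the durable indicators. The sample PDFs are constructed, uncompressed skeletons with hypothetical example.net/example.org URLs; only the defanged domain comes from the post.

```python
import re

# Indicators from the diary's YARA rule; the URL is kept defanged as published.
PDF_MAGIC = b"%PDF-1.5"
PRODUCER_MARK = b"Word 2016"
DEFANGED_URL = "hxxp://www.giuseppemarzulli[.]it/"

URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)


def refang(indicator):
    """Undo the usual defanging conventions (hxxp -> http, [.] -> .)."""
    return re.sub(r"^hxxp", "http", indicator).replace("[.]", ".")


def matches_rule(data):
    """Python equivalent of the diary's rule: $a at offset 0, $b and $c anywhere.

    Like the YARA rule, this only works on files whose strings are stored
    uncompressed; a compressed object stream would hide $b and $c.
    """
    return (data.startswith(PDF_MAGIC)
            and PRODUCER_MARK in data
            and refang(DEFANGED_URL).encode() in data)


def extract_uris(data):
    """Return every /URI (...) literal found in the raw bytes, in file order.

    Simplification: handles plain literal strings only, not escaped ')' or
    hex strings, which is enough for Word-generated link annotations.
    """
    return [m.decode("latin-1") for m in URI_RE.findall(data)]


def shared_uris(samples):
    """URIs present in every sample: the ones the actor never edits and which
    therefore make good long-lived indicators."""
    sets = [set(extract_uris(s)) for s in samples]
    return set.intersection(*sets) if sets else set()


def build_sample(uris, producer=b"Microsoft Word 2016", prefix=b""):
    """Constructed, minimal PDF skeleton with one Link annotation per URI.
    Not a real file from the campaign; just enough structure for the checks."""
    objs = [b"1 0 obj\n<< /Producer (" + producer + b") >>\nendobj\n"]
    for n, uri in enumerate(uris, start=2):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, uri.encode()))
    return prefix + PDF_MAGIC + b"\n" + b"".join(objs) + b"%%EOF\n"


STABLE_URL = refang(DEFANGED_URL)
# Hypothetical example.net/example.org URLs stand in for the other four links:
# two the actor leaves alone, two that change per campaign.
SAMPLE_A = build_sample([STABLE_URL,
                         "http://example.net/static-1", "http://example.net/static-2",
                         "http://example.org/campaign-a", "http://example.org/campaign-a/login"])
SAMPLE_B = build_sample([STABLE_URL,
                         "http://example.net/static-1", "http://example.net/static-2",
                         "http://example.org/campaign-b", "http://example.org/campaign-b/login"])
CLEAN = build_sample(["http://example.com/"])              # Word 2016 PDF, no actor URL
SHIFTED = build_sample([STABLE_URL], prefix=b"MZ junk ")   # magic not at offset 0, @a != 0

if __name__ == "__main__":
    for name, sample in [("A", SAMPLE_A), ("B", SAMPLE_B),
                         ("clean", CLEAN), ("shifted", SHIFTED)]:
        print(name, matches_rule(sample), extract_uris(sample))
    print("stable across samples:", sorted(shared_uris([SAMPLE_A, SAMPLE_B])))
```

The `shared_uris` step is the point of the diary generalised: run it over every sample you attribute to the actor and the intersection is the set of strings worth putting in a rule, while anything outside it is campaign-specific and will rotate.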

A deep analysis of malware with static and dynamic analysis can help reveal actionable IOCs.

Didier Stevens
Microsoft MVP Consumer Security


ISC Handler
Apr 2nd 2018
