The Perils of PDF

The Dodge Ram ProMaster cargo van we rented to haul our bikes to Glens Falls (and bring some furniture back) sat on their 2500 truck chassis, thus weaponizing an obvious phishing email waiting for me on our return:

Subject: About the Dodge ram 2500
Kindly review full details of your order.
Methner

The From and To addresses were identical, which is always a tipoff, as was the fact neither were any of my addresses. The email had an attached PDF, of course, although the context suggested handling it with the same nonchalance I’d use with any lump of high-level radioactive waste.

That brief text tripped my junk filters, but, somewhat to my surprise, all the scanners at VirusTotal passed Order 372.PDF without complaint (since then, one scanner woke up, smelled the scam, and tagged the file as “PDF/Phishing.A.Gen”).

Converting the PDF to plain text with pdftotext produced an empty file, so the PDF payload isn’t a script.

Passing the PDF through strings revealed a URL for a (probably compromised) server unrelated to the (obviously bogus) email address, wrapped with layout verbiage suggesting a clickable link:

<</Subtype/Link/Rect[ 205.25 467.11 369.91 499.51] /BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI(http://bogus-domain-here.com/wp-settings/bloglist/hh/index.php) >>>>
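The `strings` output above is the raw PDF syntax for a Link annotation whose action is `/S/URI`. For triage it helps to pull every such URI out of a suspicious file and list the hostnames, with the PDF string encodings decoded so the URL is exact (literal strings can contain `\(`-style escapes and octal codes, and a URI can also be stored as a hex string). The script below is an added example, not code from the post; the sample PDF inside it is constructed, with the annotation dictionary copied from the post and two extra annotations pointing at placeholder domains. Like `strings`, it only sees annotation dictionaries that are stored uncompressed; links tucked inside an object stream would need a real PDF parser such as `pdfminer` or `qpdf --qdf` to surface first.

```python
"""Extract /URI link targets from a PDF's raw bytes for phishing triage.

Added example; the sample document is constructed, not the file from the post.
"""
import re
from urllib.parse import urlsplit

# Constructed, minimal PDF. Object 4 mirrors the Link annotation quoted in the
# post; objects 5 and 6 use a hex string and an escaped literal string so the
# decoder is exercised. Raw bytes literal so the PDF backslashes survive.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj <</Type/Catalog/Pages 2 0 R>> endobj
2 0 obj <</Type/Pages/Kids[3 0 R]/Count 1>> endobj
3 0 obj <</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Annots[4 0 R 5 0 R 6 0 R]>> endobj
4 0 obj <</Subtype/Link/Rect[ 205.25 467.11 369.91 499.51] /BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI(http://bogus-domain-here.com/wp-settings/bloglist/hh/index.php) >>>> endobj
5 0 obj <</Subtype/Link/Rect[0 0 10 10]/A<</S/URI/URI<68747470733a2f2f6578616d706c652e6e65742f3f613d286229>>>>> endobj
6 0 obj <</Subtype/Link/Rect[0 0 10 10]/A<</S/URI/URI(http://example.org/x\(y\)\051)>>>> endobj
trailer <</Root 1 0 R>>
%%EOF
"""

# The /URI key whose value is a string; "/S/URI" is skipped because a "/" follows.
URI_KEY = re.compile(rb"/URI\s*(?=[(<])")
OCTAL = re.compile(rb"[0-7]{1,3}")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def _read_literal(data: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a PDF literal string starting at the '(' at data[pos]."""
    depth, i, out = 1, pos + 1, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in ESCAPES:
                out += ESCAPES[nxt]
                i += 2
            elif (m := OCTAL.match(data, i + 1)):
                out.append(int(m.group(), 8) & 0xFF)   # \ddd octal escape
                i += 1 + len(m.group())
            elif nxt in (b"\n", b"\r"):
                i += 2                                  # line continuation
            else:
                out += nxt                              # stray backslash dropped
                i += 2
            continue
        if c == b"(":
            depth += 1                                  # balanced parens allowed
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return bytes(out), i


def _read_hex(data: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a PDF hex string starting at the '<' at data[pos]."""
    end = data.index(b">", pos)
    digits = re.sub(rb"\s+", b"", data[pos + 1:end])
    if len(digits) % 2:
        digits += b"0"                                  # odd trailing digit per spec
    return bytes.fromhex(digits.decode("ascii")), end + 1


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI string value found in uncompressed PDF objects, in file order."""
    uris = []
    for m in URI_KEY.finditer(pdf_bytes):
        pos = m.end()
        reader = _read_literal if pdf_bytes[pos:pos + 1] == b"(" else _read_hex
        raw, _ = reader(pdf_bytes, pos)
        uris.append(raw.decode("latin-1"))
    return uris


def hostnames(uris: list[str]) -> list[str]:
    """Unique, sorted hostnames: the part worth checking against a blocklist."""
    return sorted({h for u in uris if (h := urlsplit(u).hostname)})


if __name__ == "__main__":
    found = extract_uris(SAMPLE_PDF)
    for u in found:
        print(u)
    print("hosts:", ", ".join(hostnames(found)))
```

Run it against a real sample with `extract_uris(open("Order 372.PDF", "rb").read())`; an empty list from a file that still renders a clickable button is a sign the annotation lives in a compressed object stream rather than proof that no link exists.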

Passing the PDF through pdftoppm produced this comforting image:

Bogus Order Form - Image

The “100% SECURE” padlock logo, with a green check for added confidence, is a nice touch.

At this point, if a product involves The Cloud, you can deal me out.
