The PDF file contains several images and and two interesting URLs
The first URL, http://dropboox[.]ga clearly is a phishing link for Dropbox, however in this case it is not being used.
The other link, is still active by the time of writing this post, https://urlz[.]fr/6DWd, redirects to http://mineralsconventionregistration[.]ca/Scann%20copy.z which it is a compressed file. In VT this file is being flagged: https://www.virustotal.com/#/file/670bca12bb20921b4689bb2651a8cc7b87840f31dbf729694027db4fb64e3296/detection
The first time I tried to detonate the file in several sandboxes it did not work, so I was interesting to understand a bit more. The file inside has .JAR extension, however the magic number for this file doesn't really correspond with the extension of the file, as it is MS-DOS
A first analysis of the file shows interesting things. The beginning of the file is a MS-DOS file:
However, it contains several more files inside:
The analysis from previous tools seems is not accurate as one of the MS-DOS file has 7.2MB, however the total file is only around 800k. Checking with other tools, the analysis is different, for example, with foremost the MS-DOS files doesn't show
When unzipping the the .jar file, there is some warning :
I did a manual analysis on the file and as first look I even see some HTML, PHP and JavaScript code, right after the first MS-DOS code
When dumping the first PHP file, the content clearly is a phishing website to get passwords from email.
Then I forced my sandbox to detonate the file as JAR file, and ignoring the magic number, this worked and I could see they typical Adwind behaviour.
The connection to the Jrat C&C is 185.29.10.138:6060 (jrat138.duckdns.org). That IP is not new to me, as I have seen this IP linked to Qrat / Qrypter / Adwind in some analysis I i did in the past .
As I said in the beginning, the file doesn't detonate in some sandboxes, due to how it is built. For example, this is the analysis from HA with no detonation
https://www.hybrid-analysis.com/sample/94f087e4f03d4c109db44e9c111e8a4c500ef619ccb5a4833b283495b9ecb23e?environmentId=100
Other sandboxes, detects that the extension doesn't match the magic number
Regarding the AV, it seems some of them detectes the HTML, in the beginning of the file, as phishing. While other detect it as Adwind
The behavior of the DOC files is very similar. However, instead of including the URLs in the PDF file, CVE-2017-11882 is exploited to download the maliciuos file:
http://mineralsconventionregistration[.]ca/scan.hta
In the end, the final payload is exactly the same in bot cases, however the URL is not exactly the same:
http://mineralsconventionregistration[.]ca/scan.jar
Regardless of what the AV / Sandboxes detect, and what the magic number is, when the user opens the file via the explorer, the file is executed like a normal Java file, hence it gets infected with Adwind. It seems that bad guys are trying with this techniques to by-pass some detection controls.
IOCs:
http://dropboox[.]ga
185.29.10.138:6060
jrat138.duckdns[.]org
http://mineralsconventionregistration[.]ca/scan.jar
http://mineralsconventionregistration[.]ca/scan.hta
1540f31ed4c2a721771dbc452b8feeaa
a9122eb1e0345568540ae6a9e35432cc
1540f31ed4c2a721771dbc452b8feeaa
