Analyzing Bank Account Theft with a Malicious PDF
Hi everyone, since I haven't posted anything in a while, I decided to write one more analysis of bank account theft carried out with malicious PDFs.
I normally receive many of these e-mails every day, and sometimes I like to spend some time checking whether the attacker has improved the strategy used to reach the target. Let's look at it in practice.
Below is the email received.
The sender address is a random/unknown one that does not belong to the legitimate company, and the message carries a PDF attachment.
Static Analysis
I downloaded the file to my Kali Linux machine and started the analysis using Peframe.
It was possible to confirm that the file is a PDF and that it contains a suspicious URL. I then used PDF-PARSE to double-check that the URL really is inside the PDF file.
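As an added example (not the author's code and not part of Peframe or PDF-PARSE), the Python script below does the same double-check in a repeatable way: it pulls every /URI action out of a PDF's raw bytes, flags the ones whose host does not belong to the brand the e-mail claims to come from, and counts auto-execution keys. The embedded PDF and the brand.example host are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the PDF from the post): a minimal uncompressed PDF whose
# "Clique Aqui" link annotation and /OpenAction both carry /URI actions.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://promo.example.invalid/clique\\)aqui) >> >> endobj
5 0 obj << /S /URI /URI <687474703a2f2f6578616d706c652e696e76616c69642f6f70656e> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (literal string, may contain backslash escapes) and /URI <hex string>
_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_RISKY = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")

def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in the raw bytes (uncompressed objects only;
    /FlateDecode streams would need inflating first, as pdf-parser does)."""
    found = [re.sub(rb"\\(.)", rb"\1", m.group(1)) for m in _LITERAL.finditer(pdf)]
    found += [bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode())
              for m in _HEX.finditer(pdf)]
    return [u.decode("latin-1") for u in found]

def defang(url: str) -> str:
    """Render a URL safe to paste into a report: hxxp and bracketed dots."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")

def triage(pdf: bytes, expected_host: str) -> dict:
    """Flag URIs whose host is not the impersonated brand's domain, plus keys
    that make the reader act as soon as the document is opened."""
    uris = extract_uris(pdf)
    def on_brand(u: str) -> bool:
        host = (urlparse(u).hostname or "").lower()
        return host == expected_host or host.endswith("." + expected_host)
    return {
        "uris": [defang(u) for u in uris],
        "off_brand": [defang(u) for u in uris if not on_brand(u)],
        "risky_keys": {k.decode(): pdf.count(k) for k in _RISKY if k in pdf},
    }

if __name__ == "__main__":
    # brand.example is a placeholder for the brand the e-mail impersonates
    print(triage(SAMPLE_PDF, "brand.example"))
```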
After discovering the suspicious URL, I analyzed it with https://urlscan.io and found a history of other suspicious URLs linked to it, including a redirect to resgatarponto[.]me.
Below are the other URLs connected to the initial URL.
By the way, I checked how the Livelo domain was registered and which DNS server is responsible for it.
The fake domain uses different DNS servers.
Dynamic Analysis
Next I used https://urlquery.net to check what happens when the URL found inside the PDF is opened.
It performs two redirects to other URLs:
Then I opened the PDF in my Flare-VM to do the dynamic analysis.
Behind the "Clique Aqui" (click here) button I found the initial link. When I clicked it, I was redirected to other sites, as shown in the screenshot below.
As we can see above, the site asks the visitor to enter a CPF, the unique document number used for identification in Brazil. After that I was redirected to other pages asking for my bank account details. At this point the bank account credentials are stolen, as shown in the image below.
This is a simple attack that has victimized many users who do not pay attention to the details of the e-mail.
Recommendations
Tools used
Head of Information Security
1y · Very good! Congratulations Zoziel F. Go Hard!!!
Cyber Security Manager | BlueTeam | ITIL | CHFI
1y · Very good, bro, excellent analysis.
Director of Purple Team, Offensive & Application Security
1y · Very good analysis, Zozi! I'm waiting for the next ones!
Cyber Security Specialist at Vivo (Telefônica Brasil)
1y · This is the kind of content that always deserves lots of reposts! Great!
Cyber Security Manager | Spearheading Advanced Threat Mitigation & Strategic IT Defenses | Innovator in AI-Enhanced Security Solutions | Threat Hunting and Intel | Social Engineer Specialist | LPI3 Specialist
1y · good job