Inspecting a malicious PDF

Asphyxia

Apr 25, 2015
I am relaxing when a PDF pops up and I have to inspect this file.

I open said PDF in Notepad++ and search "http".

I find a link to view-source:http : //monks dot org /cache/rZSOPqvMEj/bolero_Haplodoci.html

I have of course added this link, so http : //monks dot org /cache/rZSOPqvMEj/bolero_Haplodoci.html is the actual link, but be careful.

Code:
<head>
<meta name="description" content="ok file uploaded">
<meta http-equiv="refresh" content="0;URL=https://loubanas.xyz/3wFzHB"/>
</head>
<body>
<!-- Hello! -->
</body>

Now we know this just redirects to loubanas, wtf is this?

Time to use view-source again on https : //loubanas . xyz/3wFzHB (ALSO DO NOT CLICK): view-source:https : //loubanas . xyz/3wFzHB

Code:
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta charset="UTF-8"><meta content="origin" name="referrer"><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp" name="robots"

We can beautify the above to read it more easily.

Unfortunately, it would appear that when you load the website hosted by 49.51.172.149 (Tencent owned), you are 302 redirected to Google. This is pretty freakin' weird!

What are they doing? The name of the attached generated PDF is Unpaid_Inv#547Y.pdf

They are most probably just mass-mailing everyone: open the PDF, click, and redirect.


Very damn strange.

Code:
*Possibly malicious web addresses below*
https://loubanas.xyz/3wFzHB
http://monks.org/cache/rZSOPqvMEj/bolero_Haplodoci.html

In other cases, you may find this redirects to malicious software or a cryptominer. Make sure to use this URL scanning tool to check any and all links/redirects you find for malware:

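Added example, not the poster's code or tooling: a small Python triage script that does what the post does by hand, namely pull URLs out of a PDF and read a meta-refresh hop out of the fetched HTML, without opening anything in a browser. It adds two checks a manual search for "http" in Notepad++ misses: it inflates /FlateDecode streams, where URLs are often hidden from a plain text search, and it counts the action keys (/OpenAction, /JavaScript, /Launch and friends) that make a PDF do something when opened. The PDF and HTML it runs on are constructed inline; hidden.invalid and example.invalid are placeholder hosts, and the two real URLs are the ones quoted in the post. Nothing is fetched.

```python
import re
import zlib
from html.parser import HTMLParser

# Keys that make a PDF act on open or carry active content. Their presence is a
# triage signal, not proof of malice.
SUSPECT_KEYS = (b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS",
                b"/URI", b"/SubmitForm", b"/EmbeddedFile", b"/RichMedia")
URL_RE = re.compile(rb"https?://[^\s()<>\"'\]]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def iter_stream_bodies(pdf: bytes):
    """Yield each stream body, inflating /FlateDecode streams so URLs inside
    compressed objects become visible. Heuristic, not a full PDF parser."""
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 256):m.start()]  # stream dictionary sits just before 'stream'
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # damaged or multiply filtered: fall back to the raw bytes
        yield body


def extract_urls(pdf: bytes) -> list[str]:
    """All http(s) URLs in the raw file plus those inside inflated streams."""
    found = set(URL_RE.findall(pdf))
    for body in iter_stream_bodies(pdf):
        found.update(URL_RE.findall(body))
    return sorted(u.decode("latin-1") for u in found)


def suspicious_keys(pdf: bytes) -> dict[str, int]:
    """Occurrence count of each active-content key present in the file."""
    return {k.decode(): pdf.count(k) for k in SUSPECT_KEYS if k in pdf}


class _RefreshFinder(HTMLParser):
    """Collect <meta http-equiv="refresh"> targets; nothing is fetched or run."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1).strip())


def next_hop(html: str):
    """Return the first meta-refresh destination in a page, or None."""
    p = _RefreshFinder()
    p.feed(html)
    return p.targets[0] if p.targets else None


# --- constructed samples (not the files from the post) -----------------------
# A content stream compressed with FlateDecode; hidden.invalid is a placeholder host.
_HIDDEN = zlib.compress(b"BT (see http://hidden.invalid/stage2) Tj ET")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 7 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /URI /URI (http://monks.org/cache/rZSOPqvMEj/bolero_Haplodoci.html) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://loubanas.xyz/3wFzHB) >> >> endobj\n"
    b"6 0 obj << /S /JavaScript /JS (app.launchURL\\(\"https://example.invalid/js\"\\)) >> endobj\n"
    b"7 0 obj << /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _HIDDEN + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# The redirect page quoted in the post, reproduced as a constructed string.
SAMPLE_HTML = """<head>
<meta name="description" content="ok file uploaded">
<meta http-equiv="refresh" content="0;URL=https://loubanas.xyz/3wFzHB"/>
</head>
<body>
<!-- Hello! -->
</body>
"""

if __name__ == "__main__":
    print("active-content keys:", suspicious_keys(SAMPLE_PDF))
    for url in extract_urls(SAMPLE_PDF):
        print("url:", url)
    print("meta-refresh next hop:", next_hop(SAMPLE_HTML))
```

The stream-inflation step is the one that matters in practice: the same script run with a plain `URL_RE.findall(SAMPLE_PDF)` never sees the hidden.invalid URL, because it only exists inside the compressed object. Real samples stack filters (/ASCIIHexDecode, /LZWDecode) and hide strings in object streams; for those, hand the file to a real PDF parser instead of extending the regex.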