
Trojan:HTML/Pdfphish.A


First posted on 25 November 2015.
Source: Microsoft

Aliases:

There are no other names known for Trojan:HTML/Pdfphish.A.

Explanation:

Threat behavior

Installation

This threat is a malicious PDF file that relies on social engineering rather than an exploit: it lures enterprise users into following a link and entering their enterprise domain credentials on a fake login page.

It usually arrives attached to an email. We have seen the attachment use the following file names:

  • Help Desk.pdf
  • In a course to increase the Security of your mailbo1.pdf
  • In a course to increase the Security of your mailbox.pdf
  • IT Notification.pdf
  • IT Scheduled Maintenance.pdf
  • Mailbox Support Centre.pdf
  • Mailbox Maintenance Schedule.pdf
  • Mailbox Maintenance Schedule (2).pdf
  • Your email account was just used to sign in from chrome on Windows.pdf
  • Your network and email password will expire in 7 days.pdf


The PDF asks you to enter your enterprise domain credentials. We have seen the attachment use the following format:



Payload

Steals enterprise credentials


Clicking the link in the malicious PDF opens your web browser to a fake login website. We have seen this website hosted on various subdomains of jimdo.com, for example:

  • 90.jimdo.com
  • accessout.jimdo.com
  • accessup.jimdo.com
  • adm.jimdo.com
  • help0.jimdo.com
  • helpce.jimdo.com
  • helpde.jimdo.com
  • helping4.jimdo.com
  • helpyu3.jimdo.com
  • infohelp.jimdo.com
  • ithelpd76211.jimdo.com
  • ithelpo.jimdo.com
  • jjdes.jimdo.com
  • jma.jimdo.com
  • oi.jimdo.com
  • owa41.jimdo.com
  • owa8.jimdo.com
  • owaj.jimdo.com
  • owalog.jimdo.com
  • owj.jimdo.com
  • updatek.jimdo.com
  • youme.jimdo.com


The website asks for your:

  • Domain
  • User name
  • Email address
  • Password


An example of this website is shown below:



If you enter your credentials, the website thanks you for your time and tells you that you will be contacted at a later date.

Depending on the enterprise security configuration in place, the attacker may be able to use the stolen credentials to:

  • Log on to steal and send emails from the breached account
  • Remotely log on to the breached PC, install malware on it, and further infect the network


Affected users should reset their domain credentials, and have their workstations and email activity audited for malicious remote access.
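Because the PDF carries only a link, a triage check can extract the /URI actions from the file without rendering it and compare the link hosts and the attachment name against the indicators listed above (both the lure file names and the jimdo.com subdomains). The following is an added example, not Microsoft's detection logic; the minimal PDF it scans is constructed for the example, and the verdict tiers (malicious, suspicious, clean) are the example's own choice. jimdo.com is a legitimate free site host, so only the subdomains named on this page are treated as known-bad; any other jimdo.com host is reported as suspicious for an analyst to review.

```python
"""Triage helper for link-only PDF credential lures such as Trojan:HTML/Pdfphish.A."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Lure attachment names listed in the threat description.
LURE_FILENAMES = {
    "Help Desk.pdf",
    "In a course to increase the Security of your mailbo1.pdf",
    "In a course to increase the Security of your mailbox.pdf",
    "IT Notification.pdf",
    "IT Scheduled Maintenance.pdf",
    "Mailbox Support Centre.pdf",
    "Mailbox Maintenance Schedule.pdf",
    "Mailbox Maintenance Schedule (2).pdf",
    "Your email account was just used to sign in from chrome on Windows.pdf",
    "Your network and email password will expire in 7 days.pdf",
}

# Fake login pages were seen on these subdomains of the free host jimdo.com.
HOSTING_DOMAIN = "jimdo.com"
KNOWN_BAD_SUBDOMAINS = {
    "90", "accessout", "accessup", "adm", "help0", "helpce", "helpde",
    "helping4", "helpyu3", "infohelp", "ithelpd76211", "ithelpo", "jjdes",
    "jma", "oi", "owa41", "owa8", "owaj", "owalog", "owj", "updatek", "youme",
}
KNOWN_BAD_HOSTS = {f"{sub}.{HOSTING_DOMAIN}" for sub in KNOWN_BAD_SUBDOMAINS}

# /URI values appear as literal strings "(...)" or hex strings "<...>".
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_pdf_literal(raw: bytes) -> bytes:
    """Decode the escape sequences allowed inside a PDF literal string."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\" or i + 1 >= len(raw):
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 2
        elif nxt in (b"\r", b"\n"):  # backslash-newline is a line continuation
            i += 2
        else:
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            if m:  # octal escape \ddd
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
            else:  # unknown escape: keep the character itself
                out += nxt
                i += 2
    return bytes(out)


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the uncompressed parts of the file."""
    uris = [_unescape_pdf_literal(m.group(1)).decode("latin-1")
            for m in _URI_LITERAL.finditer(pdf_bytes)]
    for m in _URI_HEX.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # a trailing odd digit is padded with 0 per the PDF spec
            hexstr += b"0"
        uris.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return uris


def classify_host(uri: str) -> str:
    """known-bad: listed subdomain; suspicious: any other jimdo.com host; unknown: else."""
    host = (urlparse(uri).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return "known-bad"
    if host == HOSTING_DOMAIN or host.endswith("." + HOSTING_DOMAIN):
        return "suspicious"
    return "unknown"


def triage(filename: str, pdf_bytes: bytes) -> dict:
    """Combine the link-host verdicts with the attachment name into one verdict."""
    verdicts = {u: classify_host(u) for u in extract_uris(pdf_bytes)}
    lure_name = filename in LURE_FILENAMES
    bad = "known-bad" in verdicts.values()
    susp = "suspicious" in verdicts.values()
    if bad or (susp and lure_name):
        verdict = "malicious"
    elif susp or lure_name:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"filename": filename, "lure_name": lure_name,
            "uris": verdicts, "verdict": verdict}


# Constructed minimal PDF for the example (not a real sample): one page with a
# Link annotation whose /URI action points at a host from the list above.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 300 720]\n"
    b"   /A << /S /URI /URI (http://owa41.jimdo.com/) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage("IT Notification.pdf", SAMPLE_PDF))
```

The regex pass only sees objects stored uncompressed; a lure that places its annotation inside a Flate-compressed object stream has to be decompressed first (any PDF library that exposes raw objects will do), and the same host check is then applied to the decoded /URI values. Nothing in the check opens or renders the PDF, so it is safe to run on quarantined mail attachments.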



Analysis by Geoff McDonald

Symptoms

Alerts from your security software might be the only symptom you'll get.

Last update 25 November 2015

 
