Trojan:HTML/Pdfphish.A
First posted on 25 November 2015.
Source: Microsoft
Aliases: There are no other names known for Trojan:HTML/Pdfphish.A.
Explanation:
Threat behavior
Installation
This threat is a malicious PDF file that uses social engineering to target enterprise users and steal their enterprise domain credentials.
It usually arrives attached to an email. We have seen the attachment use the following file names:
- Help Desk.pdf
- In a course to increase the Security of your mailbo1.pdf
- In a course to increase the Security of your mailbox.pdf
- IT Notification.pdf
- IT Scheduled Maintenance.pdf
- Mailbox Support Centre.pdf
- Mailbox Maintenance Schedule.pdf
- Mailbox Maintenance Schedule (2).pdf
- Your email account was just used to sign in from chrome on Windows.pdf
- Your network and email password will expire in 7 days.pdf
The PDF asks you to enter your enterprise domain credentials. We have seen the attachment use the following format:
Payload
Steals enterprise credentials
Clicking the link in the malicious PDF opens your web browser to a fake login website. We have seen this website hosted on various subdomains of jimdo.com.
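As an added, defender-side example that is not part of the Microsoft write-up: a small Python triage script that applies the two indicators described above (the reported attachment names, and a link whose host is a subdomain of jimdo.com) to constructed mail-gateway log lines in a hypothetical key=value format.

```python
import re
from urllib.parse import urlparse
# Attachment names reported for this threat in the write-up above; the "(2)"
# copy variant is folded in by normalize_name().
KNOWN_LURE_NAMES = {
    "help desk.pdf",
    "in a course to increase the security of your mailbo1.pdf",
    "in a course to increase the security of your mailbox.pdf",
    "it notification.pdf",
    "it scheduled maintenance.pdf",
    "mailbox support centre.pdf",
    "mailbox maintenance schedule.pdf",
    "your email account was just used to sign in from chrome on windows.pdf",
    "your network and email password will expire in 7 days.pdf",
}
LURE_HOST_SUFFIX = ".jimdo.com"  # credential page seen on subdomains of jimdo.com

def normalize_name(name: str) -> str:
    """Lower-case, collapse whitespace and drop a ' (N)' copy suffix."""
    name = re.sub(r"\s+", " ", name.strip().lower())
    return re.sub(r" \(\d+\)(?=\.pdf$)", "", name)

def is_lure_attachment(name: str) -> bool:
    return normalize_name(name) in KNOWN_LURE_NAMES

def is_lure_url(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(LURE_HOST_SUFFIX)

# Constructed mail-gateway log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
msgid=1 from=helpdesk@example.invalid attachment="Mailbox Maintenance Schedule (2).pdf" url=-
msgid=2 from=alice@example.invalid attachment="Q3 report.pdf" url=-
msgid=3 from=it-support@example.invalid attachment="invoice.pdf" url=http://owalog.jimdo.com/
msgid=4 from=bob@example.invalid attachment=- url=https://intranet.example.invalid/login
"""
LINE_RE = re.compile(r'msgid=(?P<id>\d+) .*?attachment=(?:"(?P<q>[^"]*)"|(?P<u>\S+)) url=(?P<url>\S+)')

def flag_messages(log_text: str) -> dict:
    """Return {msgid: [reasons]} for messages matching either indicator."""
    hits = {}
    for m in LINE_RE.finditer(log_text):  # one match per log line
        att, url, reasons = m.group("q") or m.group("u"), m.group("url"), []
        if att != "-" and is_lure_attachment(att):
            reasons.append(f"lure attachment name: {att}")
        if url != "-" and is_lure_url(url):
            reasons.append(f"credential page host: {urlparse(url).hostname}")
        if reasons:
            hits[int(m.group("id"))] = reasons
    return hits
```

A hit on either indicator is a reason to pull the message for review and to check whether the recipient followed the link, not proof of compromise on its own.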
The website asks for your:
- Domain
- User name
- Email address
- Password
An example of this website is shown below:
If you enter your credentials, the website thanks you for your time and tells you that you will be contacted at a later date.
Depending on the enterprise security configuration in place, the attacker may be able to use the stolen credentials to:
- Log on to steal and send emails from the breached account
- Remotely log on to the breached PC, install malware on it, and further infect the network
Affected users should reset their domain credentials, and have their workstations and email activity audited for malicious remote access.
Analysis by Geoff McDonald
Symptoms
Alerts from your security software might be the only symptom you'll get.
Last update 25 November 2015