portlander.blogg.se

Pestudio and severity indicator

We recently received samples that we suspected were “phishy” in nature, but after analyzing the email attachment a severe threat was exposed. The emails had a ZIP attachment containing an HTML that was designed to look like an invoice signed by DocuSign, which is a well-known service that allows organizations to manage electronic agreements securely.

Figure 1.1 DocuSign themed invoice for review

Unfortunately, because it is widely used, this service is often used as a theme in phishing or targeted malware campaigns. Viewing the source of the HTML page reveals that a file named “ProformaInvoice.zip” will be saved to the disk, mimicking a downloaded file.

Figure 2. Excerpt of the script code found in the phishing HTML

Clicking Alternative_View.OnlineWeb_. The AdobeSign.pdf is not actually a PDF, but an encrypted file, which is decrypted by the ClientSignature.vbs.

Figure 3.

A quick look at the contents of the pdf suggested that it was encrypted using XOR with a single byte key. To confirm that the PDF file was indeed encrypted using XOR, we needed to analyze the VBS file. The contents of the file were filled with the Attribution-ShareAlike 4.0 International license as line comments, and in between them is the actual VBS code. Cleaning up the file revealed that the actual code was just six lines. The content of the variable “DocuSign”, which was delimited by a “ ”, was decrypted using a simple algorithm.
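As an added example (not code from the original post), the two analysis steps described above in Python: recovering a single-byte XOR key from an encrypted "PDF" by checking each candidate plaintext for known file magic, and stripping license line comments from a VBS file to expose the few real statements. The sample blob, the key 0x5A and the VBS lines are constructed here; the campaign's actual files are not on the page.

```python
"""Added example (not from the original post): recover a single-byte XOR key
from an 'AdobeSign.pdf'-style blob and strip line comments from a VBS dropper.
Sample data below is constructed; key 0x5A and payload are not from the campaign."""

# Magic bytes a real payload would start with; a candidate key is accepted
# only if the decrypted data begins with one of these.
KNOWN_MAGIC = {
    b"MZ": "PE executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive",
}

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def recover_xor_key(blob: bytes):
    """Try all 256 keys; return (key, file_type) for the first key whose
    plaintext starts with a known magic value, or None if nothing matches."""
    for key in range(256):
        head = xor_single_byte(blob[:4], key)
        for magic, kind in KNOWN_MAGIC.items():
            if head.startswith(magic):
                return key, kind
    return None

def strip_vbs_comments(script: str) -> list:
    """Drop blank lines and VBS line comments (' or REM) so the few real
    statements buried between license text stand out."""
    code = []
    for line in script.splitlines():
        s = line.strip()
        if not s or s.startswith("'") or s.upper().startswith("REM "):
            continue
        code.append(s)
    return code

# Constructed sample: a fake PE-like payload XOR-encrypted with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed payload body"
SAMPLE_BLOB = xor_single_byte(SAMPLE_PLAIN, SAMPLE_KEY)

# Constructed sample: two statements hidden between license-style comments.
SAMPLE_VBS = """' Attribution-ShareAlike 4.0 International (constructed stand-in)
Dim DocuSign
' more license text as line comments
REM another comment line
WScript.Echo DocuSign
"""
```

Because the key is fixed, a real sample can be checked the same way by reading the file bytes into `recover_xor_key`; a `None` result means the payload's header is not in the magic table, not that the file is unencrypted.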