Yesterday while at work, I was reviewing some files that were reported to us by non-IT people to see if they were malicious. One file in particular drew my attention. From the email, the file was showing as a .PDF file, so nothing unusual in that regard, yet when I downloaded it within a VM, the file extension changed to .ISO. Or at least, I think the file extension changed.
After looking over the file I decided to delete it, start up a web debugging tool to watch the traffic within the VM, and could see that when I clicked on the download button in Gmail there was a call out to OneDrive, which then redirected to another site. I assumed the file was hosted on that site and was then auto-downloaded to my VM.
My question is, has anyone ever seen this capability before, of a file’s extension being changed when it was downloaded? Or is it simply the case that the .PDF was downloaded but then immediately deleted once the call was made to that secondary site and the .ISO file was downloaded? I’ve checked the recycle bin, though, and the PDF isn’t there, so I’m not sure which explanation is the right one.
I’ve taken screenshots of the email as well as the results of running the .ISO file within App Any Run, which showed what the file did once it was run. Links to the screenshots are below; any insight would be appreciated.