April 10, 2021

Interesting Behaviour on a Malicious File

Yesterday while in work, I was reviewing some files that were reported to us by non-IT people to see if they were malicious. One file in particular drew my attention. From the email, the file was showing as a .PDF file, so nothing unusual in that regard, yet when I downloaded it within a VM, the file extension changed to a .ISO file. Or at least, I think the file extension changed.

After looking over the file, I decided to delete it and start up a web debugging tool to watch the traffic within the VM. I could see that when I clicked on the download button in Gmail, there was a call out to OneDrive, but it was then redirected to another site, which I then assumed the file was on, and the file was then auto-downloaded to my VM.

My question is: has anyone ever seen this capability before, of a file’s extension being changed when it was downloaded? Or is it simply the case that the .PDF was downloaded but then immediately deleted once the call was made to that secondary site and the .ISO file was downloaded? I’ve checked the recycle bin, but the PDF isn’t there, so I’m not sure which explanation is the right one.

I’ve taken screenshots of the email as well as the results of running the .ISO file within App Any Run, which showed what the file did once it was run. Links to the screenshots are below; any insight would be appreciated.







Very interesting. Following this thread for insight from ppl more knowledgeable than I.


