PDF files are commonly used for their versatility, making them a prime target for malware delivery because they can embed malicious scripts or links.
Their widespread use and trusted reputation make users more susceptible to opening infected PDFs without knowledge or intent.
Cybersecurity analysts at AhnLab Security Emergency Response Center (ASEC) have discovered that hackers are actively using PDF files as a delivery method for various ransomware variants.
The hackers distributed weaponized PDF files that contained malicious URLs.
Hackers Weaponize PDF Files
A malicious URL can be accessed by clicking on buttons in PDFs. The presented screen prompts users, and clicking on the red buttons takes them to a certain URL.
Here below, we have mentioned the URL:-
- hxxps://fancli[.]com/21czb7
The link redirects to a URL with a blue download button. After downloading an encrypted file, users are redirected to a page where the decryption password is revealed.
Here below, we have mentioned the redirected URL:-
- hxxps://pimlm[.]com/c138f0d7e1c8a70876e510fcbb478805FEw1MBufh9gLOVv4erOokBCFouvPxBIEeH3DBT3gv3
After downloading, the page prompts users to decompress the encrypted file with the password ‘1234.’ Upon decompression of ‘Setup.7z,’ users find the executable file, “File.exe.”
Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
Executing File.exe as administrator changes the registry and uses browser login credentials to collect IP and location data. After that, further malware is downloaded to the designated location:-
- C:\Users\%USERNAME%\Pictures
- C:\Users\%USERNAME%\Pictures\Minor Policy
Here below, we have mentioned the contents of the downloaded malware:-
- Ransomware
- PUP
- Infostealers
- Droppers
Execution flow
A few of the downloaded files had hidden and system properties set. The flow starts from a PDF with a malicious URL, leading to the download and execution of various malware types.
The malicious file, “bus50.exe” from the following location is an SFX file containing a CAB file, and executing the SFX file creates malicious files in the ‘IXP000.TMP’ folder:-
- hxxp://109.107.182[.]2/race/bus50.exe
SFX files that come after one another create directories that contain more and more data, totaling-
- 6 SFX files
- 7 additional malware
As a recommendation, researchers urged to avoid downloading cracks and illegal programs and not only that, even during the execution of files, make sure to exercise strong caution.
IOC
Hash (MD5)
- d97fbf9d6dd509c78308731b0e57875a (PDF)
- 9ce00f95fb670723dd104c417f486f81 (File.exe)
- 3837ff5bfbee187415c131cdbf97326b (SFX)
- 7e88670e893f284a13a2d88af7295317 (RedLine)
Download URLs
- hxxps://vk[.]com/doc493219498_672808805?hash=WbT8ERQ6JqZtcpYqYQ1dqT20VUT6H55UBeZPohjBEcL&dl=OZT9YtCLo5wh0Asz409V6q2waoA5QzfpbHWRNw1XuN4&api=1&no_preview=1
- hxxp://171.22.28[.]226/download/Services.exe
- hxxp://109.107.182[.]2/race/bus50.exe
- hxxp://albertwashington[.]icu/timeSync.exe
- hxxps://experiment[.]pw/setup294.exe
- hxxps://sun6-22.userapi[.]com/c909518/u493219498/docs/d15/e2be9421af16/crypted.bmp?extra=B1RdO-HpjVMqjnLdErJKOdzrctd5D25TIZ1ZrBNdsU03rpLayqZ7hZElCroMxCocAIAu5NtmHqMC_mi0SftWWlSiCt45Em-FJQwMgKimJjxdYqtQzgUWp3F9Fo0vrbdrH_15KJlju51Y3LM
Secures your storage & backup systems With StorageGuard – Watch a 40-second Video Tour.
