Phishing PDF Files Downloading Malicious Packages – ASEC BLOG

ASEC observed PDF-based phishing campaigns distributing files that lure users to malicious URLs, triggering a chain that downloads and executes more payloads. The flow includes decryption prompts, admin-level execution, Defender evasion, browser credential theft, and cascading downloads of various malware families, including ransomware and infostealers. hashtags: #RedLine #Fancli #Pimlm #AhnLab #V3

Keypoints

  • The phishing lure is a set of distributed PDFs that claim to offer games or cracks to entice users.
  • Clicking inside the PDF leads to a malicious URL, initiating a redirect chain.
  • The redirected page exposes an “Archive password: 1234” prompt to decompress an encrypted file.
  • Decompression yields File.exe, which, when run with admin rights, modifies the registry to disable Windows Defender.
  • The malware steals browser-based login information to obtain IP/location data and downloads additional threats to user folders.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Attachment – PDFs distributed with malicious URLs lure users to click a link. “Clicking the button within the distributed PDF files connects users to a malicious URL.”
  • [T1204] User Execution – User action (clicking inside the PDF) triggers the malware download chain. “Clicking the button within the distributed PDF files connects users to a malicious URL.”
  • [T1105] Ingress Tool Transfer – Additional malware downloaded from remote servers after initial execution. “additional malware are downloaded in the path below.”
  • [T1562.001] Impair Defenses – Registry change to disable Windows Defender. “the registry value is modified as shown below to disable Windows Defender. * HKLM\SOFTWARE\Policies\Microsoft\Windows Defender:DisableAntiSpyware=1”
  • [T1555.003] Credentials in Web Browsers – Theft of browser login information to obtain IP/location data. “IP and location information is stolen using the browser login information…”
  • [T1027] Obfuscated/Compressed Files – Encrypted/compressed archive used with a password to decrypt and access payload. “Archive password: 1234” and the encrypted file prompt/decrypt flow.
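As an added defensive example (not code from the ASEC post), the following Python checks Sysmon Event ID 13 (registry value set) records for the Defender policy change listed under T1562.001 above; the event records, process paths and field layout are constructed assumptions modelled on Sysmon's schema.

```python
import re

# Policy key and value the post reports being set to disable Defender (T1562.001).
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
TARGET_VALUE = "DisableAntiSpyware"

# Sysmon formats DWORD data in the Details field as "DWORD (0x........)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Constructed Sysmon Event ID 13 records (assumed sample data, not from the post).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\File.exe",
     "TargetObject": DEFENDER_POLICY_KEY + "\\" + TARGET_VALUE,
     "Details": "DWORD (0x00000001)"},          # disables Defender: should alert
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "updater.exe"},                 # unrelated key: ignore
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": DEFENDER_POLICY_KEY + "\\" + TARGET_VALUE,
     "Details": "DWORD (0x00000000)"},          # value 0 re-enables: ignore
]


def dword_value(details):
    """Return the integer in a Sysmon DWORD Details string, or None if not a DWORD."""
    match = DWORD_RE.fullmatch(details.strip())
    return int(match.group(1), 16) if match else None


def is_defender_disable(event):
    """True when a value-set event writes DisableAntiSpyware=1 under the policy key."""
    if event.get("EventID") != 13:
        return False
    key, _, name = event.get("TargetObject", "").rpartition("\\")
    if key.lower() != DEFENDER_POLICY_KEY.lower():
        return False
    if name.lower() != TARGET_VALUE.lower():
        return False
    return dword_value(event.get("Details", "")) == 1


def find_defender_tampering(events):
    """Return the image paths of processes that set DisableAntiSpyware=1."""
    return [e["Image"] for e in events if is_defender_disable(e)]


if __name__ == "__main__":
    for image in find_defender_tampering(SAMPLE_EVENTS):
        print("Defender policy tampering by", image)
```

The same check maps directly onto a Sysmon or SIEM rule keyed on TargetObject and Details, which is where it belongs in production.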

Indicators of Compromise

  • [Hash (MD5)] – d97fbf9d6dd509c78308731b0e57875a, 9ce00f95fb670723dd104c417f486f81, and 2 more hashes (PDF, File.exe, SFX, RedLine)
  • [URL] – hxxps://vk[.]com/doc493219498_672808805?hash=WbT8ERQ6JqZtcpYqYQ1dqT20VUT6H55UBeZPohjBEcL&dl=OZT9YtCLo5wh0Asz409V6q2waoA5QzfpbHWRNw1XuN4&api=1&no_preview=1, hxxp://171.22.28[.]226/download/Services.exe, hxxp://109.107.182[.]2/race/bus50.exe, hxxp://albertwashington[.]icu/timeSync.exe, hxxps://experiment[.]pw/setup294.exe, hxxps://sun6-22.userapi[.]com/c909518/u493219498/docs/d15/e2be9421af16/crypted.bmp?extra=B1RdO-HpjVMqjnLdErJKOdzrctd5D25TIZ1ZrBNdsU03rpLayqZ7hZElCroMxCocAIAu5NtmHqMC_mi0SftWWlSiCt45Em-FJQwMgKimJjxdYqtQzgUWp3F9Fo0vrbdrH_15KJlju51Y3LM
  • [Domain] – fancli[.]com, pimlm[.]com (domains used in the redirection flow)
  • [IP] – 109.107.182[.]2, 171.22.28[.]226 (hosts used in the download/redirect steps)
  • [FileName] – File.exe, Setup.7z (extracted/used in malware installation)

Read more: https://asec.ahnlab.com/en/58660/