Another PDF Viewer – Is It Malicious?


This article examines a suspicious PDF viewer application suspected of being linked to DPRK malware. It walks through a detailed analysis of an application named “Dedicated PDF Viewer” and the PDF file that accompanies it. Although the viewer does not appear to be outright malicious, it raises concerns because some of its distinctive features are tied to known malicious activity.

Affected: PDF viewer applications, DPRK-related malware detection

Key points:

  • The “Dedicated PDF Viewer” requires a specific application to open and extract encrypted embedded PDFs.
  • The application has been detected as potentially malicious on VirusTotal, with ties to previous DPRK malware.
  • A README file hints that the viewer was created as part of a computer science project.
  • The use of a unique XOR key, previously associated with DPRK malware, adds to its suspicious nature.
  • An open-source counterpart, available on GitHub, provides insight into the original functionalities of the application.

MITRE Techniques:

  • TA0040: Reconnaissance – The application checks for specific PDF files to determine whether it can open them.
  • T1106: Native API (Execution) – Uses the Cocoa framework API for file management and PDF handling.
  • T1055: Process Injection – Not stated explicitly in the analysis; the application accesses protected content, which indicates the potential for similar malicious activity.
  • T1486: Data Encrypted for Impact – The application uses XOR encryption to obfuscate the data embedded in the PDF.

Indicators of Compromise:

  • [File] Dedicated PDF Viewer.app.zip – 095184b6559bbe2e2fef999834d6905708ae254064193540d051f8c23910dfa6
  • [File] OSX-PDF-Viewer Mach-O – 6c925e2a39e8312c704575af4ad7fe75f161e73f92ffda6b9abd3663b6c789d4
  • [File] Investment Opportunity – Fenbushi Capital.pdf – 743bd4c36afdcfaff4508fd613a4f4eee71d2e0bc5a31deb1c170d1039c953ae
  • [File] Decrypted PDF – 37e6d18ba339b3efa5dd26e143af8bbeb8eefabbc4cfab72e6150e3bc3290b31
  • [Repository] Open Source Related Project – https://github.com/PatrickSkinner/OSX-PDF-Viewer

Full Story: https://blog.kandji.io/another-pdf-viewer-is-it-malicious