Phishing PDF Files Downloading Malicious Packages

by Prapattimynk, Wednesday, 8 November 2023 (4 months ago)
Phishing PDF Files Downloading Malicious Packages

AhnLab Security Emergency response Center (ASEC) observed the distribution of PDF files that contain malicious URLs. The domains linked from the PDF files indicate that similar PDFs are being distributed under the guise of downloading certain games or crack versions of program files. Below is a list of some of the PDF files that are being distributed.

  • Far-Cry-3-Multiplayer-Crack-Fix.pdf
  • STDISK-Activator-Free-Download-X64.pdf
  • Hungry-Shark-World-360-Apk-MOD-Diamond-Coin-Data-Free-Download-FULL.pdf
  • Video-Pad-Video-Editor-Free-Download-TOP-Full-Version.pdf
  • Roblox-Gift-Card-2018-Projected.pdf
  • minecraft-the-island-part-2.pdf

Clicking the button within the distributed PDF files connects users to a malicious URL. The figure below is the screen that is displayed upon opening a PDF file. Clicking any of the two buttons shaded in red leads to the following URL.

  • hxxps://fancli[.]com/21czb7
Figure 1. Malicious PDF

At the connected link, users are redirected to the following URL.

  • hxxps://pimlm[.]com/c138f0d7e1c8a70876e510fcbb478805FEw1MBufh9gLOVv4erOokBCFouvPxBIEeH3DBT3gv3

The figure below shows the website the users are redirected to. Clicking the blue download button downloads an encrypted compressed file and redirects users to a page that displays the password for decryption.

Figure 2. The page redirected from hxxps://fancli[.]com/21czb7

The redirected page displays the string “Archive password: 1234” for decryption to prompt users to decompress and execute the encrypted file. The figure below is the screen that displays the password for decompression after the users are redirected from the file downloading address.

Figure 3. Redirected page

Upon decompressing the downloaded file “Setup.7z” using the password, the File.exe in the figure shown below is created. 

Figure 4. Decompressed File.exe

When the File.exe process is run with admin privileges, the registry value is modified as shown below to disable Windows Defender.

* HKLMSOFTWAREPoliciesMicrosoftWindows Defender:DisableAntiSpyware=1

In addition, IP and location information is stolen using the browser login information of the infected PC and an IP location information API website. Then, additional malware are downloaded in the path below.

  • C:Users%USERNAME%Pictures
  • C:Users%USERNAME%PicturesMinor Policy

The downloaded malware types vary from ransomware PUP, Infostealers, droppers, and more. Some of the downloaded files have their properties set to hidden and system. The figure below is the screenshot of some of the malicious files that are downloaded.

Figure 5. Additional files downloaded by the File.exe malware

As shown in the schematic below, the overall flow of malware distribution goes from a PDF file that contains the initial malicious URL for prompting users to download and execute the malware. The malware downloads and executes numerous other malware such as ransomware, adware, and Infostealers.

Figure 6. Overall schematic of malware distribution

In particular, the malware that is downloaded from hxxp://109.107.182[.]2/race/bus50.exe is an SFX file comprised of a CAB file. When the SFX file is executed, a file that performs malicious behaviors and another SFX file are created in the “IXP000.TMP” folder under the %TEMP% path. The SFX file in the subfolder creates folders with names in which the numbers behind the “IXP” string increase (such as “IXP001.TMP”) under the %TEMP% path and results in the creation of subfiles. This process is repeated until a total of 6 SFX files and 7 additional malware are created.

Figure 7. Execution flow of the SFX-type malware

An SFX file in CAB format was introduced in the ASEC Blog in 2021.

Many files with similar formats are being distributed aside from the ones introduced in the ASEC Blog. Users must refrain from using crack and illegal programs and proceed with caution when executing files.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below. The IOCs are listed on this post as well.

Figure 8. Detection and blocking by V3
Figure 9. SFX file behavior detection and blocking by V3

[File Detection]

  • Phishing/PDF.Generic (2023.10.25.02)
  • Downloader/Win.BeamWinHTTP.C5530057 (2023.10.25.02)
  • Dropper/Win.Generic.X2198 (2023.10.31.00)
  • Trojan/Win.RedLine.R619129 (2023.10.31.01)

[Behavior Detection]


Hash (MD5)

  • d97fbf9d6dd509c78308731b0e57875a (PDF)
  • 9ce00f95fb670723dd104c417f486f81 (File.exe)
  • 3837ff5bfbee187415c131cdbf97326b (SFX)
  • 7e88670e893f284a13a2d88af7295317 (RedLine)

Download URLs

  • hxxps://vk[.]com/doc493219498_672808805?hash=WbT8ERQ6JqZtcpYqYQ1dqT20VUT6H55UBeZPohjBEcL&dl=OZT9YtCLo5wh0Asz409V6q2waoA5QzfpbHWRNw1XuN4&api=1&no_preview=1
  • hxxp://171.22.28[.]226/download/Services.exe
  • hxxp://109.107.182[.]2/race/bus50.exe
  • hxxp://albertwashington[.]icu/timeSync.exe
  • hxxps://experiment[.]pw/setup294.exe
  • hxxps://sun6-22.userapi[.]com/c909518/u493219498/docs/d15/e2be9421af16/crypted.bmp?extra=B1RdO-HpjVMqjnLdErJKOdzrctd5D25TIZ1ZrBNdsU03rpLayqZ7hZElCroMxCocAIAu5NtmHqMC_mi0SftWWlSiCt45Em-FJQwMgKimJjxdYqtQzgUWp3F9Fo0vrbdrH_15KJlju51Y3LM

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.