(844) 627-8267 | Info@NationalCyberSecurity
(844) 627-8267 | Info@NationalCyberSecurity

PDF Files Weaponized to Deliver Multiple Ransomware Variants | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

PDF files are commonly used for their versatility, making them a prime target for malware delivery because they can embed malicious scripts or links. 

Their widespread use and trusted reputation make users more susceptible to opening infected PDFs without knowledge or intent.


Cybersecurity analysts at AhnLab Security Emergency Response Center (ASEC) have discovered that hackers are actively using PDF files as a delivery method for various ransomware variants.

The hackers distributed weaponized PDF files that contained malicious URLs.

Hackers Weaponize PDF Files

A malicious URL can be accessed by clicking on buttons in PDFs. The presented screen prompts users, and clicking on the red buttons takes them to a certain URL.

Malicious PDF (Source – ASEC)

Here below, we have mentioned the URL:-

  • hxxps://fancli[.]com/21czb7

The link redirects to a URL with a blue download button. After downloading an encrypted file, users are redirected to a page where the decryption password is revealed.

Redirected page (Source – ASEC)

Here below, we have mentioned the redirected URL:-

  • hxxps://pimlm[.]com/c138f0d7e1c8a70876e510fcbb478805FEw1MBufh9gLOVv4erOokBCFouvPxBIEeH3DBT3gv3

After downloading, the page prompts users to decompress the encrypted file with the password ‘1234.’ Upon decompression of ‘Setup.7z,’ users find the executable file, “File.exe.”


Protect Your Storage With SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Executing File.exe as administrator changes the registry and uses browser login credentials to collect IP and location data. After that, further malware is downloaded to the designated location:-

  • C:\Users\%USERNAME%\Pictures
  • C:\Users\%USERNAME%\Pictures\Minor Policy

Here below, we have mentioned the contents of the downloaded malware:-

Execution flow

A few of the downloaded files had hidden and system properties set. The flow starts from a PDF with a malicious URL, leading to the download and execution of various malware types.

Malware distribution (Source – ASEC)

The malicious file, “bus50.exe” from the following location is an SFX file containing a CAB file, and executing the SFX file creates malicious files in the ‘IXP000.TMP’ folder:-

  • hxxp://109.107.182[.]2/race/bus50.exe

SFX files that come after one another create directories that contain more and more data, totaling-

  • 6 SFX files
  • 7 additional malware
Execution flow (Source – ASEC)

As a recommendation, researchers urged to avoid downloading cracks and illegal programs and not only that, even during the execution of files, make sure to exercise strong caution.


Hash (MD5)

  • d97fbf9d6dd509c78308731b0e57875a (PDF)
  • 9ce00f95fb670723dd104c417f486f81 (File.exe)
  • 3837ff5bfbee187415c131cdbf97326b (SFX)
  • 7e88670e893f284a13a2d88af7295317 (RedLine)

Download URLs

  • hxxps://vk[.]com/doc493219498_672808805?hash=WbT8ERQ6JqZtcpYqYQ1dqT20VUT6H55UBeZPohjBEcL&dl=OZT9YtCLo5wh0Asz409V6q2waoA5QzfpbHWRNw1XuN4&api=1&no_preview=1
  • hxxp://171.22.28[.]226/download/Services.exe
  • hxxp://109.107.182[.]2/race/bus50.exe
  • hxxp://albertwashington[.]icu/timeSync.exe
  • hxxps://experiment[.]pw/setup294.exe
  • hxxps://sun6-22.userapi[.]com/c909518/u493219498/docs/d15/e2be9421af16/crypted.bmp?extra=B1RdO-HpjVMqjnLdErJKOdzrctd5D25TIZ1ZrBNdsU03rpLayqZ7hZElCroMxCocAIAu5NtmHqMC_mi0SftWWlSiCt45Em-FJQwMgKimJjxdYqtQzgUWp3F9Fo0vrbdrH_15KJlju51Y3LM

Secures your storage & backup systems With StorageGuard – Watch a 40-second Video Tour.


Click Here For The Original Source.

National Cyber Security