Resubmissions

  • 24/06/2024, 02:10   240624-cl1mqavcpg   10
  • 24/06/2024, 01:48   240624-b78d1stgjd   10

General

  • Target: evil.pdf
  • Size: 144KB
  • MD5: 894da0f85f06457707ce5c0707d1987d
  • SHA1: a76ef4c01108f9faa7e1bcaa32a95a57b3cfa638
  • SHA256: 44511535438002e9fedf7203018067e3c806e38d9dfffcdbb0e1dd540d97549f
  • SHA512: d42578a77ee8f67bcb3de028ecb5cfa4ff9e92aebf4e428a39b1e3dbcb8faf6cd56e5fd8d783a7619e4d6b0865ce86a329e0e1c55bd1dd3b614c30e1c276e7d5
  • SSDEEP: 3072:aiuKqbFks+DtTE+8kGuBz8YtXbSsR/8Wp13zgLNZHjV+4kI7wS:tw4tnGIz8ib9xv18PHjVX7wS

Malware Config

Extracted

  • Family: metasploit
  • Version: windows/download_exec
  • C2: http://tmpfiles.org:443/dl/8526939/putty.exe

Signatures

  • Metasploit family
  • PDF contains JavaScript

    Detects presence of JavaScript in PDF files.

  • PDF contains one or more embedded files

    Detects presence of embedded files in PDF files.

  • HTTP links in PDF interactive object (1 IoC)

    Detects HTTP links in interactive objects within PDF files.

  • One or more HTTP URLs in PDF identified

    Detects presence of HTTP links in PDF files.

  • Unsigned PE (1 IoC)

    Checks for missing Authenticode signature.

Files

  • evil.pdf (.pdf)
    • http://i.imgur.com/qPEFD7Z.gif
    • http://i.imgur.com/wm3CpTT.jpg
    • https://emkei.cz/

  • Spreading.pdf (.exe, windows:4 windows x86 arch:x86)
    MD5: 481f47bbb2c9c21e108d65f52b04c448