Thursday, November 30, 2023

Hackers Weaponize PDF Files to Deliver Multiple Ransomware Variants

PDF files are commonly used for their versatility, making them a prime target for malware delivery because they can embed malicious scripts or links. 

Their widespread use and trusted reputation make users more susceptible to opening infected PDFs without knowledge or intent.

Cybersecurity analysts at AhnLab Security Emergency Response Center (ASEC) have discovered that hackers are actively using PDF files as a delivery method for various ransomware variants.

The hackers distributed weaponized PDF files that contained malicious URLs.

Hackers Weaponize PDF Files

The malicious URL is reached by clicking buttons embedded in the PDF: the displayed page prompts the user, and clicking the red buttons opens a specific URL.
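As an added illustration (not code from the article or from ASEC), the following Python routine performs byte-level triage of a PDF for the link mechanism described above: it extracts /URI action targets and flags /Launch and /JavaScript actions. The SAMPLE_PDF, the allowed_hosts parameter and the triage_pdf name are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF (not the sample from the article): a single page whose link
# annotation carries a /URI action, the mechanism behind the clickable "button" links.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://example.invalid/download?id=1234) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI value is either a (literal) string, possibly with escaped parens, or a <hex> string.
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")
LAUNCH_RE = re.compile(rb"/S\s*/Launch")
JS_RE = re.compile(rb"/S\s*/JavaScript|/JS\s*[(<]")


def decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal or hex string to text (latin-1 is sufficient for URLs)."""
    if raw.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", raw[1:-1])
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    body = raw[1:-1]
    return re.sub(rb"\\(.)", rb"\1", body).decode("latin-1")


def triage_pdf(pdf: bytes, allowed_hosts=()) -> dict:
    """Report outbound link targets and script/launch actions found in raw PDF bytes.

    Caveat: only uncompressed object dictionaries are visible to a byte-level scan;
    actions inside FlateDecode object streams must be decompressed first.
    """
    uris = [decode_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]
    external = [u for u in uris if urlparse(u).hostname not in allowed_hosts]
    has_launch = bool(LAUNCH_RE.search(pdf))
    has_js = bool(JS_RE.search(pdf))
    return {
        "uris": uris,
        "external_uris": external,
        "has_launch": has_launch,
        "has_javascript": has_js,
        "suspicious": has_launch or has_js or bool(external),
    }


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF, allowed_hosts=("intranet.example",)))
```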

Malicious PDF (Source – ASEC)

Here below, we have mentioned the URL:-


The link redirects to a URL with a blue download button. After downloading an encrypted file, users are redirected to a page where the decryption password is revealed.

Redirected page (Source – ASEC)

Here below, we have mentioned the redirected URL:-


After the download, the page instructs users to decompress the encrypted archive with the password ‘1234’. Decompressing ‘Setup.7z’ yields the executable ‘File.exe’.



Executing File.exe as administrator modifies the registry, collects browser login credentials, and gathers IP and location data. It then downloads further malware to the following location:-


C:\Users\%USERNAME%\Pictures\Minor Policy

Here below, we have mentioned the contents of the downloaded malware:-





Execution flow

A few of the downloaded files had hidden and system properties set. The flow starts from a PDF with a malicious URL, leading to the download and execution of various malware types.

Malware distribution (Source – ASEC)

The malicious file “bus50.exe”, downloaded from the following location, is an SFX archive containing a CAB file; executing the SFX file drops malicious files into the ‘IXP000.TMP’ folder:-


Each successive SFX file creates a further directory containing more payloads, for a total of:

6 SFX files

7 additional malware

Execution flow (Source – ASEC)

Researchers recommend that users avoid downloading cracks and pirated software, and exercise strong caution when executing any downloaded files.


Hash (MD5)

d97fbf9d6dd509c78308731b0e57875a (PDF)

9ce00f95fb670723dd104c417f486f81 (File.exe)

3837ff5bfbee187415c131cdbf97326b (SFX)

7e88670e893f284a13a2d88af7295317 (RedLine)

Download URLs








The post Hackers Weaponize PDF Files to Deliver Multiple Ransomware Variants appeared first on Cyber Security News.
