Today we analyze what looks like an ordinary PDF phishing campaign, but the trail soon leads to a very large server of stolen victim credentials.
Filename: 1.pdf
MD5: 529F3E3CB0C3C00E98789540BDD9BFB2
Sample: Download via Reverse.it
Details & Infection Roadmap
Because this malware uses a long infection chain, we begin today's analysis with a roadmap. It may be useful to refer back to this image throughout the analysis:
We begin by opening the PDF and are greeted with a familiar phishing message: the document is "secured" and we must click the link to view the complete document:
PDF Analysis: FTP Discovery
Inspecting the PDF with PDFStreamDumper reveals that the link attempts to download files from an FTP server. Full credentials for the server are provided in the URL:
Logging into the attacker's server reveals several hosted ZIPs containing malicious executables disguised as PDFs.
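The link embedding full FTP credentials is the detail worth catching before anyone clicks. The following script, an added example rather than code from the original write-up, pulls /URI link targets out of raw PDF bytes and flags ftp:// links, embedded credentials and archive/executable downloads, stripping the credentials from the report. The sample PDF fragment and the ftp.example.invalid host are constructed for the example, not taken from 1.pdf.

```python
import re
from urllib.parse import urlsplit

# Matches /URI literal-string entries in raw PDF objects (handles \) escapes).
# Hex strings and compressed object streams are out of scope for this example.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

def extract_uris(pdf_bytes):
    """Return the decoded /URI strings found in the raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the common PDF literal-string escapes: \( \) \\
        raw = re.sub(rb"\\([()\\])", rb"\1", raw)
        uris.append(raw.decode("latin-1"))
    return uris

def classify_uri(uri):
    """List the reasons a link is suspicious; an empty list means nothing flagged."""
    parts = urlsplit(uri)
    reasons = []
    if parts.scheme.lower() == "ftp":
        reasons.append("ftp scheme")
    if parts.username:
        reasons.append("embedded credentials")
    if parts.path.lower().endswith((".zip", ".exe", ".scr")):
        reasons.append("downloads archive/executable")
    return reasons

def scan_pdf(pdf_bytes):
    """Return (redacted_uri, reasons) for every flagged link in the PDF."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        reasons = classify_uri(uri)
        if reasons:
            parts = urlsplit(uri)
            # Report host and path only; never echo the credentials into logs
            shown = f"{parts.scheme}://{parts.hostname}{parts.path}"
            findings.append((shown, reasons))
    return findings

# Constructed sample: a minimal link annotation object, not the real 1.pdf
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (ftp://user:Passw0rd@ftp.example.invalid/docs/Invoice.zip) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.com/) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for uri, reasons in scan_pdf(SAMPLE_PDF):
        print(uri, "->", ", ".join(reasons))
```

Run it against a real sample by passing `open(path, "rb").read()` to `scan_pdf`; links hidden inside compressed object streams need the PDF inflated first (PDFStreamDumper can do that).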
Infection Flow & Payload Deployment
Executing the extracted EXE unleashes the infection chain, dropping further executables and scripts, including "abb1.bat" and "Adob9.vbs", while displaying a blank "245.jpg" as a distraction.
Technical Details: Credential Exfiltration
The malware captures the output of ipconfig on the victim machine, writes it to "adip2.klc", and then uses a dropped FTP client to upload the file to the C2 server.
Victim Repository Analysis
Logging into the exfiltration server reveals a massive repository of user credential records organized by date and IP.
The stolen data is stored in clear text, exposing email addresses and passwords harvested from various browsers.
Conclusion & Protection
This phishing campaign shows that high-volume credential theft often relies on simple, multi-stage delivery methods. Always verify document sources and ensure your OS shows full file extensions.