{"id":1172,"date":"2024-08-30T05:05:22","date_gmt":"2024-08-30T05:05:22","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1172"},"modified":"2025-07-28T15:54:01","modified_gmt":"2025-07-28T15:54:01","slug":"virus-total-delivers-clean-result-for-malicious-pdf-file","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/virus-total-delivers-clean-result-for-malicious-pdf-file\/","title":{"rendered":"Virus Total Delivers Clean Result For Malicious PDF file"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"500\" height=\"304\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_featimg_header.jpg\" alt=\"\" class=\"wp-image-1180\"\/><\/figure>\n<\/div>\n\n\n<p>This PDF file was received in a suspicious email from an unknown sender:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"171\" height=\"177\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img1.png\" alt=\"\" class=\"wp-image-1173\"\/><figcaption class=\"wp-element-caption\"><em>Figure 1 Attachment in spam mail<\/em><\/figcaption><\/figure>\n\n\n\n<p>When we checked the hash value of the file on the Virus Total website to determine whether it had been flagged as malicious, the file was present, but its detection rate was 0\/56. Here is that link. 
&nbsp;We have continued to monitor it and, as of the latest analysis, the detection rate had increased to only 15\/56, with many of the leading antivirus tools still failing to detect it.<\/p>\n\n\n\n<p>We have dissected the file to look for any malicious content inside.<\/p>\n\n\n\n<p><strong>Static Analysis:<\/strong><\/p>\n\n\n\n<p>We found the following suspicious code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  &lt;&lt;\n\n    \/Type \/Action\n\n    \/S \/URI\n\n    \/URI (https:\n\n    \/ \/bit.ly\n\n    \/2p9sWKu )\n\n  &gt;&gt;\n\n\/StructParent 0<\/code><\/pre>\n\n\n\n<p>Note the link: bit(.)ly \/2p9sWKu (shortened URL)<\/p>\n\n\n\n<p>Expanded URL: hxxp:\/\/democrats(.)ge\/images\/stories\/august\/documents(.)php<\/p>\n\n\n\n<p><strong>Dynamic Analysis:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"883\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img2-1024x883.png\" alt=\"\" class=\"wp-image-1174\"\/><figcaption class=\"wp-element-caption\"><em>Figure 2 PDF Dynamic analysis<\/em><\/figcaption><\/figure>\n\n\n\n<p>When we opened the suspicious PDF file, it displayed a message saying that it is a \u201cSecured PDF Online Document\u201d which can be viewed on the Adobe site. The same shortened URL is used as the link to that online site.<\/p>\n\n\n\n<p><strong>Website and Code Analysis:<\/strong><\/p>\n\n\n\n<p>The Virus Total result for the above URL identifies it as malicious and a phishing site. See that link here.<\/p>\n\n\n\n<p>We visited the site and downloaded the PHP code for analysis. 
It was heavily obfuscated.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1519\" height=\"517\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img3.gif\" alt=\"\" class=\"wp-image-1175\"\/><\/figure>\n\n\n\n<p>So, we de-obfuscated the code and found the following code.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"251\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img4.png\" alt=\"\" class=\"wp-image-1176\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img4.png 1600w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img4-1536x241.png 1536w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p>When we de-obfuscated it a second time, we found the following:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"79\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img5-1024x79.png\" alt=\"\" class=\"wp-image-1177\"\/><\/figure>\n\n\n\n<p>This is an iframe injection. We checked that site hxxp:\/\/limpdexa(.)com<\/p>\n\n\n\n<p>Virus Total also identifies it as a malware site. 
See that link here.<\/p>\n\n\n\n<p>This is also flagged as a malicious website: https:\/\/urlscan.io\/result\/2077850e-e12a-4e75-a598-a2374ffcffb3#summary (a malicious site according to Google Safe Browsing).<\/p>\n\n\n\n<p>A screenshot of a similar landing page:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"906\" height=\"481\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/VT-delivers-clean-result-pdf_img6.jpg\" alt=\"\" class=\"wp-image-1179\"\/><\/figure>\n\n\n\n<p><strong>Conclusion:<\/strong><\/p>\n\n\n\n<p>We believe this is a phishing password stealer that uses Adobe as the main vector, and one that is not being universally identified, as can be seen by the ongoing lag in detection reported by Virus Total.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When we checked the hash value of the file on the Virus Total website to determine whether it had been flagged as malicious, the file was present, but its detection rate was 0\/56. Here is that link. \u00a0We have continued to monitor it and, as of the latest analysis, the detection rate had increased to only 15\/56, with many of the leading antivirus tools still failing to detect it. 
We have dissected the file to look for any malicious content inside.<\/p>\n","protected":false},"author":1,"featured_media":1180,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1172","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1172"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1172\/revisions"}],"predecessor-version":[{"id":4445,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1172\/revisions\/4445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1180"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}