PDF Campaign Delivering Snake Keylogger


HP threat analysts have discovered a recent malware distribution campaign that uses PDF attachments to smuggle malicious Word documents, which in turn infect users with malware.

Most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code; a PDF attachment is an unusual choice.

Embedding Word in PDFs

In a campaign seen by HP Wolf Security, the PDF arriving via email is named “Remittance Invoice.” When the PDF is opened, Adobe Reader prompts the user to open a DOCX file contained inside it, which looks strange and might confuse the victim.

The threat actors named the embedded document “has been verified,” so the Open File prompt reads “The file ‘has been verified’.” This message could trick recipients into believing that Adobe verified the file as legitimate and that it is safe to open.

Source: HP

Analyzing the PDF file reveals that the .docx file is stored as an embedded file object.
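The embedded-file structure described above is something a mail gateway or triage script can look for directly. The following is an added example (not HP's tooling or code from the original write-up) that scans raw PDF bytes for /Filespec entries naming Office documents and for /EmbeddedFile streams carrying a ZIP (OOXML) signature; the sample PDF is constructed for the example and only mimics the layout of the campaign file.

```python
import re

# Constructed sample (not the real campaign file): a minimal PDF whose name
# tree carries a /Filespec pointing at an embedded .docx, the structure HP
# describes. Adobe Reader shows the /Names entry, here "has been verified".
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"2 0 obj << /Names [(has been verified) 3 0 R] >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (has been verified.docx) "
    b"/EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\n"
    b"PK\x03\x04\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OFFICE_EXTS = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")
ZIP_MAGIC = b"PK\x03\x04"  # OOXML (.docx/.xlsx) containers are ZIP archives


def find_filespecs(pdf):
    """Return (file name, is_office_doc) for each /Filespec dictionary.

    Works on uncompressed object dictionaries only; a PDF that packs its
    objects into compressed object streams must be inflated first.
    """
    specs = []
    for m in re.finditer(rb"/Type\s*/Filespec(.*?)>>\s*endobj", pdf, re.S):
        name_m = re.search(rb"/(?:UF|F)\s*\(([^)]*)\)", m.group(1))
        name = name_m.group(1).decode("latin-1") if name_m else "<unnamed>"
        specs.append((name, name.lower().endswith(OFFICE_EXTS)))
    return specs


def embedded_zip_count(pdf):
    """Count /EmbeddedFile streams whose data starts with the ZIP signature.

    Streams compressed with /FlateDecode must be inflated before this check.
    """
    hits = re.finditer(rb"/Type\s*/EmbeddedFile.*?stream\r?\n(.{4})", pdf, re.S)
    return sum(1 for m in hits if m.group(1) == ZIP_MAGIC)


def triage(pdf):
    """Return human-readable findings for a PDF that smuggles Office files."""
    findings = [f"embedded Office document: {name!r}"
                for name, office in find_filespecs(pdf) if office]
    zips = embedded_zip_count(pdf)
    if zips:
        findings.append(f"{zips} embedded stream(s) with ZIP/OOXML signature")
    return findings
```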


If we return to our PDF document and click on “Open this file” at the prompt, Microsoft Word opens. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.

Source: HP

The download of the RTF is the result of the following command, embedded in the Word file along with the hardcoded URL “vtaurl[.]com/IHytw”, which is where the payload is hosted.

URL that hosts the RTF file ( HP )

Exploiting old RCE

The RTF document is named “f_document_shp.doc” and contains malformed OLE objects, likely to evade analysis. After some targeted reconstruction, HP’s analysts found that it attempts to abuse an old Microsoft Equation Editor vulnerability to run arbitrary code.

Decrypted shellcode presenting the payload (HP)

The shellcode exploits CVE-2017-11882, a remote code execution bug in Equation Editor that was fixed in November 2017 but is still exploited in the wild; the slow patching that followed the fix made it one of the most exploited vulnerabilities of 2018.


By exploiting CVE-2017-11882, the shellcode in the RTF downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.

Indicators listed by HP for this campaign (the indicator values themselves are not reproduced on this page):

- Embedded document “has been verified” (.docx)
- Exploit shellcode
- fresh.exe (Snake Keylogger)
- External OLE reference URL
- External OLE reference final URL
- Snake Keylogger payload URL
- Snake Keylogger exfiltration via SMTP

Source/Credits: https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/#

Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.