Introduction

This lab focuses on analyzing a suspicious PDF file suspected of being part of a targeted malware campaign. The file exhibits behaviors indicative of advanced threat actor tactics, including embedded JavaScript code, obfuscated payloads, and in-memory code injection techniques. Based on initial indicators, the malware appears to leverage capabilities often associated with state-sponsored groups. The investigation explores the PDF’s internal structure, uncovering layers of obfuscation designed to evade detection and deliver a second-stage payload.

The analysis begins with a forensic examination of the PDF structure using PDFWalker, where embedded JavaScript is identified as a potential trigger for malicious activity. Further decoding of the compressed script reveals references to Windows APIs used to perform process injection. By extracting and analyzing the binary payload embedded in the PDF, the investigation uncovers evidence of a Portable Executable (PE) file. This discovery leads to reverse engineering with tools such as Ghidra, which exposes the malware's network communications and its ability to download and execute additional malicious code.

Key findings include the identification of a Command-and-Control (C2) server URL and the use of Windows API calls to manipulate memory, read HTTP responses, and save the payload to disk. Through reverse engineering, we track the malware's operations step by step, revealing how it stages its attack by injecting code into memory and executing it covertly.
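The structural triage described above (find the JavaScript trigger, inflate the compressed stream, spot the embedded PE), as an added example that is not part of the lab or of PDFWalker: a small Python script that builds a constructed PDF fixture (not a real sample), lists action/JavaScript trigger names, inflates FlateDecode streams and flags any object whose decoded stream carries a PE image. Object numbers, the script text and the PE stub are all constructed for the demo.

```python
import re
import zlib

# Constructed fixture, not a real sample: the 64-byte "MZ ... PE\0\0" skeleton of a PE header.
EMBEDDED_PE_STUB = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
TRIGGER_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")
OBJ_STREAM_RE = re.compile(rb"(\d+) 0 obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # skip indirect "n 0 R" lengths


def build_sample_pdf() -> bytes:
    """Minimal PDF: /OpenAction -> JavaScript action whose FlateDecode stream hides a PE image."""
    payload = zlib.compress(b"app.alert('stage one');\n" + EMBEDDED_PE_STUB)
    objs = [
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj",
        b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj",
        b"3 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(payload)
        + payload + b"\nendstream endobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def has_pe_header(data: bytes) -> bool:
    """True if data holds an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    idx = data.find(b"MZ")
    while idx != -1:
        if len(data) >= idx + 0x40:
            e_lfanew = int.from_bytes(data[idx + 0x3C:idx + 0x40], "little")
            if data[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\x00\x00":
                return True
        idx = data.find(b"MZ", idx + 1)
    return False


def triage_pdf(pdf: bytes) -> dict:
    """Report trigger names and the objects whose inflated stream contains a PE image."""
    # Match trigger names only outside stream bodies so compressed bytes cannot match by accident.
    dictionaries = re.sub(rb"stream\r?\n.*?endstream", b"", pdf, flags=re.S)
    report = {"triggers": sorted(n.decode() for n in TRIGGER_NAMES if n in dictionaries),
              "pe_in_objects": []}
    for m in OBJ_STREAM_RE.finditer(pdf):
        length = DIRECT_LENGTH_RE.search(m.group(2))
        start = m.end()
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        decoded = pdf[start:end]
        if b"/FlateDecode" in m.group(2):
            try:
                decoded = zlib.decompress(decoded)
            except zlib.error:
                pass  # corrupt or truncated stream: scan the raw bytes instead
        if has_pe_header(decoded):
            report["pe_in_objects"].append(int(m.group(1)))
    return report
```

Running `triage_pdf(build_sample_pdf())` reports the `/OpenAction`, `/JavaScript` and `/JS` names and points at object 3 as the stream carrying the PE image, which is the object you would then dump and hand to Ghidra.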

This w
