lazarusholic


Another PDF Viewer - Is It Malicious?

2024-10-03, Kandji
https://www.kandji.io/blog/another-pdf-viewer-is-it-malicious
#macOS #RustBucket

Another PDF Viewer - Is It Malicious?
For security researchers, time spent reversing a potentially suspicious file does not always end with the conclusion that it is malicious. There is always something to learn from these efforts, and sometimes they result in an interesting story even when no malware is found. I considered not writing this up but decided (with some help from friends) to release this as an article that details the process of trying to determine whether something is malicious.
This is one such story: it concerns a PDF that requires a specific PDF viewer application in order to open it, extract an encrypted embedded PDF, and display that to the user. That is definitely a little strange.
On September 17, 2024, MalwareHunterTeam (@malwrhunterteam) on Twitter/X shared a hash for a file named OSX-PDF-Viewer that several vendors on VirusTotal were detecting as yet another piece of DPRK (North Korea)-attributed malware. They posed the question if …

IoC

743bd4c36afdcfaff4508fd613a4f4eee71d2e0bc5a31deb1c170d1039c953ae
095184b6559bbe2e2fef999834d6905708ae254064193540d051f8c23910dfa6
6c925e2a39e8312c704575af4ad7fe75f161e73f92ffda6b9abd3663b6c789d4
37e6d18ba339b3efa5dd26e143af8bbeb8eefabbc4cfab72e6150e3bc3290b31
https://github.com/PatrickSkinner/OSX-PDF-Viewer