{
	"id": "1a1f2aca-d30c-4f10-b47f-634fe4e2edc3",
	"created_at": "2026-04-06T00:18:03.088061Z",
	"updated_at": "2026-04-10T13:12:43.337874Z",
	"deleted_at": null,
	"sha1_hash": "4151d37ea84f8df6864822d5cf1c6d6116cd0120",
	"title": "TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 309946,
	"plain_text": "TA505 Abusing SettingContent-ms within PDF files to Distribute\r\nFlawedAmmyy RAT | Proofpoint US\r\nBy Proofpoint Staff, July 19, 2018\r\nPublished: 2018-07-19 · Archived: 2026-04-02 11:11:03 UTC\r\nOverview\r\nThreat actors regularly introduce novel vectors for distributing malware and especially prize those that allow code\r\nand command execution with minimal user interaction. Colleagues at SpecterOps recently published research [1]\r\non abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain\r\nWindows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file\r\nformats. Specifically, this file format currently allows execution of commands such as cmd.exe and PowerShell\r\nwithout prompts or user interaction.\r\nSince the original publication of this approach, Proofpoint researchers have observed a number of actors -- “early\r\nadopters” -- abusing this file format by embedding it inside Microsoft Word and PDF documents. While the\r\ncombination of the technique with the Microsoft Word container was described in the initial research, embedding\r\ninside PDFs has not been documented and likely originated with another source.\r\nCampaign Description\r\nWe first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we\r\nobserved a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF\r\nattachments with an embedded SettingContent-ms file. 
The messages in the campaign used a simple lure asking\r\nthe user to open the attached PDF (Figure 1).\r\nhttps://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat\r\nPage 1 of 4\n\nFigure 1: Example message used to deliver the malicious PDF\r\nWhen opened, Adobe Reader displays a warning prompt asking the user whether they want to open the file, since the PDF is\r\nattempting to run the embedded “downl.SettingContent-ms” via JavaScript. Note that this prompt would be\r\ndisplayed for any file format embedded within a PDF and is not caused by the SettingContent-ms file itself\r\n(Figure 2).\r\nFigure 2: Adobe Reader presenting the user with a prompt to open the SettingContent-ms file\r\nIf the intended victim clicks “OK” to open the file, Windows then runs the SettingContent-ms\r\nfile and the PowerShell command contained within its “DeepLink” element (Figure 3), which leads to the\r\ndownload and execution of the FlawedAmmyy RAT.\r\nFigure 3: The SettingContent-ms file that contains the malicious PowerShell command\r\nAttribution\r\nThis campaign is noteworthy because we attribute it with high confidence to a financially motivated actor we refer\r\nto as TA505 [3,4]. TA505 tends to operate at very large scale and sets trends among financially motivated actors\r\nbecause of its reach and campaign volumes. Our attribution is based on email messages, as well as payload and\r\nother identifying characteristics.\r\nConclusion\r\nWhether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and\r\napproaches when malware authors and researchers publish new proofs of concept. 
While not all new approaches\r\ngain traction, some may become regular elements through which threat actors rotate as they seek new means of\r\ndistributing malware or stealing credentials for financial gain. In this case, we see TA505 acting as an early\r\nadopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale. We\r\nwill continue to monitor ways in which threat actors use this approach in the weeks to come.\r\nReferences\r\n[1] https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\r\n[2] https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat\r\n[3] https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter\r\n[4] https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n0a4f3f9acc61b85183108a31a306115fe34b571240da70920f0a1425fc32c3de | SHA256 | PDF Attachment\r\n61b1dc4d69730dd83f7ef38dd01012fd3487a4db9eb52b024209967093ae180d | SHA256 | FlawedAmmyy Loader\r\n56f1ab4b108cafcbada89f5ca52ed7cdaf51c6da0368a08830ca8e590d793498 | SHA256 | FlawedAmmyy RAT\r\nhxxp://169.239.128[.]164/tov | URL | URL used to download FlawedAmmyy Loader\r\nhxxp://169.239.128[.]164/sd87f67ds5gs7d5fs7df | URL | URL used to download the 2nd Stage FlawedAmmyy RAT\r\n169.239.128[.]150:443 | IP + Port | FlawedAmmyy RAT C\u0026C\r\nET and ETPRO Suricata/Snort/ClamAV Signatures\r\n2025408 || ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin\r\nSource: 
https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat"
	],
	"report_names": [
		"ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4151d37ea84f8df6864822d5cf1c6d6116cd0120.pdf",
		"text": "https://archive.orkl.eu/4151d37ea84f8df6864822d5cf1c6d6116cd0120.txt",
		"img": "https://archive.orkl.eu/4151d37ea84f8df6864822d5cf1c6d6116cd0120.jpg"
	}
}