{
	"id": "5eccbdbe-1fa6-4774-9034-e2bb23e4a9ce",
	"created_at": "2026-04-06T01:32:33.283895Z",
	"updated_at": "2026-04-10T03:21:52.184365Z",
	"deleted_at": null,
	"sha1_hash": "633867972c12633edf196d64e72298525097dab6",
	"title": "PDF Analysis of Lokibot malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 563316,
	"plain_text": "PDF Analysis of Lokibot malware\r\nBy Muhammad Hasan Ali\r\nPublished: 2022-07-25 · Archived: 2026-04-06 01:11:09 UTC\r\n4 minute read\r\nAs-salamu Alaykum\r\nIntroduction\r\nThis sample is from the Lokibot trojan, which steals credential information from web browsers, FTP servers and SMTP servers. This sample is a PDF file, and the purpose of this blog is to show how to analyze a PDF file.\r\nAbout PDF\r\nAbility of a PDF file\r\nA PDF file can implement droppers or downloaders, or exploit vulnerabilities in the PDF reader application.\r\nPDF structure\r\nPDF header: Contains info about the version of the PDF, such as %PDF-1.6\r\nBody:\r\nStreams: a sequence of bytes such as images or data, which comes as encoded data.\r\nObjects: How to render documents, which can include text or JavaScript.\r\nOthers such as names, dictionaries, strings, and arrays.\r\nCross-reference table: contains the offsets of the file's objects.\r\nTrailer: contains the offset of the xref table, the number of objects, and /Root.\r\nA dictionary entry is an item between << and >> and starts with a slash /, such as /Root, which is the first object processed after loading the PDF file; /Root can be found in the Trailer section.\r\nSuspicious keywords found when analyzing, and their indications:\r\n/JS, /JavaScript: To execute embedded JavaScript\r\n/Launch, /EmbeddedFiles: To launch external or embedded files\r\n/URI: To interact with URLs\r\nhttps://muha2xmad.github.io/mal-document/lokibotpdf/\r\nPage 1 of 6\r\n/OpenAction, /AA: To trigger an action automatically\r\n/FlateDecode: uses the zlib/deflate decompression method.\r\nA comment in PDF starts with %\r\nAbout objects:\r\nobj 1 0: % first number is the ID, second number is the version\r\ntype: catalog % catalog is an example; type can be empty.\r\nReferencing: 3 0 R % object 1 0 references 3 0; R indicates a reference\r\n........ % content of the object\r\nendobj % the object ends with this\r\nFor more info about PDF see this.\r\nMethodology\r\nUse pdfid.py or peepdf.py:\r\nto perform an initial assessment by summarizing risky aspects\r\npdf-parser.py:\r\nto locate objects in file.pdf that include JavaScript\r\nto examine the contents of objects\r\nto decode the stream embedded in an object\r\nto extract only the list of URLs\r\nFollow object references to find the goal.\r\nIf you use peepdf.py and find that it has /EmbeddedFiles, start analyzing the object that /EmbeddedFiles belongs to.\r\nIf you find /FlateDecode, go and try to analyze it; it decodes the stream.\r\nPDF analysis\r\nIn this sample, we received a malicious PDF file which downloads the Lokibot malware, so we need to start our analysis quickly using REMnux.\r\nWe first use pdfid.py to get info about the PDF and what is in it. As we see, it has 8 streams, 1 /EmbeddedFiles and 0 JavaScript entries. We could use peepdf.py to find which object contains the /EmbeddedFiles, but an error occurred running it.\r\nFigure(1): pdfid.py output\r\nSo we will use pdf-parser.py to get our embedded file. We see many objects, then start with the objects which contain /FlateDecode, and if we find /EmbeddedFiles, go for it.\r\nFigure(2): pdf-parser.py output\r\nAfter scrolling down, we see object 12 contains /FlateDecode. We try to decode and dump it using\r\nFigure(3): After dumping object 12\r\nIf we use the file command to see its type, it's ASCII text. Then we open file12 using SciTE and see it's useless.\r\nSome objects are useless; it takes time to find the payload. We examine another object. When we get to object 22, we find our /EmbeddedFiles, which is an indicator that the PDF launches an embedded file with a large length. Dump it to file22 to see its content and its type. After that we use the file command and notice that it's a Composite Document File V2 Document. CFBF is a compound document file format for storing numerous files and streams within a single file on disk. In our case, this PDF stores an XLS file.\r\nFigure(4): After dumping object 22; it's an xls Excel spreadsheet\r\nIf we upload file22 to VirusTotal we will find it already uploaded and it's malicious. Our purpose is to get the main payload, and that's it.\r\nFigure(5): VirusTotal analysis of the xls dumped from the PDF\r\nDynamic analysis\r\nWe will open FlareVM, which has our installed tools. We need to install a PDF reader such as Foxit Reader, and Microsoft Office.\r\nFirst, open fakenet-ng in case the malicious PDF tries to connect and download from the internet; this PDF sample opens an xls spreadsheet.\r\nThen open the PDF. In Foxit Reader, disable safe mode and run the malicious PDF in privileged mode.\r\nWe open Attachments and see there's an attachment, which will be our xls spreadsheet file. You can open it manually: double click on it and allow it to open. Then it will open an xls Excel spreadsheet. Save this attachment on your Desktop from Foxit Reader as shown.\r\nFigure(6): When opening the PDF\r\nIoCs\r\nPDF file: da9c3deb08bfc6a2e7930a4c8f1bd81b5ebffbb09b44027c74ea41ebf7149f8b\r\nxls sheet: 825b7a64db82a61656c8004bef49823d5b9fe4f52fae744f5dc927b3e75a994b\r\nArticle quote\r\nMy God, what has he found who has lost You, and what has he lost who has found You?\r\nSource: https://muha2xmad.github.io/mal-document/lokibotpdf/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://muha2xmad.github.io/mal-document/lokibotpdf/"
	],
	"report_names": [
		"lokibotpdf"
	],
	"threat_actors": [],
	"ts_created_at": 1775439153,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/633867972c12633edf196d64e72298525097dab6.pdf",
		"text": "https://archive.orkl.eu/633867972c12633edf196d64e72298525097dab6.txt",
		"img": "https://archive.orkl.eu/633867972c12633edf196d64e72298525097dab6.jpg"
	}
}