{ "id": "54c892f2-ee54-464b-a966-a2f87b67e0fb", "created_at": "2026-04-06T00:16:03.697113Z", "updated_at": "2026-04-10T03:23:38.766103Z", "deleted_at": null, "sha1_hash": "7553604d35c02c750512772754350b445d9ded49", "title": "Infostealer Malware with Double Extension - SANS ISC", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 332260, "plain_text": "Infostealer Malware with Double Extension - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 16:50:17 UTC\r\nGot this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The\r\nattachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it\r\ncomes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning\r\nengines. \r\nUsing CyberChef Forensics -\u003e Extract Files, you can view a list of files part of the executable from the .exe, .zlib\r\nand various mp3 and png.\r\nhttps://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354\r\nPage 1 of 3\n\nSaving some of the files to review and analyze them:\r\nIndicators of Compromise\r\nhttps://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354\r\nPage 2 of 3\n\nFilename: payment_copy.pdf.z -\u003e RAR archive data\r\nSHA256: 37da8f89540f4dae114f1f55cfd4d89be9582fbd480ac6ed6c34ac04ec8d576b\r\nSSDEEP:\r\n12288:jiE0YCjbwMh6ny+h+n6SN/PAQDnNNTtcvCEYLPQE5FiER3RiSbhXwS:eE3K0Mh6nyU+6SOQ77lPQaFpbeS\r\nFilename: payment_copy.pdf.exe\r\nIPs: 3.232.242[.]170, 52.20.78[.]240, 54.91.59[.]199, 65.108.213[.]43, 209.197.3[.]8\r\nDomains: api.ipify[.]org, api.ipify.org.herokudns[.]com, mail.reousaomilia[.]gr, reousaomilia[.]gr,\r\nwww.inkscape[.]org\r\nSHA256: 3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492\r\n[1] https://www.virustotal.com/gui/file/37da8f89540f4dae114f1f55cfd4d89be9582fbd480ac6ed6c34ac04ec8d576b\r\n[2] https://www.virustotal.com/gui/file/3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492\r\n[3] https://gchq.github.io/CyberChef/\r\n-----------\r\nGuy Bruneau IPSS Inc.\r\nMy Handler Page\r\nTwitter: GuyBruneau\r\ngbruneau at isc dot sans dot edu\r\nSource: https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354\r\nhttps://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354" ], "report_names": [ "29354" ], "threat_actors": [ { "id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4", "created_at": "2022-10-25T16:07:23.667223Z", "updated_at": "2026-04-10T02:00:04.705778Z", "deleted_at": null, "main_name": "GCHQ", "aliases": [ "Government Communications Headquarters", "Operation Socialist" ], "source_name": "ETDA:GCHQ", "tools": [ "Prax", "Regin", "WarriorPride" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434563, "ts_updated_at": 1775791418, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7553604d35c02c750512772754350b445d9ded49.pdf", "text": "https://archive.orkl.eu/7553604d35c02c750512772754350b445d9ded49.txt", "img": "https://archive.orkl.eu/7553604d35c02c750512772754350b445d9ded49.jpg" } }