# Malicious PDF Document Analysis - LazyScripter

By SrujanKumar-K. Source: https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter (archived 2026-04-05 22:26:34 UTC)

## File information

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.[^1][^2] The threat actor gained initial access using a malicious PDF; the details follow.

- MD5: 62610680349de97db658a7d41fc9a9b8 (available in Any.Run)
- File type: PDF

## Workflow

```mermaid
graph TD;
PDF --> Downloads_ZIP --> BatchScript --> Powershell --> CnC;
```

## Analysis

### Stage 1

We can extract the PDF properties using the "PDFID" tool, and the snip below shows that the file has embedded "/URI" content. With the help of "pdf-parser" these URLs can be extracted.

The malicious PDF pretends to be a patch installer. The embedded link downloads a password-protected ZIP file, and the password is hardcoded in the PDF.

### Stage 2

The unzipped archive contains two batch scripts, "SecurityDsp.bat" and "SSLCertificate.bat", both with identical contents and MD5 "20e9e2e20425f5b89106f6bbace5381d". The code is heavily obfuscated to evade AV detection, as shown below.

Encoded

After replacing each "SET" variable with its corresponding character and doing one more replacement in CyberChef, the result is clean and readable code. The entire code is available in the dropdown section below.

Decoded

The decoded payload is capable of disabling multiple security features built into Defender, setting persistence using registry keys and scheduled tasks, and downloading the next-stage payload from the following URLs:

1. hxxp[://]hpsj[.]firewall-gateway[.]net:80/hpjs[.]php
2. hxxp[://]hpsj[.]firewall-gateway[.]net:443/uddiexplorer

### Final stage

The final payload downloaded from the first URL above is written in PowerShell and steals user information such as hostname, username, OS architecture (32/64) and version, AD domain, system IP, an admin check, an enumeration of all running processes, etc. All of this data is encrypted with AES-CBC and sent to the C2 server.

The response from the C2 server is also AES-encrypted content; for reference, the returned value "LquqiDE9NWlWMN6NCrXeJg==" (extracted from Any.Run) decodes to "False". The following CyberChef recipe can be used to decode the commands.

Based on the decoded value, the corresponding code block is executed. The second URL also acts as a dropper and downloads its payload using a PowerShell cmdlet. After de-obfuscating several stages, this final payload shows the same information-stealing behaviour described above.

## IOC

| Description | URL/Hash |
|---|---|
| PDF | 62610680349de97db658a7d41fc9a9b8 |
| ZIP (Dropper) | hxxp[://]128[.]199[.]7[.]40/PATCH%20CVE00456-2022[.]zip |
| Batch Script | 20e9e2e20425f5b89106f6bbace5381d |
| URL_Dropper_1 | hxxp[://]hpsj[.]firewall-gateway[.]net:80/hpjs[.]php |
| URL_Dropper_2 | hxxp[://]hpsj[.]firewall-gateway[.]net:443/uddiexplorer |
| C2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/operation |
| C2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/proxy |
| C2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/publish |
| C2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/publishing |
| C2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:80/messages |

## References

[^1]: https://attack.mitre.org/groups/G0140/
[^2]: https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf
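The SET-variable substitution described under Stage 2 can be automated instead of being done by hand in CyberChef. The following is an added example and not code from the original post: the batch snippet it parses is constructed to mimic the pattern (one SET per character, the command assembled from `%var%` references), and `parse_sets`, `expand` and `deobfuscate` are names chosen here.

```python
import re
# Constructed sample in the style the post describes for Stage 2: each SET line
# binds a variable to one character and the real command line is assembled from
# %var% references. It is not the actual content of SecurityDsp.bat.
SAMPLE_BAT = """@echo off
set a=p
set "b=o"
set c=w
set d=e
set e=r
set f=s
set g=h
set h=l
set cmd=%a%%b%%c%%d%%e%%f%%g%%d%%h%%h%
%cmd:~0,5%%f%%g%%d%%h%%h% -%g%%d%%h%%a%
"""

SET_RE = re.compile(r'^\s*set\s+(?:"([^=]+)=([^"]*)"|([^=\s]+)=(.*))$', re.I)
REF_RE = re.compile(r'%([^%:~]+)(?::~(-?\d+)(?:,(-?\d+))?)?%')

def expand(line, env, max_rounds=10):
    """Resolve %var% and %var:~start,len% (non-negative len) until stable."""
    def sub(m):
        name, start, length = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)            # unknown variable: keep for manual review
        val = env[name]
        if start is None:
            return val
        start = int(start)
        return val[start:] if length is None else val[start:start + int(length)]
    for _ in range(max_rounds):          # bounded so a self-reference cannot loop forever
        line, prev = REF_RE.sub(sub, line), line
        if line == prev:
            break
    return line

def parse_sets(text):                    # batch expands %var% at SET time; do the same
    env = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            name = (m.group(1) or m.group(3)).lower()
            env[name] = expand(m.group(2) if m.group(1) else m.group(4), env)
    return env

def deobfuscate(text):                   # non-SET lines with every reference resolved
    env = parse_sets(text)
    return [expand(l, env).strip() for l in text.splitlines()
            if l.strip() and not SET_RE.match(l)]
```

Running `deobfuscate(SAMPLE_BAT)` yields the original `@echo off` line followed by the reassembled `powershell -help`; any `%name%` whose SET line is missing is left in place so the analyst sees what still needs manual work.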