{
	"id": "3b434466-1f83-49a7-bda5-3480169254a8",
	"created_at": "2026-04-06T00:13:47.630574Z",
	"updated_at": "2026-04-10T03:23:52.171172Z",
	"deleted_at": null,
	"sha1_hash": "a15a07b7e28ec72a68683d3f6f5900257a528d5c",
	"title": "PDF Malware Is Not Yet Dead | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 759886,
	"plain_text": "PDF Malware Is Not Yet Dead | HP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2022-05-20 · Archived: 2026-04-05 15:52:32 UTC\r\nFor the past decade, attackers have preferred to package malware in Microsoft Office file formats, particularly\r\nWord and Excel. In fact, in Q1 2022 nearly half (45%) of malware stopped by HP Wolf Security used Office\r\nformats. The reasons are clear: users are familiar with these file types, the applications used to open them are\r\nubiquitous, and they are suited to social engineering lures.\r\nIn this post, we look at a malware campaign isolated by HP Wolf Security earlier this year that had an unusual\r\ninfection chain. The malware arrived in a PDF document – a format attackers less commonly use to infect PCs –\r\nand relied on several tricks to evade detection, such as embedding malicious files, loading remotely-hosted\r\nexploits, and shellcode encryption.\r\nFigure 1 – Alert timeline in HP Wolf Security Controller showing the malware being isolated.\r\nPDF Campaign Delivering Snake Keylogger\r\nA PDF document named “REMMITANCE INVOICE.pdf” was sent as an email attachment to a target. Since the\r\ndocument came from a risky vector – email, in this case – when the user opened it, HP Sure Click ran the file in an\r\nisolated micro virtual machine, preventing their system from being infected.\r\nAfter opening the document, Adobe Reader prompts the user to open a .docx file. The attackers sneakily named\r\nthe Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name\r\nwas part of the Adobe Reader prompt (Figure 2).\r\nhttps://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/\r\nPage 1 of 10\n\nFigure 2 – PDF document prompting the user to open another document.\r\nAnalyzing the PDF file reveals that the .docx file is stored as an EmbeddedFile object. 
Investigators can quickly\r\nsummarize the most important properties of a PDF document using Didier Stevens’ pdfid script (Figure 3).\r\nFigure 3 – PDFiD analysis of document.\r\nTo analyze the EmbeddedFile, we can use another tool from Didier Stevens’ toolbox, pdf-parser. This script\r\nallows us to extract the file from the PDF document and save it to disk.\r\nFigure 4 – Using pdf-parser to save embedded file to disk.\r\nEmbedded Word Document\r\nIf we return to our PDF document and click on “Open this file” at the prompt, Microsoft Word opens. If Protected\r\nView is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the\r\ncontext of the open document.\r\nFigure 5 – Word document contacting web server.\r\nSince Microsoft Word does not say which server it contacted, we can use Wireshark to record the network traffic\r\nand identify the HTTP stream that was created (Figure 6).\r\nFigure 6 – HTTP GET request returning RTF file.\r\nLet’s switch back to the Word document to understand how it downloads the .rtf. Since it is an OOXML (Office\r\nOpen XML) file, we can unzip its contents and look for URLs in the document using the command shown in\r\nFigure 7.\r\nFigure 7 – List of URLs in the Word document.\r\nThe highlighted URL caught our eye because it’s not a legitimate domain found in Office documents. This URL is\r\nin the document.xml.rels file, which lists the document’s relationships. 
The relationship that caught our eye shows\r\nan external object linking and embedding (OLE) object being loaded from this URL (Figure 8).\r\nFigure 8 – XML document relationships.\r\nExternal OLE Object\r\nConnecting to this URL leads to a redirect and then downloads an RTF document called f_document_shp.doc. To\r\nexamine this document more closely, we can use rtfobj to check if it contains any OLE objects.\r\nFigure 9 – RTFObj output showing two OLE objects.\r\nHere there are two OLE objects we can save to disk using the same tool. As indicated in the console output, both\r\nobjects are not well-formed, meaning analyzing them with oletools could lead to confusing results. To fix this, we\r\ncan use foremost to reconstruct the malformed objects. Then we can view basic information about the objects\r\nusing oleid. This tells us the object relates to Microsoft Equation Editor, a feature in Word that is commonly\r\nexploited by attackers to run arbitrary code.\r\nFigure 10 – Basic OLE information extracted with oleid.\r\nEncrypted Equation Editor Exploit\r\nExamining the OLE object reveals shellcode that exploits the CVE-2017-11882 remote code execution\r\nvulnerability in Equation Editor. There are many analyses of this vulnerability, so we won’t analyze it in detail.\r\nInstead we focus below on how the attacker encrypted the shellcode to evade detection.\r\nFigure 11 – Shellcode that exploits CVE-2017-11882.\r\nThe shellcode is stored in the OLENativeStream structure at the end of the object. We can then run the shellcode in\r\na debugger, looking for a call to GlobalLock. This function returns a pointer to the first byte of the memory block,\r\na technique used by shellcode to locate itself in memory. 
Using this information, the shellcode jumps to a defined\r\noffset and runs a decryption routine.\r\nFigure 12 – Multiplication and addition part of decryption routine.\r\nThe key is multiplied by a constant and added at each iteration. The ciphertext is then decrypted each time with an\r\nXOR operation. The decrypted data is more shellcode, which is executed afterwards.\r\nFigure 13 – Decrypted shellcode presenting the payload URL.\r\nWithout running it further, we see that the malware downloads an executable called fresh.exe and runs it in the\r\npublic user directory using ShellExecuteExW. The executable is Snake Keylogger, a family of information-stealing\r\nmalware that we have written about before. We can now extract indicators of compromise (IOCs) from this\r\nmalware, for example using dynamic analysis. At this point, we have analyzed the complete infection chain and\r\ncollected IOCs, which can now be used for threat hunts or building new detections.\r\nConclusion\r\nWhile Office formats remain popular, this campaign shows how attackers are also using weaponized PDF\r\ndocuments to infect systems. Embedding files, loading remotely-hosted exploits and encrypting shellcode are just\r\nthree techniques attackers use to run malware under the radar. The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for\r\nattackers.\r\nIOCs\r\nSource: https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/"
	],
	"report_names": [
		"pdf-malware-is-not-yet-dead"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a15a07b7e28ec72a68683d3f6f5900257a528d5c.pdf",
		"text": "https://archive.orkl.eu/a15a07b7e28ec72a68683d3f6f5900257a528d5c.txt",
		"img": "https://archive.orkl.eu/a15a07b7e28ec72a68683d3f6f5900257a528d5c.jpg"
	}
}