PDF IcedID Downloader

November 2, 2023

SHA256 Hash: 6e9a63ae124bdb1a0329932bdb55c1d95e5c2e0020e1627cf4c5f2342db8e1d4

Summary

When opened, this PDF document, used in phishing campaigns, presents the user with a clickable link claiming that viewing the file requires downloading Adobe Acrobat Reader. The link points to the URL:

hxxps://skyalarabia[.]com/utsn/?wxXOMokSqbTAoLjYCcKMJmgvsLcociGBMQAvCRCMOvFRxuHozpayBlRFWjHIbgTwCFETgsJoEqidBLdL.

Following that link issues a GET request that would ultimately download the second-stage payload containing the IcedID malware. At the time of this writing the second-stage payload can no longer be retrieved from this URL, as it is no longer in use.

Analysis

Analyzing the PDF with peepdf identifies an object containing a URI.

Inspecting Object 4 reveals the malicious URL.
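The peepdf step above (find the object that carries a /URI action, read the URL out of it) can be reproduced offline for quick triage. The following is an added example written for this post, not the author's tooling or peepdf itself: it walks the raw objects of a PDF, pulls every /URI action (literal and hex string forms), records which object number it came from, defangs the result for IOC reporting, and checks whether the document also has an /OpenAction or /AA entry that would fire without a click. The embedded PDF is a constructed sample using the placeholder host example.invalid, not the Ev.pdf file analyzed here.

```python
"""Offline triage of PDF link annotations: find /URI actions per object,
defang them for IOC reporting, and hash the file. Added example, not the
post's own tooling; the regexes stand in for the peepdf pass above."""
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample (NOT the Ev.pdf sample): a two-annotation PDF whose
# objects 4 and 5 carry /URI actions, one as a literal string and one as a
# hex string, under the placeholder host example.invalid.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 500 720]
  /A << /S /URI /URI (https://example.invalid/utsn/?abc) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 620]
  /A << /S /URI /URI <68747470733a2f2f6578616d706c652e696e76616c69642f6865782d70617468> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal string form: stop at the first ')' that is not backslash-escaped.
URI_LITERAL_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Hex string form: <...> with optional whitespace between digits.
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\), \\(, \\\\, \\n-style, \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in b"01234567":  # octal escape, up to three digits
                j, digits = i + 1, b""
                while j < len(raw) and len(digits) < 3 and raw[j:j + 1] in b"01234567":
                    digits += raw[j:j + 1]
                    j += 1
                out.append(int(digits, 8) & 0xFF)
                i = j
                continue
            simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
            out += simple.get(nxt, nxt)  # unknown escapes yield the char itself
            i += 2
            continue
        out += c
        i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list[tuple[int, str]]:
    """Return (object number, URI) for every /URI action visible in the file."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        obj_num, body = int(m.group(1)), m.group(3)
        for lit in URI_LITERAL_RE.finditer(body):
            found.append((obj_num, _unescape_literal(lit.group(1)).decode("latin-1")))
        for hx in URI_HEX_RE.finditer(body):
            digits = re.sub(rb"\s+", b"", hx.group(1))
            if len(digits) % 2:  # PDF pads an odd trailing hex digit with 0
                digits += b"0"
            found.append((obj_num, bytes.fromhex(digits.decode("ascii")).decode("latin-1")))
    return found


def has_auto_action(pdf: bytes) -> bool:
    """True if the document declares an action that runs without a user click."""
    return b"/OpenAction" in pdf or b"/AA" in pdf


def defang(uri: str) -> str:
    """hxxp(s) scheme and bracketed dots in the host, for safe IOC sharing."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme.replace("http", "hxxp"),
                       parts.netloc.replace(".", "[.]"),
                       parts.path, parts.query, parts.fragment))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("SHA256:", sha256_hex(SAMPLE_PDF))
    print("auto-action present:", has_auto_action(SAMPLE_PDF))
    for obj_num, uri in extract_uris(SAMPLE_PDF):
        print(f"object {obj_num}: {defang(uri)}")
```

Two caveats apply to this regex pass. It only sees objects stored in plain text; a /URI inside a compressed object stream (/ObjStm) or an encrypted document will not match, which is where a real parser such as peepdf, which decodes streams, is still needed. The has_auto_action check is what separates a lure like this one, which waits for a click, from a document that reaches out as soon as it is opened.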

Opening the PDF shows the lure: the user is encouraged to click the link under the impression that they are updating Adobe Acrobat Reader.

Upon clicking the link, a DNS query for skyalarabia[.]com is observed, followed by the GET request. That GET request would ultimately return the second-stage IcedID payload.

IOCs

SHA256 File Hash:

6e9a63ae124bdb1a0329932bdb55c1d95e5c2e0020e1627cf4c5f2342db8e1d4

Files:

Ev.pdf

HTTP Requests:

hxxps://skyalarabia[.]com/utsn/?wxXOMokSqbTAoLjYCcKMJmgvsLcociGBMQAvCRCMOvFRxuHozpayBlRFWjHIbgTwCFETgsJoEqidBLdL

DNS:

skyalarabia[.]com