I was recently alerted to an email containing an attachment named 3D PICTURE DRAWING DESIGN.pdf (SHA-256: 6657978de693874ef0b1d7491ff7ecc4066631d88b1481b19d9913d56356fd81). When opened the pdf tries to trick the user into clicking on an embedded link that leads to hxxps://filebin.net/v84mk8ucvp2m702e/3D_PICTURE_DRAWING.pif

A .pif file is typically used by older versions of Windows (from the DOS era) to store information about how to run DOS programs. However, in modern contexts, .pif files are often used to disguise executables.

Although the link was inaccessible some pivoting in VirusTotal suggested that the .pif file disguised the executable 3D PICTURE DRAWING DESIGN..pdf.exe (SHA-256: d7bd0b2562c16e5ba120a0eab297c5ec6fbe38bda36dfc7d9e34b1b5699438cc). Based on file version information, the original name of this file is cLmx.exe. The exe is flagged by a number of detection engines as behaving like Formbook malware. Formbook is an infostealer malware operating as MaaS (Malware as a service) for the affordable price of around $59 per month.

Static Analysis

cLmx.exe is identified with the signature “Microsoft Visual C# v7.0 / Basic .NET,” indicating that it was developed using Microsoft’s .NET platform, likely in C# or VB.NET, and compiled with .NET Framework 7.0 tools, suggesting it is a managed .NET assembly.

The sample is written to impersonate a legitimate program called English Helper.

Behavioural Analysis

Executing the specimen in my lab generated no useful indicators. Indeed, the process terminated itself likely because it observed it was running in a virtualised environment. Formbook is known to have well established anti-analysis techniques built into it so that explains that.

Code Analysis

At first glance it is very difficult to detect the malicious payload. The malware posseses all the attributes and methods of a language tool.

Checking other analysis out there I saw that a recent Formbook specimen had mapped a resource to memory using Assembly.Load. Looking over my sample I found what looks like something similar within a class named MainPage:

This code is definitely suspicious and could be part of the malware’s payload loading mechanism. Let’s break down why.

  • List<byte> list2; indicates that list2 is a list of bytes, which could be storing the decrypted or raw binary data of the malicious code.

  • typeof(Assembly).InvokeMember("Load, ...) is particularly telling. It is using reflection to dynamically invoke the Assembly.Load method. Instead of calling Assembly.Load directly, it’s using InvokeMember with BindingFlags.InvokeMethod to invoke it dynamically. This is often done to evade static analysis.

  • list2.ToArray() converts the List<byte> into a byte array, which is then passed to Assembly.Load. This method loads the byte array as a .NET assembly directly into memory.

  • as Assembly casts the results of the dynamic Assembly.Load into an Assembly object, allowing the program to execute code from the loaded assembly.

Anti-Analysis

This sample presents with rigorous anti-analysis techniques. There will be more to come from this blog post once I’ve been able to overcome these barriers.

IOCs

Files

  • 3D PICTURE DRAWING DESIGN.pdf - SHA-256: 6657978de693874ef0b1d7491ff7ecc4066631d88b1481b19d9913d56356fd81
  • 3D PICTURE DRAWING DESIGN..pdf.exe - SHA-256: d7bd0b2562c16e5ba120a0eab297c5ec6fbe38bda36dfc7d9e34b1b5699438cc

hxxps://filebin.net/v84mk8ucvp2m702e/3D_PICTURE_DRAWING.pif

⚡️ Enjoyed this post? Buy me a coffee… in sats! Tip me via my Lightning address: [email protected]