[SAFE DUMMY FILE - PRACIVO LAB - NOT REAL MALWARE]

Strings from fake dropper (disguised as PDF invoice):

FILE_PROPERTIES:
- Filename: invoice_Q4_2024.pdf.exe (double extension trick)
- Icon: PDF icon (misleads user)
- File size: 48KB (small loader; the real payload is downloaded at runtime)
- Compile time: 2024-11-15 (fresh build, so existing hash/signature-based AV may not match it; note that PE timestamps are easy to forge)

SUSPICIOUS_STRINGS:
- "http://update-cdn.winhelper.net/payload.bin" (hardcoded payload URL)
- "URLDownloadToFileA" (downloads second stage)
- "CreateProcessA" (executes downloaded payload)
- "WScript.Shell"
- "Scripting.FileSystemObject"
- "TEMP\svchost32.exe" (payload dropped to temp folder)

OBFUSCATION_DETECTED:
- XOR encoding with key: 0x5A
- Strings stored reversed
- API calls resolved dynamically at runtime (import table stays clean; avoids static analysis)

BEHAVIOR_ON_EXECUTION:
1. Checks internet connectivity
2. Downloads encrypted payload from C2
3. Decrypts payload using hardcoded key
4. Drops to %TEMP%\WindowsUpdate.exe
5. Executes payload
6. Opens legitimate PDF to distract victim

ANALYSIS_NOTES:
Droppers are stage 1: they fetch and launch the real malware, so the dropper alone says little about the final payload. Note that the drop path in the strings (TEMP\svchost32.exe) differs from the path observed at runtime (%TEMP%\WindowsUpdate.exe); static strings can be stale or decoys, so confirm file writes with dynamic analysis.
Red flags in email attachments:
- Double extension: file.pdf.exe
- Wrong file icon for the extension
- Very small file size for what it claims to be
- Macro-enabled: file.xlsm, file.docm
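Added example (not part of the lab file above): a small Python string recoverer for the obfuscation scheme the notes describe (reverse the string, XOR every byte with 0x5A), plus the attachment red-flag checks from ANALYSIS_NOTES. The "loader" it scans is a constructed byte blob built from the plaintext strings listed above, not a real sample; the 0xFF padding, the 100 KiB "small loader" threshold and the indicator regexes are assumptions for illustration. It goes one step beyond the notes by brute-forcing the single-byte key instead of assuming 0x5A.

```python
import re
from typing import Dict, List, Optional

# Plaintext indicators taken from the dummy dropper's string list above.
KNOWN_STRINGS = [
    b"http://update-cdn.winhelper.net/payload.bin",
    b"URLDownloadToFileA",
    b"CreateProcessA",
    b"WScript.Shell",
    b"Scripting.FileSystemObject",
    b"TEMP\\svchost32.exe",
]

# Assumed indicator classes a scanner looks for once strings are recovered:
# URLs, download/execute APIs, scripting COM objects, executables under TEMP.
INDICATOR_PATTERNS = {
    "url": re.compile(rb"https?://[\w.-]+(?:/[\w./-]*)?"),
    "download": re.compile(rb"URLDownloadToFile[AW]?"),
    "execute": re.compile(rb"CreateProcess[AW]?"),
    "scripting": re.compile(rb"WScript\.Shell|Scripting\.FileSystemObject"),
    "temp_drop": re.compile(rb"TEMP\\[\w.-]+\.exe"),
}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def obfuscate(s: bytes, key: int) -> bytes:
    """Scheme from the notes: store the string reversed, each byte XORed with one key byte."""
    return bytes(b ^ key for b in s[::-1])


def deobfuscate(s: bytes, key: int) -> bytes:
    """Inverse of obfuscate(): XOR each byte back, then un-reverse."""
    return bytes(b ^ key for b in s)[::-1]


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Constructed sample, not a real file: fake header, then the obfuscated strings
    separated by 0xFF padding (chosen so it stays non-printable after decoding)."""
    blob = bytearray(b"MZ\x90\x00" + b"\xff" * 8)
    for s in KNOWN_STRINGS:
        blob += obfuscate(s, key) + b"\xff" * 4
    return bytes(blob)


def recover_strings(blob: bytes, key: int) -> List[bytes]:
    """XOR-decode the whole blob, pull printable runs, un-reverse each run."""
    decoded = bytes(b ^ key for b in blob)
    return [run[::-1] for run in PRINTABLE_RUN.findall(decoded)]


def match_indicators(strings: List[bytes]) -> Dict[str, List[bytes]]:
    """Group recovered strings by the indicator class they hit."""
    hits: Dict[str, List[bytes]] = {}
    for s in strings:
        for name, pat in INDICATOR_PATTERNS.items():
            for m in pat.findall(s):
                hits.setdefault(name, []).append(m)
    return hits


def guess_xor_key(blob: bytes) -> int:
    """Try all 256 single-byte keys; keep the one whose decoded strings hit most indicators."""
    best_key, best_score = 0, -1
    for key in range(256):
        score = sum(len(v) for v in match_indicators(recover_strings(blob, key)).values())
        if score > best_score:
            best_key, best_score = key, score
    return best_key


# Attachment red flags from ANALYSIS_NOTES. Extension sets and the size
# threshold are assumptions, not something the lab file specifies.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
SMALL_LOADER_BYTES = 100 * 1024


def filename_red_flags(name: str, size_bytes: Optional[int] = None) -> List[str]:
    """Return the red flags a filename (and optional size) triggers."""
    flags: List[str] = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXT and exts[-2] in DOCUMENT_EXT:
        flags.append(f"double extension: looks like {exts[-2]} but runs as {exts[-1]}")
    if exts and exts[-1] in MACRO_EXT:
        flags.append(f"macro-enabled Office file ({exts[-1]})")
    if size_bytes is not None and exts and exts[-1] in EXECUTABLE_EXT and size_bytes < SMALL_LOADER_BYTES:
        flags.append(f"small executable ({size_bytes} bytes): likely a loader that fetches its payload")
    return flags


if __name__ == "__main__":
    blob = build_sample_blob()
    key = guess_xor_key(blob)
    print(f"recovered key: 0x{key:02X}")
    for s in recover_strings(blob, key):
        print("  ", s.decode())
    print(match_indicators(recover_strings(blob, key)))
    print(filename_red_flags("invoice_Q4_2024.pdf.exe", 48 * 1024))
```

The key-guess scoring rewards indicator hits rather than plain printable ratio, because many wrong keys still decode to printable junk; on a real sample, widen INDICATOR_PATTERNS to whatever API names and URL shapes you expect, and remember that dynamically resolved imports mean the API names may only exist as hashes, not strings.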