⚠️ Pracivo Security Lab — All samples are COMPLETELY SAFE text files. No real malware. For learning static analysis techniques only.
> invoice_Q4_2024.pdf.exe.txt — Strings Output
Dropper / Loader
[SAFE — TEXT ONLY]
[SAFE DUMMY FILE - PRACIVO LAB - NOT REAL MALWARE]
Strings from fake dropper (disguised as PDF invoice):
FILE_PROPERTIES:
- Filename: invoice_Q4_2024.pdf.exe (double extension trick)
- Icon: PDF icon (misleads user)
- File size: 48KB (small loader, payload downloaded)
- Compile time: 2024-11-15 (recent, evades old AV signatures)
SUSPICIOUS_STRINGS:
- "http://update-cdn.winhelper.net/payload.bin"
- "URLDownloadToFileA" (downloads second stage)
- "CreateProcessA" (executes downloaded payload)
- "WScript.Shell"
- "Scripting.FileSystemObject"
- "TEMP\svchost32.exe" (payload dropped to temp folder)
OBFUSCATION_DETECTED:
- XOR encoding with key: 0x5A
- Strings stored reversed
- API calls resolved dynamically at runtime (avoids static analysis)
BEHAVIOR_ON_EXECUTION:
1. Checks internet connectivity
2. Downloads encrypted payload from C2
3. Decrypts payload using hardcoded key
4. Drops to %TEMP%\WindowsUpdate.exe
5. Executes payload
6. Opens legitimate PDF to distract victim
ANALYSIS_NOTES:
Droppers are stage 1 of an infection: a small loader whose only job is to fetch, decode and run the real malware (stage 2), which is why the file itself is tiny and the interesting payload is never on disk until execution.
Red flags in email attachments:
- Double extension: file.pdf.exe
- Wrong file icon for the extension
- Very small file size for what it claims to be
- Macro-enabled: file.xlsm, file.docm
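The two sections above (the obfuscation findings and the attachment red flags) can be checked mechanically. The script below is an added example for this lab page, not part of the Pracivo material or any real tool: it parses a strings dump in the layout used above, flags double extensions and macro-enabled names, extracts URLs and the download-then-execute API pair, and undoes the described obfuscation (strings stored reversed, XOR key 0x5A). The sample dump and the obfuscated test string are constructed here; the section names, the URL and the API names are taken from the page.

```python
"""Static triage of a `strings` dump from a suspected dropper (added lab example).

Assumptions: the dump uses the page's layout (an UPPERCASE_NAME: header line
followed by "- item" lines); the XOR key 0x5A and the reversed-string storage
come from the page's OBFUSCATION_DETECTED section. SAMPLE_DUMP is constructed.
"""
import re

# Constructed sample dump modelled on the page's layout (no real binary involved).
SAMPLE_DUMP = """\
FILE_PROPERTIES:
- Filename: invoice_Q4_2024.pdf.exe
- File size: 48KB
SUSPICIOUS_STRINGS:
- "http://update-cdn.winhelper.net/payload.bin"
- "URLDownloadToFileA"
- "CreateProcessA"
- "TEMP\\svchost32.exe"
"""

# APIs that together describe the download-then-execute pattern of a loader.
LOADER_APIS = {"URLDownloadToFileA", "CreateProcessA",
               "WScript.Shell", "Scripting.FileSystemObject"}
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MACRO_EXT = {"xlsm", "docm", "pptm"}


def parse_sections(dump):
    """Group '- item' lines under the 'NAME:' header that precedes them."""
    sections, current = {}, None
    for line in dump.splitlines():
        if re.fullmatch(r"[A-Z_]+:", line.strip()):
            current = line.strip()[:-1]
            sections[current] = []
        elif line.startswith("- ") and current:
            sections[current].append(line[2:].strip().strip('"'))
    return sections


def filename_red_flags(name):
    """Apply the attachment red flags: document.ext.exe and macro-enabled types."""
    parts = name.lower().split(".")
    flags = []
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT and parts[-1] in EXECUTABLE_EXT:
        flags.append("double extension")
    if parts[-1] in MACRO_EXT:
        flags.append("macro-enabled document")
    return flags


def triage(dump):
    """Collect URLs, loader APIs, temp-folder drop paths and filename flags."""
    sections = parse_sections(dump)
    findings = {"urls": [], "loader_apis": [], "temp_drops": [], "filename_flags": []}
    for item in sections.get("FILE_PROPERTIES", []):
        if item.startswith("Filename:"):
            findings["filename_flags"] = filename_red_flags(item.split(":", 1)[1].strip())
    for s in sections.get("SUSPICIOUS_STRINGS", []):
        if re.match(r"https?://", s):
            findings["urls"].append(s)
        if s in LOADER_APIS:
            findings["loader_apis"].append(s)
        if "TEMP" in s.upper() and s.lower().endswith(".exe"):
            findings["temp_drops"].append(s)
    return findings


def verdict(findings):
    """A URL plus both the download and the execute API is the stage-1 loader pattern."""
    apis = set(findings["loader_apis"])
    if findings["urls"] and {"URLDownloadToFileA", "CreateProcessA"} <= apis:
        return "likely stage-1 loader"
    return "inconclusive"


def decode_reversed_xor(blob, key=0x5A):
    """Undo the page's obfuscation: restore byte order, then XOR each byte with the key."""
    return bytes(b ^ key for b in blob[::-1]).decode("ascii")


def encode_reversed_xor(text, key=0x5A):
    """Constructed helper so the example can round-trip its own sample string."""
    return bytes(b ^ key for b in text.encode("ascii"))[::-1]


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for k, v in result.items():
        print(f"{k}: {v}")
    print("verdict:", verdict(result))
    hidden = encode_reversed_xor("CreateProcessA")  # constructed obfuscated string
    print("decoded:", decode_reversed_xor(hidden))
```

The decoder matters for the last red flag on the page: when imports are resolved at runtime, the API names never appear in the plain `strings` output, so the analyst decodes the stored blobs first and then feeds the recovered names back through `triage` the same way.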