Another PDF Viewer - Is It Malicious?
2024-10-03 • Kandji
https://www.kandji.io/blog/another-pdf-viewer-is-it-malicious
Kandji analyzed a macOS application named OSX-PDF-Viewer after VirusTotal detections labeled it as DPRK-attributed malware and researchers noted overlap with RustBucket artifacts. The app is an ad hoc-signed Swift PDF viewer based on an old open-source project and is meant to open a specific "Investment Opportunity - Fenbushi Capital.pdf" lure that tells the user to use a dedicated viewer. The analysis follows how the viewer restricts file selection to PDFs in the Downloads folder, verifies that the chosen PDF is the expected one, and extracts encrypted embedded content. Kandji treats the case as suspicious and possibly DPRK-related, but frames the work as reverse engineering to determine whether the file is malicious rather than as confirmed attribution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 6c925e2a39e8312c704575af4ad7fe7… | 2024-10-03 | 2024-10-03 |
| HASH | 095184b6559bbe2e2fef999834d6905… | 2024-10-03 | 2024-10-03 |
| HASH | 37e6d18ba339b3efa5dd26e143af8bb… | 2024-10-03 | 2024-10-03 |
| HASH | 743bd4c36afdcfaff4508fd613a4f4e… | 2024-10-03 | 2024-10-03 |