
Introduction

This research began with finding a simple malware sample to extract strings for an unrelated topic. In my day-to-day malware analysis workflow, I stumbled upon a JavaScript (JS) file with what I would call trivial obfuscation. I knew it was malware but wanted to understand the infection chain. After some cleanup, I understood it to be a downloader of an additional malicious script: this time, a PowerShell script obscured to look like a PDF, hosted on what appeared to be a compromised or hijacked domain. This PDF dropped two files, one being a helper DLL and the other being AsyncRAT.

More information can be read at our partner's website:

WatchGuard Secplicity