PDF Goes Super Nova!
Analyzing PDFSupernova has been interesting. At the time of this writing it is a fully undetected browser hijacker, and it also appears to have some information stealing/gathering capabilities.
When I first looked at this last week, I set it aside since I was already looking at SystemShock Loader. This sample had some glaring red flags; at first glance I thought it was most likely a PUP.
Red Flags
- A ~50MB file really results in what looks to be just a desktop shortcut to a PDF conversion website.
- The "installer" takes focus of the screen, not allowing the user to interact with other tools or the desktop.
- YAPA (Yet Another PDF App); I'll work on that acronym.
- Strings show what appears to be .NET code in parts of the file, but the file does not load as .NET in dnSpy, and 7-Zip does not unpack it as a .NET bundle.
- A recent sandbox run shows a lot of interesting indicators:
  - Finds chrome.exe and performs taskkill
  - novaserv[.]vanmirop[.]com/api/v1/van serves the Web Data file (SQLite)
  - api.vanderconf[.]com/api/v1/message serves an ICO and the code that finds and kills the chrome process
My Ongoing Analysis
My own analysis of this file doesn't turn up much more than what the sandbox and VirusTotal provide. I observed the three DLL files being dropped, which can be seen in the sandboxes as well.
Algorithm : MD5
Hash : 11A4A07F31E4A91FFF678C019B7736AF
Path : pdfsupernova\Jaf36KMCn_cwdNfe6bGTyrolscwl21E=\av_libglesv2.dll
Algorithm : MD5
Hash : E0C86BBD88D6B8F5643C1AB1C050A4EE
Path : pdfsupernova\Jaf36KMCn_cwdNfe6bGTyrolscwl21E=\libHarfBuzzSharp.dll
Algorithm : MD5
Hash : EF1FABCE43FE32CA83260481253F5476
Path : pdfsupernova\Jaf36KMCn_cwdNfe6bGTyrolscwl21E=\libSkiaSharp.dll
These seem to be legitimate files, possibly PDF rendering dependencies per this OpenTap forum posting. So: zero detections for a month on VirusTotal, some likely clean DLLs, and a desktop link. What am I to make of this? Well, I did notice another file in my AppData\Local\Temp directory: a "Web Data" file. This is the SQLite database Chromium-based browsers keep in each profile for autofill entries, saved payment methods and the search-engine list (the keywords table); saved passwords live in the separate Login Data file.
Update on the DLLs listed above:
They are likely present because this EXE uses AvaloniaUI; as noted in this Reddit post, these are the native DLLs Avalonia ships with.
I figured at this point it had probably overwritten my own Chrome profile's "Web Data" file. I was right. I created a fresh profile with the default Web Data file and compared that to the Web Data file after I ran pdfsupernova.exe. Sure enough, it overwrote my file with the one found in Temp. Here's a look at that file.
It's interesting that multiple financial institutions are referenced; additionally, the keywords table contains the interesting filters for the vanmirop[.]com site.
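To make the baseline-versus-infected comparison above repeatable, here is an added example (my own code, not the post author's and nothing taken from the sample) that reads two Web Data files with sqlite3, reports which search engine each one has as its default, and lists the keywords rows that exist only in the suspect profile. Both databases are constructed inline with a simplified subset of Chrome's real `keywords` and `meta` tables so the script runs offline; the vanmirop row is modelled on what the post describes rather than copied from the sample, and the allowlist of expected search hosts is an assumption.

```python
"""
Compare a clean Chrome "Web Data" file with a suspect one and flag a
swapped default search provider. Added example; the schema below is a
simplified subset of Chrome's real tables, and the sample rows are constructed.
"""
import os
import sqlite3
import tempfile
from urllib.parse import urlparse

# Simplified subset of the real 'meta' and 'keywords' tables in Web Data.
SCHEMA = """
CREATE TABLE meta (key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR);
CREATE TABLE keywords (
    id INTEGER PRIMARY KEY,
    short_name VARCHAR NOT NULL,
    keyword VARCHAR NOT NULL,
    url VARCHAR NOT NULL
);
"""

# Assumption: hosts a stock profile is expected to search through; anything else is suspect.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}


def make_webdata(path, providers, default_id):
    """Write a constructed Web Data file. providers: [(id, short_name, keyword, url)]."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO keywords (id, short_name, keyword, url) VALUES (?,?,?,?)", providers)
    # Chrome records the default engine as a keywords.id under this meta key.
    con.execute("INSERT INTO meta VALUES ('Default Search Provider ID', ?)", (str(default_id),))
    con.commit()
    con.close()


def default_search_provider(path):
    """Return (short_name, url, host) for the configured default engine, or None."""
    con = sqlite3.connect(path)
    row = con.execute(
        "SELECT k.short_name, k.url FROM keywords k "
        "JOIN meta m ON m.key = 'Default Search Provider ID' AND k.id = CAST(m.value AS INTEGER)"
    ).fetchone()
    con.close()
    if row is None:
        return None
    return row[0], row[1], urlparse(row[1]).hostname


def diff_keywords(baseline_path, suspect_path):
    """Search engines present in the suspect profile but absent from the baseline, keyed by URL."""
    def load(p):
        con = sqlite3.connect(p)
        rows = {url: (name, kw) for name, kw, url in con.execute("SELECT short_name, keyword, url FROM keywords")}
        con.close()
        return rows
    base, sus = load(baseline_path), load(suspect_path)
    return sorted((url, *sus[url]) for url in sus.keys() - base.keys())


def is_hijacked(path):
    """True when the default engine points at a host outside KNOWN_SEARCH_HOSTS."""
    dsp = default_search_provider(path)
    return dsp is not None and dsp[2] not in KNOWN_SEARCH_HOSTS


def demo():
    """Build a clean and a post-infection profile in a temp dir and compare them."""
    tmp = tempfile.mkdtemp()
    baseline = os.path.join(tmp, "Web Data.clean")
    suspect = os.path.join(tmp, "Web Data.infected")
    google = (2, "Google", "google.com", "https://www.google.com/search?q={searchTerms}")
    bing = (3, "Bing", "bing.com", "https://www.bing.com/search?q={searchTerms}")
    # Constructed hijack row modelled on the keywords entry the post describes.
    hijack = (1000, "Search", "vanmirop.com", "https://van.vanmirop.com/?q={searchTerms}")
    make_webdata(baseline, [google, bing], default_id=2)
    make_webdata(suspect, [google, bing, hijack], default_id=1000)
    return {
        "baseline_default": default_search_provider(baseline),
        "suspect_default": default_search_provider(suspect),
        "added": diff_keywords(baseline, suspect),
        "baseline_hijacked": is_hijacked(baseline),
        "suspect_hijacked": is_hijacked(suspect),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real profile, point `default_search_provider` and `diff_keywords` at copies of `User Data\Default\Web Data` (Chrome holds a lock on the live file), and extend the allowlist to whatever your environment actually sets as default.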
I found that vanmirop hijacks my searches when using the address bar in my browser. Here is the list of sites/redirects I observed before the search parameter was finally passed off to a legitimate search engine (Yahoo).
withgoogle[.]com
van.vanmirop[.]com
eusrchrdr[.]com
undertone[.]com
cdn.searchontec[.]com
sync.cootlogix[.]com
os.gotosearch[.]co
Notable strings from the binary:
Avalonia
C:\Users\JohnnyD\Supernova TO\obj\Release\net8.0\win-x64\Supernova.pdb
agree to set my default search settings to vanmirop and I agree to thePrivacyand
So, my address bar has been hijacked, and some interesting form-fill information has been added with specifics to banking and credential logins. This smells like browser hijacking with a mix of credential-stealing capabilities to me. A recurring theme lately: beware of free PDF and converter applications.
Certificate information:
Subject: CN=Trivolead LTD, O=Trivolead LTD, L=Tel Aviv-Yafo, C=IL, SERIALNUMBER=517161592, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
ProcMon
Updates:
November 8, 2025: Malasada Tech has written a fantastic article on a related sample: PDFChampions.
Inspired by this, I went back and reviewed the .NET code being passed from the server side by PDFSupernova. Here are the .NET code samples:
I have to note that none of the .NET code I observed in my sample (at least not so far) has the same kind of loader code that Malasada Tech observed.
11/19/2025: Today I observed a new variant, PrimePDFConvert, that not only hijacks the Web Data file (search hijack points to api[.]fuzzsearch[.]com) but also drops a scheduled task for persistence. The full write-up:
11/24/2025: Thanks to Squiblydoo for pointing me to dotnetdebloat I was able to extract Supernova.dll from the executable.
A note on IOCs:
I'm including some of the responses I received while the exe was running. These show the "loading page", the download of the icon file, the Web Data file, and the code that ultimately finds chrome, kills the task, then copies the new Web Data file from AppData\Local\Temp to the Chrome profile. I also included one of the redirect JS responses from a hijacked Chrome search post-infection.
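The kill-then-copy sequence described above is what a detection should key on, because a legitimate PDF tool has no reason to terminate the browser and then write into its profile. The following added example (my own detection logic, not code from the post or from the sample) correlates Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records: a `taskkill` against chrome.exe followed within a short window by a write to a profile's Web Data file from an image other than chrome.exe. The events are constructed for the example; the exact `taskkill /F /IM chrome.exe` command line is an assumption, since the post only states that chrome.exe is found and taskkilled.

```python
"""
Correlate a chrome.exe taskkill with a follow-on write to Chrome's Web Data
file by a non-Chrome process. Added example with constructed Sysmon-style events.
"""
import re
from datetime import datetime, timedelta

# Constructed, simplified Sysmon events:
#   (utc_time, event_id, image, detail)
# where detail is the CommandLine for ID 1 and the TargetFilename for ID 11.
EVENTS = [
    ("2025-11-01 14:02:10.100", 1, r"C:\Users\user\AppData\Local\Temp\pdfsupernova.exe",
     "pdfsupernova.exe"),
    ("2025-11-01 14:02:41.350", 1, r"C:\Windows\System32\taskkill.exe",
     "taskkill /F /IM chrome.exe"),  # assumed command line
    ("2025-11-01 14:02:42.010", 11, r"C:\Users\user\AppData\Local\Temp\pdfsupernova.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    # Benign: Chrome rewriting its own database after a settings change.
    ("2025-11-01 15:10:00.000", 11, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    # Benign: a taskkill with no follow-on profile write.
    ("2025-11-01 16:00:00.000", 1, r"C:\Windows\System32\taskkill.exe",
     "taskkill /F /IM notepad.exe"),
]

TASKKILL_CHROME = re.compile(r"taskkill\b.*\bchrome\.exe", re.IGNORECASE)
# Any profile directory under User Data, not just Default.
WEB_DATA_PATH = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", re.IGNORECASE)
WINDOW = timedelta(minutes=2)  # assumed correlation window


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_webdata_swaps(events, window=WINDOW):
    """Return (kill_time, writer_image) pairs: a chrome.exe taskkill followed,
    within `window`, by a Web Data write from an image that is not chrome.exe."""
    kills = [parse_time(t) for t, eid, _, detail in events
             if eid == 1 and TASKKILL_CHROME.search(detail)]
    hits = []
    for t, eid, image, detail in events:
        if eid != 11 or not WEB_DATA_PATH.search(detail):
            continue
        if image.lower().endswith("\\chrome.exe"):
            continue  # Chrome maintaining its own profile is expected
        when = parse_time(t)
        for kill in kills:
            if kill <= when <= kill + window:
                hits.append((kill.isoformat(sep=" "), image))
                break
    return hits


if __name__ == "__main__":
    for kill_time, writer in find_webdata_swaps(EVENTS):
        print(f"chrome.exe killed at {kill_time}; Web Data then written by {writer}")
```

The same pairing expresses cleanly as a SIEM correlation rule (process-create with `taskkill` and `chrome.exe` in the command line, then a file event on `*\User Data\*\Web Data` from a non-browser image). The non-Chrome filter matters: Chrome itself rewrites Web Data routinely, so the file event alone is noise.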
Related IOCs / Hashes
| File | SHA-256 |
|---|---|
| pdfsupernova | 438bffa2420a6a0a17344135160c635d16c029d267d441de539fd45f5c17f551 |
| pdfsupernova | ccfa3fd8900bebd034cb623e77f108c77a31acd306f5bf58d6f5d8ea4d24d38a |
| Web Data file | 9b1df83a0a682c009d1a4ddb3adc4aef5e4ba7c9cc84c5b3f76fbe9f524291df |
| searchontec JS | ee192a604a418083506c1eaab20c4207981e409fefdc60c78c355a390ca684c6 |
| Initial Check-in Response | 08c7454f5f048036b9b3f1c0dc99e2756e2a276d9619b5f8c85218784a442195 |
| vanderconf response 1 | 6b1f704d9f03ff5026e37dec0d80092e5d903105dd3714ad5bd0fc6f93d2251c |
| vanderconf response 2 | d689067a2aebd03c99c26f4639e9676d9295133c93c63f643de9504dc9b7e2ed |
| vanderconf response 3 | 69b93639318eef25ca3d9ebe2946e47793a7c8fd50d93851d8f7cc85ae4df1f6 |
| vanderconf response 4 | c23dd95a49671299e12d71893cd9540563731c416714e884fcf78b8f34ab6cf4 |