Supremepdfapp: Malware that's not so supreme
Technical analysis of the SupremePDFApp PowerDoc malware: Chrome profile targeting, XOR config decoding, Web Data manipulation, and a C2 emulation technique.

In another YAPA investigation, I began by "hunting" around keywords using Google's ad transparency, and came across supremepdfapp[.]com. I went to the website and downloaded the sample, now found on VirusTotal. As pointed out to me by MalasadaTech, this advertiser is based in Hong Kong, while the "company signer" is an Israel-based company that is only a few days old at the time of this writing.

While pivoting around on various strings and the icon hash, I noticed that other related samples actually flagged under my powerdocapp hardcoded XOR key YARA rule. Some examples of previous variants under the old YARA rule include PowerDoc.exe and NotAWord.exe. This time, however, the hard-coded XOR key has been changed (this change is now reflected in my YARA rule).

Observed Obfuscated Strings

string text = ...
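The hardcoded-key XOR scheme discussed above is the reason a key change breaks a key-based YARA rule; the analyst helper below, added here and not code from the post or the sample, decodes a repeating-key XOR blob and recovers the key from a known plaintext prefix. The key, blob and "k=v;k=v" config layout are constructed for illustration and are not taken from the malware.

```python
"""Repeating-key XOR decoding and key recovery for an obfuscated config blob.
Added analyst helper; SAMPLE_KEY, SAMPLE_CONFIG and the layout are constructed."""
from itertools import cycle

# Constructed sample key, NOT the real hardcoded key used by the malware.
SAMPLE_KEY = b"k3y!"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encoding == decoding)."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating key of length key_len when the first key_len bytes
    of plaintext are known (e.g. a config that always starts with a marker).
    This is how an analyst re-derives the key after a variant changes it."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def decode_config(blob: bytes, key: bytes) -> dict:
    """Decode a constructed 'k=v;k=v' config blob into a dict."""
    plain = xor_bytes(blob, key).decode("utf-8", errors="replace")
    return dict(item.split("=", 1) for item in plain.split(";") if "=" in item)


# Constructed plaintext config and its XOR-encoded form (not real sample data).
SAMPLE_CONFIG = b"cfg=1;host=example.invalid;profile=Default"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOB, SAMPLE_KEY))
    # Known-plaintext recovery: the blob is assumed to start with "cfg=".
    print(recover_key(SAMPLE_BLOB, b"cfg=", len(SAMPLE_KEY)))
```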