Post cover image

June 3, 2026

Behind the Job Description: Unpacking the Hidden Malware Framework (Part 2)

Author: Siva Sankar Category: Malware Analysis | Threat Hunting | Social Engineering Date: June 2026

Sivasankar Das

4 min read

Introduction

In Part 1, we analyzed a recruitment-themed delivery chain that leveraged LinkedIn, Google Forms, Dropbox, and Microsoft-signed software components.

At first glance, the downloaded package appeared legitimate. The primary executable was digitally signed by Microsoft and contained references to Microsoft Word.

However, several hidden files discovered inside the archive remained unexplained.

This phase of the investigation focuses on those files and documents how the true malware framework was uncovered.

Discovery of Hidden Components

After safely extracting the package, I enumerated all files within the archive.

find extracted -type f

The following files immediately stood out:

setup.dat
REDTEAMVN.pdf
zhen.mkv
pythonw.exe
python310.dll
python310.zip
job&products_Apex_Logistics_Group.docx

These files appeared unusual for a normal recruitment package.

None

Figure 10: Additional files discovered during archive enumeration.

File Type Verification

To determine whether the filenames accurately reflected their contents, file identification was performed.

file _/*

The results revealed several disguised files.

REDTEAMVN.pdf

Expected:

PDF document

Actual:

7z archive

zhen.mkv

Expected:

Video file

Actual:

PE32 executable

This indicated that multiple files had been intentionally disguised.

None

Figure 11: File identification results showing disguised content.

Analysis of zhen.mkv

Further metadata analysis revealed:

exiftool zhen.mkv

Interesting findings:

Original File Name : 7zr.exe
Product Name       : 7-Zip
Company            : Igor Pavlov

The file was not a media file at all.

Instead, it was a renamed version of:

7zr.exe

A standalone 7-Zip extraction utility.

None

Figure 12: Metadata proving that zhen.mkv was actually 7zr.exe.

This explained how the malware later extracted hidden payloads without requiring a local 7-Zip installation.

Discovery of the Loader Script

The most significant discovery during this stage was:

setup.dat

Although the extension suggested a configuration file, opening it revealed Python code.

cat setup.dat
None

Figure 13: Python-based loader responsible for staging the infection.

Loader Functionality

Analysis revealed several stages.

Stage 1 โ€” Remove Mark-of-the-Web

The script removes:

Zone.Identifier

Purpose:

  • Remove Windows security warnings
  • Reduce user suspicion

Stage 2 โ€” Open Decoy Document

The loader copies and launches:

job&products_Apex_Logistics_Group.docx

Purpose:

  • Distract the victim
  • Display legitimate-looking content

Stage 3 โ€” Hide Files

The script executes:

attrib +h +s

Purpose:

  • Hide malware components
  • Prevent casual discovery

Stage 4 โ€” Sandbox Evasion

The malware intentionally waits:

time.sleep(180)

for three minutes before continuing.

Purpose:

  • Evade automated sandbox environments
  • Avoid immediate detection

Discovery of the Hidden Archive

The loader script contained the following command:

zhen.mkv x -y -predteamvn16 REDTEAMVN.pdf

This revealed:

Hidden Archive

REDTEAMVN.pdf

Archive Password

redteamvn16

The archive was extracted using the renamed 7-Zip utility.

None

Figure 14: Loader extracting the hidden archive using a hardcoded password.

Hidden Archive Analysis

The archive contents were listed using:

7z l -predteamvn16 REDTEAMVN.pdf

Recovered files:

python310.dll
python310.zip
pythonw.exe
update.dll
support.ico
libcrypto-1_1.dll
libssl-1_1.dll
None

Figure 15: Contents of the password-protected archive.

Portable Python Environment

The archive contained a complete Python runtime.

Components included:

pythonw.exe
python310.dll
python310.zip

This design allows the malware to execute independently of any Python installation already present on the victim system.

The technique is commonly observed in modern Python-based malware campaigns.

Extraction of the Final Payload

The archive was extracted into a separate analysis directory.

7z x -predteamvn16 REDTEAMVN.pdf -opayload

Extraction completed successfully.

None

Figure 16: Successful extraction of the second-stage payload.

Discovery of update.dll

The file:

update.dll

immediately attracted attention.

A file type check produced an unexpected result.

file payload/update.dll

Output:

ASCII text

Rather than being a Windows DLL, the file was actually a text-based script.

None

Figure 17: update.dll identified as text rather than a binary DLL.

Opening the file revealed Python code.

This indicated that the attacker intentionally disguised a Python script as a DLL.

Key Findings

This stage of the investigation revealed:

Confirmed

  • Hidden Python loader
  • Fake PDF archive
  • Renamed extraction utility
  • Portable Python runtime
  • Password-protected payload delivery
  • Python script disguised as DLL

Not Yet Analyzed

The following components still required investigation:

update.dll
support.ico
Persistence mechanisms
Payload execution chain

These files would eventually reveal the malware's persistence strategy, defense evasion techniques, and final payload execution process.

Conclusion

What initially appeared to be a normal recruitment package was revealed to contain a structured malware delivery framework.

The attackers relied on:

  • File masquerading
  • Password-protected archives
  • Portable runtimes
  • Decoy documents
  • Sandbox evasion

to conceal the true purpose of the package.

At this point, the infection chain had been reconstructed, but the actual malware behavior remained hidden inside update.dll and support.ico.

These components would become the focus of the next phase of analysis.

Next Article

Part 3 will cover:

  • update.dll analysis
  • Scheduled Task persistence
  • WMI persistence
  • AMSI bypass
  • ETW bypass
  • XOR payload decryption
  • In-memory execution
  • Final malware assessment

Part 3 Coming Soon

๐Ÿ“ฌ Contact

If you'd like to connect or discuss cybersecurity, ethical hacking, or awareness topics, you can reach me at:

๐Ÿ“ฑ Instagram ๐Ÿฆ Twitter (X) ๐Ÿ”— LinkedInโ˜• Buy Me a Coffee

#CyberSecurity #PhishingAlert #EthicalHacking #KaliLinux #InformationSecurity #ScamAwareness #OnlineSafety #TelegramScam #HackingInvestigation #InfosecCommunity #CyberAwareness #DataProtection #MalwareAnalysis #DigitalSafety #TechSecurity