IR-2025-004
HIGH

Malware — Trojan Dropper Masquerading as PDF Utility

FILED: Dec 2025
TAXONOMY: T1204.002
Complexity: Moderate
3d containment
TRUE POSITIVE — MALWARE QUARANTINED

Microsoft Defender for Endpoint detected and quarantined Trojan:Win64/Malgent!MSR during a scheduled scan. The sample was a trojan dropper (Update.exe) disguised as the update binary for the PDFSkills PDF utility. VirusTotal: 30/72 engines flagged the SHA1. The code-signing certificate was issued to RED ROOT LTD, a known malicious signing entity. Defender quarantined the file before it executed, so no second-stage payload was deployed. No lateral movement, C2 or data exfiltration was observed. Scope confirmed to a single endpoint by an estate-wide hash hunt.

Tags: Malware, Endpoint, Defender, Dropper
Outcome
Process quarantined — execution chain prevented before payload deployment
No C2 callback or second-stage payload deployment observed
Estate-wide hash hunt clean — scope confirmed to single endpoint
Clean scan confirmed — full remediation complete
Detection Gap
~20 min between the start of the Defender scheduled scan and the quarantine alert. The file was already on disk when the scan began, so the true dwell time (file write to quarantine) is longer and is bounded only by the FileCreated timestamp.
Background & Context

Trojan droppers are a class of malware whose job is to deliver a secondary payload rather than to do damage themselves: establish a foothold, then retrieve or unpack the real malicious components, typically via a C2 callback. The binary is small by design (this one was 20.76 KB) because all it has to do is execute, reach out, and pull down the real payload. Strictly, a dropper carries its payload embedded and a downloader fetches it; a 20.76 KB executable has no room for an embedded second stage, so this sample behaves as a downloader-style loader whose first meaningful act on execution would be a network callback. This report follows common practice and uses "dropper" for both.

PDFSkills is a third-party PDF utility application that has been documented as a known PUP (Potentially Unwanted Program) and malware delivery vector. Software distributed through unofficial channels or bundled with adware frequently includes update mechanisms that are themselves malicious — the Update.exe binary in this incident is precisely this: a trojan dropper masquerading as a legitimate application updater.

The detection gap in this incident is analytically significant. The file was not caught on write by real-time protection; it was only detected during a later scheduled scan, so the dropper sat dormant on the endpoint for a period this section cannot bound. Two explanations need separating: real-time protection missed a file it should have caught (an exclusion, a disabled or degraded real-time engine, a path it does not scan), or the file pre-dated the signature that eventually matched it and the scheduled scan simply ran with newer definitions. Both are quantified the same way: the FileCreated timestamp set against the quarantine time, read alongside the signature-update history for that interval. While Defender ultimately quarantined the file before execution, the window between file creation and detection is a material risk factor and must be quantified via the FileCreated timestamp query.

Triage Thought Process
01 HIGH severity; do not downgrade without strong evidence. A confirmed malware detection is an immediate HIGH classification.
02 Hash to VirusTotal immediately. SHA1 extracted and submitted; 30/72 engines is a strong malicious consensus and removes false-positive doubt.
03 Code-signing certificate is a critical triage step. Signed malware abuses the trust extended to signed executables. RED ROOT LTD returned as the signer: an unambiguous red flag.
04 Assess execution status. Was the dropper executed? Look for a process-creation record for Update.exe itself as well as for child processes spawned from the PDFSkills directory; absence of children alone does not prove it never ran. Answer: neither found; Defender quarantined the file before execution.
05 Check for C2 callback. Dropper binaries are characteristically small (20.76 KB); their function is to reach a C2 server and pull a second-stage payload. Answer: no external connections from the PDFSkills path.
06 Assess the real-time detection gap. The file was not caught at installation, only during a subsequent scheduled scan. How long was the dropper dormant, and were definitions updated in between? Query the FileCreated timestamp and compare it with the scan start and signature-update times.
07 Scope check. Are other endpoints running PDFSkills or holding the same hash? Hash-hunt across the estate before declaring scope limited.
08 Suspend the user account as a precaution pending full remediation confirmation.
Decision
HIGH confirmed. Malicious dropper signed with known bad cert, quarantined before execution. Single endpoint scope confirmed by estate-wide hash hunt. Client notified for full remediation.
Incident Timeline
30 Dec, ~14:00
Scheduled Defender scan initiated on endpoint
30 Dec, ~14:20
Defender quarantines: Update.exe in C:\Users\[REDACTED]\AppData\Local\PDFSkills
30 Dec, ~14:22
Alert: Malware incident — Microsoft Sentinel
30 Dec, ~14:30
Analyst begins triage — HIGH severity classification assigned
30 Dec, ~14:35
SHA1 hash extracted and submitted to VirusTotal
30 Dec, ~14:40
VirusTotal result: 30/72 engines — strong malicious consensus confirmed
30 Dec, ~14:45
Code-signing certificate reviewed: RED ROOT LTD — known malicious code-signing entity confirmed
30 Dec, ~14:50
Defender confirmed: Quarantined — no execution observed in process tree
30 Dec, ~14:55
Network connections, process trees, lateral movement reviewed — all clean
30 Dec, ~15:00
Credential access indicators checked — no LSASS access, no credential dumping
30 Dec, ~15:05
Estate-wide hash hunt — no other endpoints with same file
30 Dec, ~15:10
Remediation steps communicated to client security team
30 Dec, ~15:15
User account temporarily suspended pending remediation
02 Jan, ~09:00
Client confirms: PDFSkills folder deleted, clean scan complete
02 Jan, ~09:30
User account reactivated — ticket closed
Technical Analysis

The binary (Update.exe) was quarantined from C:\Users\[REDACTED]\AppData\Local\PDFSkills, a user-writable path that needs no administrative privileges, so the dropper could be installed and persist without triggering a UAC prompt. AppData\Local is a consistently abused drop location for malware that cannot write to system paths.

SHA1 submission to VirusTotal returned 30/72 positive engine detections, a strong malicious consensus that removes any false-positive doubt. Defender's classification (Trojan:Win64/Malgent!MSR) is a generic detection name for dropper/loader-style trojans; it describes behaviour, not attribution to a specific named family or threat actor group.

The code-signing certificate presented by the binary was issued to RED ROOT LTD, a documented malicious code-signing entity with no association to any legitimate software vendor. Signed malware exploits the trust that operating systems and security products extend to signed executables; a RED ROOT LTD certificate is an unambiguous red flag with no legitimate explanation. The point generalises: a signature can be cryptographically valid (intact file hash, trusted chain, unexpired certificate) and the file still be malicious, so signature validity and signer reputation are separate triage checks and both must be done.
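The signer and validity checks described above, as an added PowerShell example (not code from the original report or from the analyst). It is written in PowerShell because the triage is performed on the Windows endpoint or an analysis VM. Assumptions: the quarantined file is no longer on the live filesystem, so the sample path used here is hypothetical and points at a restored copy in an isolated VM; the signer denylist is illustrative and would normally come from threat intelligence; the baseline run against notepad.exe only shows what a clean result looks like.

```powershell
# Added example, not from the original report: Authenticode triage for a quarantined binary.
# Assumptions: the sample path is hypothetical (run against a restored copy in an isolated
# analysis VM); the denylist below is illustrative and would come from threat intel in practice.

$KnownBadSigners = @('RED ROOT LTD')   # illustrative denylist of signer common names

function Get-SignerTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path (quarantined? restore a copy to an isolated VM first)"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Hashes for VirusTotal and estate-wide hunting (the report pivoted on SHA1; SHA256 is the better key).
    $sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $signerCN    = ''
    $chainStatus = 'n/a'
    if ($cert) {
        $signerCN = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        # Build the chain with online revocation checking. Revocation and trust problems are
        # recorded here separately from Get-AuthenticodeSignature's own Status value.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $null = $chain.Build($cert)
        $chainStatus = if ($chain.ChainStatus) { $chain.ChainStatus.Status -join ',' } else { 'NoError' }
    }

    # Verdict order matters: a known-bad signer is malicious even when the signature is Valid.
    if ($KnownBadSigners -contains $signerCN) {
        $verdict = 'MALICIOUS: known bad signer'
    } elseif ($sig.Status -eq 'NotSigned') {
        $verdict = 'UNSIGNED: no trust to abuse; judge on hash and behaviour'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "INVALID SIGNATURE ($($sig.Status)): tampered, untrusted or revoked"
    } elseif (-not $sig.TimeStamperCertificate) {
        $verdict = 'VALID but untimestamped: signature expires with the certificate'
    } else {
        $verdict = 'VALID: signer reputation still needs enrichment (VT / TI)'
    }

    [pscustomobject]@{
        Path            = $Path
        SHA1            = $sha1
        SHA256          = $sha256
        SignatureStatus = $sig.Status
        Signer          = $signerCN
        SignerSubject   = if ($cert) { $cert.Subject }    else { $null }
        Issuer          = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        ValidFrom       = if ($cert) { $cert.NotBefore }  else { $null }
        ValidTo         = if ($cert) { $cert.NotAfter }   else { $null }
        ChainStatus     = $chainStatus
        Timestamped     = [bool]$sig.TimeStamperCertificate
        Verdict         = $verdict
    }
}

# Usage: a known-good system binary as the baseline, then the sample under triage (hypothetical path).
Get-SignerTriage -Path "$env:windir\System32\notepad.exe" | Format-List
Get-SignerTriage -Path 'C:\Analysis\restored\Update.exe' | Format-List
```

The Thumbprint, Issuer and SHA256 fields are the values to push to enrichment (VirusTotal, Recorded Future) and to an estate-wide hunt; the denylist match is deliberately evaluated before signature validity so that a well-formed signature from a known-bad entity cannot downgrade the verdict.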

Process tree analysis found no process-creation record for Update.exe and no child processes spawned from the PDFSkills directory: Defender quarantined the binary before it could execute. Network connection review found no external connections from the PDFSkills path; with no execution there was no C2 callback attempt within the detection window. Credential access indicators (LSASS access, credential-dumping tooling) were absent.

An estate-wide hash hunt using the SHA1 across all Defender-enrolled endpoints returned no additional matches — confirming the incident was scoped to a single endpoint. The user likely downloaded PDFSkills from an unofficial source, as the application is not part of the organisation's approved software catalogue.

Environment
Microsoft Defender for Endpoint (scheduled scan detection)
Windows 11 / Microsoft Sentinel
VirusTotal, Recorded Future (hash and cert enrichment)
Signals
Update.exe quarantined in C:\Users\[REDACTED]\AppData\Local\PDFSkills
Trojan:Win64/Malgent!MSR — Microsoft Defender generic dropper classification
VirusTotal: 30/72 engine detection — strong malicious consensus
Code-signing certificate: RED ROOT LTD — known malicious code-signing entity
File size: 20.76 KB — consistent with lightweight dropper architecture
Scheduled scan detection — file not caught at installation, indicating real-time protection gap
What I Checked
SHA1 hash submitted to VirusTotal — 30/72 positive detections confirmed, strong malicious consensus
Code-signing certificate reviewed: RED ROOT LTD — documented malicious cert issuer, unambiguous red flag
Defender file status confirmed: Quarantined — no execution observed in process tree
Child processes from PDFSkills directory — none found
C2 callback attempts from PDFSkills path — no external connections observed
Credential access indicators — no LSASS access, no credential dumping activity
Estate-wide hash hunt — no other endpoints with same file hash
FileCreated timestamp queried to determine duration of real-time detection gap
Actions Taken
Defender quarantined Update.exe — file removed from active filesystem automatically
User account temporarily suspended pending full remediation confirmation
Client instructed: delete full PDFSkills folder, uninstall application, run clean scan
Client confirmed clean post-remediation scan on 02 January
User account reactivated following confirmed clean device state
Indicators of Compromise
Type | Indicator | Notes
File Name | Update.exe | Trojan:Win64/Malgent!MSR; dropper binary masquerading as the application updater
File Path | C:\Users\[REDACTED]\AppData\Local\PDFSkills\Update.exe | User-writable path; no admin privileges required for installation
File Size | 20.76 KB | Consistent with a lightweight dropper/loader stage
SHA1 | 661fbb34201f2ca094c8b75b6248017cecf33e85 | VirusTotal: 30/72 engines; strong malicious consensus
Cert Signer | RED ROOT LTD | Known malicious code-signing entity; no legitimate software association
Malware Family | Trojan:Win64/Malgent!MSR | Microsoft Defender generic dropper classification
Delivery Vehicle | PDFSkills application | Third-party PDF utility; known PUP/malware delivery vector
MITRE ATT&CK Mapping
Tactic | Technique | ID | Observed / Inferred
Initial Access | Drive-by Compromise / User Execution | T1189 / T1204 | Inferred, not confirmed: the user likely downloaded PDFSkills from an unofficial source (the application is outside the approved catalogue). No browser-exploitation evidence was collected, so a user-initiated download (T1204) fits the evidence better than Drive-by Compromise (T1189).
Execution | User Execution: Malicious File | T1204.002 | Observed: Update.exe dropper staged in user profile space; execution itself was prevented by quarantine
Persistence | Boot or Logon Autostart Execution | T1547 | Not observed: no Run key, scheduled task or startup entry is recorded in this case, and an AppData install path alone does not establish persistence. Retained as the updater's probable intent.
Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Observed: signed with a RED ROOT LTD certificate to exploit trust in signed binaries
Command and Control (Attempted) | Application Layer Protocol | T1071 | Inferred from dropper architecture; no connection observed because the file never executed
Detection Logic (KQL)
// Confirm quarantine status, file path and whether the file was running when detected
// (ThreatName / WasExecutingWhileDetected / WasRemediated are carried in AdditionalFields)
DeviceEvents
| where DeviceName == "[HOSTNAME]"
| where ActionType startswith "Antivirus"
| where FileName =~ "Update.exe"
| extend Fields = parse_json(AdditionalFields)
| extend ThreatName = tostring(Fields.ThreatName),
         WasExecuting = tostring(Fields.WasExecutingWhileDetected),
         Remediated = tostring(Fields.WasRemediated)
| project Timestamp, ActionType, FolderPath, SHA1, ThreatName, WasExecuting, Remediated, InitiatingProcessFileName

// Did Update.exe ever run? Check for its own process-creation record as well as for
// child processes spawned from the PDFSkills directory (no children alone does not prove it never ran)
DeviceProcessEvents
| where DeviceName == "[HOSTNAME]"
| where (FileName =~ "Update.exe" and FolderPath has "PDFSkills")
     or InitiatingProcessFolderPath has "PDFSkills"
| project Timestamp, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath

// Hunt for C2 callback attempts from anything under the PDFSkills path
DeviceNetworkEvents
| where DeviceName == "[HOSTNAME]"
| where InitiatingProcessFolderPath has "PDFSkills"
| where RemoteIPType == "Public"
| project Timestamp, ActionType, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName

// Estate-wide hash hunt across file, process and image-load telemetry. Advanced hunting
// retains roughly 30 days, so older drops need a custom indicator or live-response check.
union DeviceFileEvents, DeviceProcessEvents, DeviceImageLoadEvents
| where SHA1 == "661fbb34201f2ca094c8b75b6248017cecf33e85"
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Paths = make_set(FolderPath), Events = count() by DeviceName

// Dwell time: when the file was first written, by which process, and how long before quarantine
let QuarantineTime = toscalar(
    DeviceEvents
    | where DeviceName == "[HOSTNAME]" and ActionType == "AntivirusDetection"
    | where FileName =~ "Update.exe" and FolderPath has "PDFSkills"
    | summarize min(Timestamp));
DeviceFileEvents
| where DeviceName == "[HOSTNAME]"
| where FileName =~ "Update.exe" and FolderPath has "PDFSkills"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| extend DwellTime = QuarantineTime - Timestamp
| project Timestamp, ActionType, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, DwellTime
Analyst Notes (Muhammad Fezzan)

RED ROOT LTD as the signing entity is an unambiguous red flag — this is not a borderline detection. The 30/72 VT ratio confirmed malicious classification with high confidence.

The most significant analytical question is the detection gap: the file was present on the endpoint and was not detected in real-time. The FileCreated query is critical for establishing how long the dropper was dormant and whether there was a network connectivity window during which callbacks could have been attempted.

The AppData\Local install path is worth flagging in all client advisories — this path is consistently abused by malware that cannot write to system paths and is a reliable indicator of non-privileged malware installation.

Lessons Learned
Code-signing certificate checks are a critical triage step for every executable detection; a known-bad signer such as RED ROOT LTD settles the verdict on its own, whatever the signature's validity status.
Scheduled scans remain an essential secondary detection layer when real-time protection has a gap; they also catch files that pre-date the signatures that now detect them.
User-writable paths (AppData\Local, Temp, Downloads) are where non-privileged malware lands; executables there deserve default suspicion.
The FileCreated timestamp query establishes how long the dropper was dormant, which is the basis for assessing C2 callback risk.
Application Control (WDAC/AppLocker) blocking unsigned or untrusted executables from AppData and Temp would have removed the execution risk regardless of detection timing.
Recommendations
R1 Implement Application Control (WDAC or AppLocker): block execution of unsigned or untrusted binaries from user-writable paths including AppData, Temp and Downloads. This would have prevented the dropper from executing even if real-time detection had failed.
R2 Establish and enforce an approved software catalogue: users should not be able to install third-party utilities from unofficial sources. PDFSkills is not an enterprise application; its presence on a managed endpoint indicates a gap in software install policy.
R3 Review real-time protection configuration and the signature timeline: the file was not caught at installation. Check whether an exclusion or policy excluded the AppData path, whether real-time protection was enabled and healthy at the time, and whether the matching signature existed when the file was written (compare the FileCreated time with the definitions version and update history). If the signature post-dates the file, the remedy is faster definition refresh and cloud-delivered protection rather than path coverage. Also confirm the scheduled scan interval is appropriate for the risk profile.
R4 Include code-signing certificate checking in all malware triage SOPs: RED ROOT LTD is a documented malicious signing entity. Signer and issuer reputation should be a standard enrichment step alongside hash submission to VirusTotal.
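The host-side view of the detection gap discussed under Background & Context and in R3, as an added PowerShell example (not code from the original report or from the analyst). It pulls Defender's own detection record, the scan and signature-update events from the Defender Operational log, a lower bound on dwell time, and the real-time protection settings that could explain the miss. Assumptions: an elevated session on the affected endpoint with the Defender module available; the folder path is the report's with hostname and user redacted; the PDFSkills folder still exists (the client deleted it later in the timeline), and the file itself is in quarantine so only the folder's creation time survives on the live filesystem.

```powershell
# Added example, not from the original report: host-side reconstruction of the detection gap
# and review of real-time protection state. Assumes an elevated session on the endpoint with
# the Defender module present; folder path is the report's (user redacted).

function Get-DetectionGapReport {
    param([string]$Folder = 'C:\Users\REDACTED\AppData\Local\PDFSkills')

    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # 1. Defender's own record of the detection: first-seen time, action taken and the process
    #    involved (empty when the hit came from a scan rather than from execution).
    #    ThreatStatusID 3 = Quarantined, 4 = Removed, 6 = Blocked, 102 = QuarantineFailed.
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames["$($_.ThreatID)"] = $_.ThreatName }
    $detections = Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ';') -like "*$Folder*" } |
        ForEach-Object {
            [pscustomobject]@{
                ThreatName       = $threatNames["$($_.ThreatID)"]
                InitialDetection = $_.InitialDetectionTime
                Remediated       = $_.RemediationTime
                StatusID         = $_.ThreatStatusID
                ProcessName      = $_.ProcessName
                Resources        = $_.Resources -join '; '
            }
        }

    # 2. Scan and signature timeline from the Defender Operational log:
    #    1000/1001 scan started/finished, 1116/1117 detection/action taken, 2000 signatures updated.
    #    A 2000 event between the drop and the scan means the gap was signature lag, not an RTP miss.
    $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'
            Id      = 1000, 1001, 1116, 1117, 2000
        } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

    # 3. Lower bound on dwell time: the dropper cannot pre-date its own folder. The file itself
    #    is in quarantine, so its timestamps are gone from the live filesystem (use the FileCreated
    #    hunting query for the exact value).
    $folderCreated = if (Test-Path -LiteralPath $Folder) { (Get-Item -LiteralPath $Folder).CreationTime } else { $null }
    $firstDetect   = $detections | Sort-Object InitialDetection | Select-Object -First 1 -ExpandProperty InitialDetection
    $dwell         = if ($folderCreated -and $firstDetect) { $firstDetect - $folderCreated } else { $null }

    # 4. Real-time protection state and any exclusion that could have blinded it to this path.
    $coveringExclusions = @($prefs.ExclusionPath | Where-Object { $_ -and ($Folder -like "$_*") })

    [pscustomobject]@{
        Hostname                  = $env:COMPUTERNAME
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        RealtimeMonitoringDisabled = $prefs.DisableRealtimeMonitoring
        SignatureVersion          = $status.AntivirusSignatureVersion
        SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
        CloudBlockLevel           = $prefs.CloudBlockLevel
        ScanSchedule              = "$($prefs.ScanScheduleDay) $($prefs.ScanScheduleTime)"
        ExclusionsCoveringPath    = $coveringExclusions
        FolderCreated             = $folderCreated
        FirstDetection            = $firstDetect
        DwellTimeLowerBound       = $dwell
        Detections                = $detections
        DefenderTimeline          = $events
    }
}

# Usage: summary first, then the detection records and the event timeline.
$report = Get-DetectionGapReport
$report | Select-Object * -ExcludeProperty Detections, DefenderTimeline | Format-List
$report.Detections      | Format-Table -AutoSize
$report.DefenderTimeline | Format-Table -AutoSize
```

Read the output in this order: an empty ProcessName on the detection record and a 1000/1116/1117 sequence with no earlier 1116 confirms a scan-time catch; a 2000 signature update between FolderCreated and the scan start points to signature lag; a non-empty ExclusionsCoveringPath or a disabled real-time engine points to the configuration gap R3 asks about. DwellTimeLowerBound is a floor, not the answer; the FileCreated hunting query gives the exact figure.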
Case Certification
Muhammad Fezzan
SOC ANALYST
DIGITAL TIMESTAMP
DEC 2025 // REG-004-FS
Case anonymised