Hacking macOS: How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script)

With the macOS stager created and the attacker's system hosting the Empire listener, the malicious AppleScript can be designed and disguised to appear as a legitimate PDF using a few Unicode and icon manipulation tricks. A real PDF is required for the attack to work. Files over 1 MB in size would be too large and may cause the target to become suspicious. The real PDF will be downloaded every time the target opens the Trojanized AppleScript (the fake PDF), so the real PDF should be only one page and small enough to download quickly. Otherwise, the target might start wondering why it takes a... more