analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

tax_refund_id_2019.pdf

Full analysis: https://app.any.run/tasks/e14ebd0e-1a06-4ba2-850e-fcd1d7ecb84e
Verdict: Malicious activity
Analysis date: July 17, 2019, 15:12:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/pdf
File info: PDF document, version 1.5
MD5:

7669ED49EF2B0D4B3BC38854E3A7F99C

SHA1:

684F664CC67E32D636F2D4266A8E27EB451031A7

SHA256:

07B7B0E9BC61AA58CAE675E531BC2B79F6039CBAF29E2B1264B51FDA7A73582C

SSDEEP:

6144:mN2PT55VsAIrj+vpkP3VfrGOO8YcnkhkCBP2Gg1aPUSIJTsj:mYPV5VsPiv2VCD3Qkht2EMSItQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts Internet Explorer

      • AcroRd32.exe (PID: 3792)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 1756)
  • INFO

    • Creates files in the user directory

      • AcroRd32.exe (PID: 3792)
      • iexplore.exe (PID: 1548)
    • Application launched itself

      • RdrCEF.exe (PID: 1660)
      • AcroRd32.exe (PID: 3792)
      • iexplore.exe (PID: 3732)
    • Changes internet zones settings

      • iexplore.exe (PID: 3732)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1548)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1548)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3732)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3732)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

UserAccess: Print, Print high-res
Encryption: Standard V2.3 (128-bit)
Linearized: No
PDFVersion: 1.5
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs adobearm.exe reader_sl.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3792"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\tax_refund_id_2019.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2212"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\tax_refund_id_2019.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
1660"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2916"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1660.0.1362707163\784644773" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3860"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1660.1.534299274\725804831" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
1756"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Reader and Acrobat Manager
Exit code:
0
Version:
1.824.27.2646
2192"C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exeAdobeARM.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat SpeedLauncher
Exit code:
0
Version:
15.23.20053.211670
3732"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
AcroRd32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1548"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3732 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
666
Read events
554
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
35
Unknown types
20

Dropped files

PID
Process
Filename
Type
2212AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.2212
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.2212
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1mqyhi3_1jzlm3x_1pg.tmp
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R15r2y3e_1jzlm3w_1pg.tmp
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rhgt8b1_1jzlm3y_1pg.tmp
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R187w0k_1jzlm3z_1pg.tmp
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1ohv8t3_1jzlm40_1pg.tmp
MD5:
SHA256:
1756AdobeARM.exeC:\Users\admin\AppData\Local\Temp\Tmp6FCC.tmp
MD5:
SHA256:
2212AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.binbinary
MD5:C8D762D63D12479698478E1E8B8F42F5
SHA256:769B5BFF7AB81AB474EE952148CC4A89598EF7DE824B10F8CC3E913D2C813ACB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
28
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3792
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/279_15_23_20070.zip
unknown
whitelisted
3792
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
3792
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip
unknown
whitelisted
3792
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
1548
iexplore.exe
GET
301
91.224.140.71:80
http://gg.gg/e66n1
NL
shared
3792
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip
unknown
whitelisted
3732
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3732
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1548
iexplore.exe
91.224.140.71:80
gg.gg
Innovation IT Solutions LTD
NL
suspicious
3792
AcroRd32.exe
2.16.186.32:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
3792
AcroRd32.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
1548
iexplore.exe
172.217.21.202:443
translate.googleapis.com
Google Inc.
US
whitelisted
1548
iexplore.exe
104.19.199.151:443
cdnjs.cloudflare.com
Cloudflare Inc
US
shared
3732
iexplore.exe
185.98.131.157:443
dossier-pdf.fr
ADISTA SAS
FR
malicious
1548
iexplore.exe
198.103.206.11:443
apps.cra-arc.gc.ca
Shared Services Canada
CA
unknown
1548
iexplore.exe
185.98.131.157:443
dossier-pdf.fr
ADISTA SAS
FR
malicious

DNS requests

Domain
IP
Reputation
acroipm2.adobe.com
  • 2.16.186.32
  • 2.16.186.33
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
ardownload2.adobe.com
  • 2.18.233.74
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
gg.gg
  • 91.224.140.71
shared
dossier-pdf.fr
  • 185.98.131.157
malicious
apps.cra-arc.gc.ca
  • 198.103.206.11
unknown
translate.googleapis.com
  • 172.217.21.202
whitelisted
cdnjs.cloudflare.com
  • 104.19.199.151
  • 104.19.195.151
  • 104.19.198.151
  • 104.19.197.151
  • 104.19.196.151
whitelisted

Threats

No threats detected
No debug info