Malware analysis https://flipformatpdf.com Malicious activity

Add for printing

URL:	https://flipformatpdf.com
Full analysis:	https://app.any.run/tasks/f12dd669-cc64-424d-bc39-d33e28a6eebc
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 20, 2026, 12:20:46
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing loader
Indicators:
MD5:	35521E981718FF50A376F07970548EA7
SHA1:	C922C0C749501D0924BFAAA27C80D751F0C4F44B
SHA256:	19400393617515423957E65645FD93FD64D3644EE56D4C1519F7733D95A72D53
SSDEEP:	3:N8IVQPV1LdI:29PXLK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 7028)
SUSPICIOUS
No suspicious indicators.
INFO
- The sample compiled with english language support
  - msedge.exe (PID: 7028)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

1

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

7028

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --webtransport-developer-mode --string-annotations --always-read-main-dll --field-trial-handle=2256,i,13378875761215938322,9620771509043916482,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

7

Text files

4

Unknown types

0

Dropped files

PID	Process	Filename		Type
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\b0aa22c3-fc03-4ac5-b127-f191444bad1d.tmp		text
		MD5:F054A7D6E382DF24018FE84986B710A2	SHA256:4E5235C6B40BCE6C5FD0554D554FCDB38E8016DCDDFA9CAB63103407CAF8DAEB
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b5		compressed
		MD5:460561D21A82AA52EDE5FB7726BFF673	SHA256:8D1E2F7EF5D3EF148425613BFB952F7D30D1B01DF0F6E445900693CDEA83AA7A
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b6		binary
		MD5:5651A284579B7569BE7E2672360A23C7	SHA256:35F6F1ABC78893601267181954498307E0EF2E1161F5E26873C6166E7ED0C49D
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b8		binary
		MD5:260C81A4759BAF163C025001C4F27872	SHA256:3100E775E8616CD2611BEECFA23A4263D7037586789B43F035236A2E6FBD4C62
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb		compressed
		MD5:F3AD19FDBD15A27B32A4D25E49CC266E	SHA256:3A657EDDEC2905CE29950E37A3CC78C6839AFC858FE26A89490A1502BE032D13
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba		binary
		MD5:5651A284579B7569BE7E2672360A23C7	SHA256:35F6F1ABC78893601267181954498307E0EF2E1161F5E26873C6166E7ED0C49D
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc		compressed
		MD5:986BECCA5F278F9BEB2E323A89E9EEF9	SHA256:36EA6E8A04A3961E4AEB1C3AD36188C9FE9570BCA5D7483EC23A609D324E2861
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RFf049a.TMP		text
		MD5:8CA6AC4CD0D4F8B2EA5A9FC6FD4311D7	SHA256:EE810A451AEA499C3D6F89EDB840ED025DF0937874485A211A3BB39F915F4EA0
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State		text
		MD5:F054A7D6E382DF24018FE84986B710A2	SHA256:4E5235C6B40BCE6C5FD0554D554FCDB38E8016DCDDFA9CAB63103407CAF8DAEB
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b7		text
		MD5:21BF0329EAB2C858343AF22FF8B2E359	SHA256:F48B72D69A5ADCACB23D72D7BCF1C6CD1E0B81EDE76DD0794888CBDBFD72B69E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

53

TCP/UDP connections

53

DNS requests

45

Threats

5

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7688	RUXIMICS.exe	GET	304	48.209.133.15:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=188&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
5240	svchost.exe	GET	—	48.209.133.15:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	US	—	—	whitelisted
5336	MoUsoCoreWorker.exe	GET	304	48.209.133.15:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3593&FlightIds=&UpdateOfferedDays=344&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&sku=48&ActivationChannel=Retail&AttrDataVer=188&IsMDMEnrolled=0&ProcessorCores=4&ProcessorModel=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&TotalPhysicalRAM=4096&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260246&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
7760	svchost.exe	HEAD	200	104.102.63.189:443	https://fs.microsoft.com/fs/windows/config.json	US	—	—	whitelisted
7028	msedge.exe	GET	200	172.67.180.187:443	https://flipformatpdf.com/static/css/main.f8437ed9.css	US	text	19.0 Kb	unknown
—	—	GET	200	172.67.180.187:443	https://flipformatpdf.com/	US	html	1.59 Kb	unknown
7028	msedge.exe	GET	200	172.67.180.187:443	https://flipformatpdf.com/static/js/main.ddd17b8d.js	US	text	221 Kb	unknown
5240	svchost.exe	GET	200	184.24.77.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
7028	msedge.exe	GET	200	192.178.183.95:443	https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&display=swap	US	text	12.0 Kb	whitelisted
7688	RUXIMICS.exe	GET	200	184.24.77.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5240	svchost.exe	48.209.133.15:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7688	RUXIMICS.exe	48.209.133.15:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5336	MoUsoCoreWorker.exe	48.209.133.15:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	224.0.0.251:5353	—	—	—	whitelisted
7028	msedge.exe	23.62.46.147:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
7028	msedge.exe	104.21.31.230:443	flipformatpdf.com	CLOUDFLARENET	US	malicious
5240	svchost.exe	184.24.77.34:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7028	msedge.exe	142.251.20.97:443	www.googletagmanager.com	GOOGLE	US	whitelisted
7028	msedge.exe	142.251.20.94:443	fonts.gstatic.com	GOOGLE	US	whitelisted
7028	msedge.exe	142.251.14.95:443	fonts.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	48.209.133.15 48.209.138.168	whitelisted
google.com	142.251.20.101 142.251.20.100 142.251.20.138 142.251.20.139 142.251.20.102 142.251.20.113	whitelisted
www.bing.com	23.62.46.147 23.62.46.135 23.62.46.146 92.123.104.63 92.123.104.9 92.123.104.5 92.123.104.13 92.123.104.65 92.123.104.62 92.123.104.67 92.123.104.6 92.123.104.14	whitelisted
flipformatpdf.com	104.21.31.230 172.67.180.187	malicious
crl.microsoft.com	184.24.77.34 184.24.77.7 184.24.77.22 184.24.77.29 184.24.77.23 184.24.77.30 184.24.77.37	whitelisted
www.googletagmanager.com	142.251.20.97	whitelisted
fonts.googleapis.com	142.251.14.95	whitelisted
fonts.gstatic.com	142.251.20.94	whitelisted
www.microsoft.com	23.37.86.48	whitelisted
www.google.com	142.251.151.119 142.251.153.119 142.251.156.119 142.251.155.119 142.251.150.119 142.251.157.119 142.251.154.119 142.251.152.119	whitelisted

Threats

PID	Process	Class	Message
7028	msedge.exe	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Domain (flipformatpdf .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
—	—	Misc activity	ET INFO EXE - Served Attached HTTP

Add for printing

No debug info

General Info

https://flipformatpdf.com

35521E981718FF50A376F07970548EA7

C922C0C749501D0924BFAAA27C80D751F0C4F44B

19400393617515423957E65645FD93FD64D3644EE56D4C1519F7733D95A72D53

3:N8IVQPV1LdI:29PXLK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

INFO

The sample compiled with english language support

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings