analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

curious.pdf

Full analysis: https://app.any.run/tasks/b08f33af-3edd-47aa-8712-b3004cb0e56e
Verdict: Malicious activity
Analysis date: October 20, 2020, 12:27:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/pdf
File info: PDF document, version 1.4
MD5:

E93277CD22C3DEF305D960FABF986CF9

SHA1:

07C9DDE356D02AB6CBF716DFA0D7383D06C630E5

SHA256:

43BDADB5BE592C6F498B1BB742DF307633F8C5EA05AF66AD01619A9F4F4F73D9

SSDEEP:

768:4fEi9mbnpQwutHDpnWCkOYdxmBhCYIH0mmrPtX2+H2FgnDyFMc:4Z9MzOnTIrmjOUTxopac

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts Internet Explorer

      • AcroRd32.exe (PID: 584)

    • Creates files in the program directory

      • AdobeARM.exe (PID: 3224)

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 968)
      • iexplore.exe (PID: 2944)
      • AcroRd32.exe (PID: 584)
      • chrome.exe (PID: 2872)

    • Reads Internet Cache Settings

      • AcroRd32.exe (PID: 584)
      • iexplore.exe (PID: 968)
      • AcroRd32.exe (PID: 1452)
      • iexplore.exe (PID: 2944)

    • Application launched itself

      • AcroRd32.exe (PID: 584)
      • iexplore.exe (PID: 2944)
      • RdrCEF.exe (PID: 2656)
      • chrome.exe (PID: 3540)

    • Reads the hosts file

      • RdrCEF.exe (PID: 2656)
      • chrome.exe (PID: 3540)
      • chrome.exe (PID: 2872)

    • Manual execution by user

      • chrome.exe (PID: 3540)

    • Reads internet explorer settings

      • iexplore.exe (PID: 968)

    • Changes internet zones settings

      • iexplore.exe (PID: 2944)

    • Creates files in the user directory

      • iexplore.exe (PID: 968)

    • Changes IE settings (feature browser emulation)

      • AcroRd32.exe (PID: 584)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2944)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

PageCount: 2
CreateDate: 2020:10:20 11:21:37+03:00
Producer: Qt 4.8.7
Creator: wkhtmltopdf 0.12.5
Title: -
Linearized: No
PDFVersion: 1.4
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
34
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe rdrcef.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs adobearm.exe no specs reader_sl.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
584"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\curious.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
1452"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\curious.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2656"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2312"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2656.0.293396837\1782601723" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2944"C:\Program Files\Internet Explorer\iexplore.exe" http://rjmaecsdiu.bitcoinbrasil.site/c90472adC:\Program Files\Internet Explorer\iexplore.exe
AcroRd32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
968"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
824"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2656.1.598249421\1496243251" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3540"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2676"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x689ba9d0,0x689ba9e0,0x689ba9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3968"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3676 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
Total events
1 201
Read events
993
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
156
Text files
132
Unknown types
46

Dropped files

PID
Process
Filename
Type
1452AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
968iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab699C.tmp
MD5:
SHA256:
968iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar699D.tmp
MD5:
SHA256:
2944iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1452AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1kpn4mg_d8dws7_14c.tmp
MD5:
SHA256:
1452AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1c4ti6b_d8dws6_14c.tmp
MD5:
SHA256:
1452AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R3x2hc3_d8dws5_14c.tmp
MD5:
SHA256:
1452AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rd5ltc9_d8dws4_14c.tmp
MD5:
SHA256:
584AcroRd32.exeC:\Users\admin\AppData\Local\Temp\Cab794B.tmp
MD5:
SHA256:
584AcroRd32.exeC:\Users\admin\AppData\Local\Temp\Tar794C.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
197
DNS requests
120
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2944
iexplore.exe
GET
404
199.188.206.22:80
http://rjmaecsdiu.bitcoinbrasil.site/favicon.ico
US
malicious
584
AcroRd32.exe
GET
304
2.16.107.24:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
584
AcroRd32.exe
GET
304
2.16.107.24:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip
unknown
whitelisted
968
iexplore.exe
GET
200
192.124.249.23:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
968
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
584
AcroRd32.exe
GET
304
2.16.107.24:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
968
iexplore.exe
GET
200
192.124.249.23:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
968
iexplore.exe
GET
200
199.188.206.22:80
http://rjmaecsdiu.bitcoinbrasil.site/c90472ad
US
html
3.82 Kb
malicious
968
iexplore.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80
US
der
1.49 Kb
whitelisted
968
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAxtQQjgmRxkkRZJGijH2ko%3D
US
der
279 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2944
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
968
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2.16.107.24:80
acroipm2.adobe.com
Akamai International B.V.
malicious
968
iexplore.exe
199.188.206.22:80
rjmaecsdiu.bitcoinbrasil.site
Namecheap, Inc.
US
malicious
584
AcroRd32.exe
2.16.107.24:80
acroipm2.adobe.com
Akamai International B.V.
malicious
968
iexplore.exe
151.101.2.49:443
www.forbes.com
Fastly
US
malicious
2944
iexplore.exe
199.188.206.22:80
rjmaecsdiu.bitcoinbrasil.site
Namecheap, Inc.
US
malicious
968
iexplore.exe
104.18.21.226:80
ocsp.globalsign.com
Cloudflare Inc
US
shared
968
iexplore.exe
172.67.130.45:443
hringuiperbia.club
US
unknown
968
iexplore.exe
99.86.2.84:443
consent.truste.com
AT&T Services, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
rjmaecsdiu.bitcoinbrasil.site
  • 199.188.206.22
malicious
hringuiperbia.club
  • 172.67.130.45
  • 104.28.14.35
  • 104.28.15.35
suspicious
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.forbes.com
  • 151.101.2.49
  • 151.101.66.49
  • 151.101.130.49
  • 151.101.194.49
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
acroipm2.adobe.com
  • 2.16.107.24
  • 2.16.107.49
whitelisted
armmf.adobe.com
  • 2.21.36.203
whitelisted
consent.truste.com
  • 99.86.2.84
  • 99.86.2.6
  • 99.86.2.102
  • 99.86.2.59
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
curious.pdf