Malware analysis DA-4856-REP-63-Contract.pdf Suspicious activity

Add for printing

File name:	DA-4856-REP-63-Contract.pdf
Full analysis:	https://app.any.run/tasks/99dbc04b-b21f-408f-94e9-0219fd56610b
Verdict:	Suspicious activity
Analysis date:	March 30, 2018, 20:21:43
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/pdf
File info:	PDF document, version 1.7
MD5:	1E2711D7E7DC5A33F587BB48A39AE0D4
SHA1:	818A128C598F6220E14040A755ED2EB13472C5E5
SHA256:	57A0A4941D2FE78E3C6163B0C935E87A44CF2D883C777FE1D2878EC0A504B875
SSDEEP:	1536:vPUbm0I9OF+W22l+0beS80eVNoz9iqVM0MTNEcXv:vPkTI93t2EFJuz5K0MTRf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:

Software preset

Internet Explorer 8.0.7601.17514 undefined
7-Zip 16.04 (16.04)
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 26 ActiveX (26.0.0.137)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.100)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2005 Redistributable (8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (14.12.25810.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810 (14.12.25810)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.4)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
VLC media player (2.2.6)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition
WinMan WinIP Package TopLevel

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Starts Internet Explorer
  - AcroRd32.exe (PID: 3656)
INFO
- Dropped object may contain URL's
  - AdobeCollabSync.exe (PID: 2136)
  - RdrCEF.exe (PID: 2148)
  - iexplore.exe (PID: 3940)
  - iexplore.exe (PID: 3564)
  - AcroRd32.exe (PID: 3728)
- Creates files in the user directory
  - AcroRd32.exe (PID: 3656)
  - iexplore.exe (PID: 3564)
- Application launched itself
  - RdrCEF.exe (PID: 2148)
- Changes internet zones settings
  - iexplore.exe (PID: 3940)
- Dropped object may contain Bitcoin addresses
  - AcroRd32.exe (PID: 3728)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3940)
  - iexplore.exe (PID: 3564)
- Loads rich edit control libraries
  - AcroRd32.exe (PID: 3728)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3940)
- Reads internet explorer settings
  - iexplore.exe (PID: 3564)
- Changes settings of System certificates
  - iexplore.exe (PID: 3940)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.pdf	\|	Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion:	1.7
Linearized:	No
Encryption:	Standard V4.4 (128-bit)
UserAccess:	Print, Annotate, Fill forms, Extract, Print high-res
Author:	APD
CreateDate:	2014:09:03 12:09:44-04:00
Creator:	Adobe LiveCycle Designer 11.0
Distrubution:	UNRESTRICTED
Doc_Num:	4856
Form_Month:	Jul
Form_Version:	1.03
Form_Year:	2014
ModifyDate:	2016:10:06 11:06:49-06:00
OMB_Expire:	-
OMB_Number:	-
PA_Code:	no
PIN:	051938
Pre_Dir:	ATP 6-22.1
Prefix:	DA
Producer:	Adobe LiveCycle Designer 11.0
Product_Type:	FORM
Proponent:	TRADOC
Pub_Day:	12
Pub_ID:	22
Pub_Month:	Oct
Pub_Series:	6
Pub_Type:	ATP
Pub_Year:	2006
Scope:	Army
Security_Class:	UC
Signature:	Yes
Subject:	DA FORM 4856, JUL 2014
Suffix:	-
Title:	DEVELOPMENTAL COUNSELING FORM
Unicode:	EMO
HasXFA:	Yes
TaggedPDF:	Yes
PageCount:	2
UsageRightsMessage:	-
DocumentUsageRights:	FullSave
AnnotationUsageRights:	Create Delete Modify Copy Import Export Online
FormUsageRights:	FillIn Import Export SubmitStandalone Online Add Delete
SignatureUsageRights:	Modify
ModificationPermissions:	Do not restrict applications to reader permissions
EmbeddedFileUsageRights:	Create Delete Import Modify
SigningAuthority:	ARE 6.1 Production with Online Comment and PunchCard
SigningDate:	2014:09:24 15:00:30-04:00

XMP

XMPToolkit:	Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03
MetadataDate:	2016:10:06 11:06:49-06:00
CreatorTool:	Adobe LiveCycle Designer 11.0
ModifyDate:	2016:10:06 11:06:49-06:00
CreateDate:	2014:09:03 12:09:44-04:00
Producer:	Adobe LiveCycle Designer 11.0
DocumentID:	uuid:27a53c24-5d10-4a85-8f2e-4108772a0020
InstanceID:	uuid:8c8d5be0-6e21-4c2f-bec3-a7b7865e9c2c
Format:	application/pdf
Description:	DA FORM 4856, JUL 2014
Creator:	APD
Title:	DEVELOPMENTAL COUNSELING FORM
Scope:	Army
Prefix:	DA
Doc_Num:	4856
Product_Type:	FORM
Suffix:	-
Form_Month:	Jul
Form_Year:	2014
Form_Version:	1.03
Pin:	051938
Pre_Dir:	ATP 6-22.1
Pub_Type:	ATP
Pub_ID:	22
Pub_Series:	6
Pub_Day:	12
Pub_Month:	Oct
Pub_Year:	2006
Proponent:	TRADOC
Unicode:	EMO
PA_Code:	no
OMB_Number:	-
OMB_Expire:	-
Security_Class:	UC
Distrubution:	UNRESTRICTED
Signature:	Yes
Version:	1.03
VersionRef:	/template/subform[1]

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2136

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c

C:\Program Files\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

—

AcroRd32.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

MEDIUM

Description:

Adobe Collaboration Synchronizer 15.7

Exit code:

Version:

15.7.20033.133275

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\adobecollabsync.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

2148

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"

C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

—

AcroRd32.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

MEDIUM

Description:

Adobe RdrCEF

Exit code:

Version:

15.7.20033.133275

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2664

-isAppInstalled chc 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

C:\Program Files\Adobe\Acrobat Reader DC\Reader\ARH.exe

—

AcroRd32.exe

User:

admin

Company:

Adobe Systems Inc.

Integrity Level:

MEDIUM

Description:

Adobe AIR Redistribution Helper

Exit code:

Version:

3.5.0.0

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\arh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2988

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-delegated-renderer --disable-desktop-notifications --disable-file-system --disable-shared-workers --disable-speech-input --disable-threaded-compositing --disable-webaudio --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.7.20033 Chrome/35.0.1916.138" --disable-accelerated-compositing --disable-accelerated-video-decode --enable-software-compositing --disable-gpu-compositing --channel="2148.0.1769289676\1604662961" --allow-no-sandbox-job /prefetch:673131151

C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

—

RdrCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

MEDIUM

Description:

Adobe RdrCEF

Exit code:

Version:

15.7.20033.133275

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3564

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3940 CREDAT:71937

C:\Program Files\Internet Explorer\iexplore.exe

—

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

8.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3656

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\DA-4856-REP-63-Contract.pdf"

C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

—

explorer.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

MEDIUM

Description:

Adobe Acrobat Reader DC

Exit code:

Version:

15.7.20033.133275

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3728

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --channel=3656.0.1254757191 --type=renderer "C:\Users\admin\AppData\Local\Temp\DA-4856-REP-63-Contract.pdf"

C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

—

AcroRd32.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe Acrobat Reader DC

Exit code:

Version:

15.7.20033.133275

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3940

"C:\Program Files\Internet Explorer\iexplore.exe" "http://community.adobe.com/chcservices/services/redirect?u=http://help.adobe.com&p=Reader_DC&l=en_US&id=Dlg_SecuritySettingsDownload"

C:\Program Files\Internet Explorer\iexplore.exe

—

AcroRd32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

8.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

1 017

Read events

871

Write events

141

Delete events

Modification events


(PID) Process:	(3728) AcroRd32.exe	Key:	HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2136) AdobeCollabSync.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AdobeCollabSync_RASMANCS
Operation:	write	Name:	FileTracingMask
Value: 4294901760

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2136	AdobeCollabSync.exe	C:\Users\admin\AppData\Local\Temp\etilqs_v6as7u1KJf4l75d		—
		MD5:—	SHA256:—
2136	AdobeCollabSync.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer-journal		—
		MD5:—	SHA256:—
2136	AdobeCollabSync.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\RFL\LocalMapping\RFLDB150-journal		—
		MD5:—	SHA256:—
3728	AcroRd32.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer-journal		—
		MD5:—	SHA256:—
2136	AdobeCollabSync.exe	C:\Users\admin\AppData\Local\Temp\etilqs_RnlnoQwAcF8ywOI		—
		MD5:—	SHA256:—
2136	AdobeCollabSync.exe	C:\Users\admin\AppData\Local\Temp\etilqs_ofb8rETJlj2Xazq		—
		MD5:—	SHA256:—
3728	AcroRd32.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal		—
		MD5:—	SHA256:—
3728	AcroRd32.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal		—
		MD5:—	SHA256:—
2136	AdobeCollabSync.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\inprogress\download-18		—
		MD5:—	SHA256:—
2136	AdobeCollabSync.exe	C:\Users\admin\AppData\Local\Temp\etilqs_vYuy0FcepNXzYlM		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

129

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	301	2.21.161.74:80	http://helpx.adobe.com/acrobat/using/trusted-identities.html	unknown	—	—	whitelisted
—	—	GET	302	192.147.130.58:80	http://community.adobe.com/chcservices/services/redirect?u=http://help.adobe.com&p=Reader_DC&l=en_US&id=Dlg_SecuritySettingsDownload	US	—	—	whitelisted
—	—	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D	US	der	471 b	whitelisted
—	—	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAza5nSVYZrPeIlAtSf0Rcs%3D	US	der	471 b	whitelisted
—	—	GET	200	23.38.53.244:80	http://trustlist.adobe.com/tl12.acrobatsecuritysettings	NL	pdf	211 Kb	whitelisted
—	—	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEANrV0G8T0FW49QCIRhnnyI%3D	US	der	471 b	whitelisted
—	—	GET	200	23.38.53.244:80	http://trustlist.adobe.com/eutl12.acrobatsecuritysettings	NL	pdf	1.95 Mb	whitelisted
—	—	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTnvAI%2FnN49qPTJY2qTQtfkLxjvEAQUo53mH%2FnaOU%2FAbuiRy5Wl2jHiCp8CEAlwxWJPoNmxiHail2GlT0k%3D	US	der	312 b	whitelisted
—	—	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEA05NXoFG5trTNWktC30S2A%3D	US	der	471 b	whitelisted
—	—	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAz7HVAyGCQ7hX8xeaUXQZo%3D	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	2.21.161.74:80	helpx.adobe.com	Akamai International B.V.	—	whitelisted
—	—	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
—	—	23.38.53.244:80	trustlist.adobe.com	Akamai International B.V.	NL	whitelisted
—	—	52.71.113.168:443	cloud.acrobat.com	Amazon.com, Inc.	US	unknown
—	—	8.248.91.254:80	www.download.windowsupdate.com	Level 3 Communications, Inc.	US	unknown
—	—	2.21.161.74:443	helpx.adobe.com	Akamai International B.V.	—	whitelisted
—	—	23.38.53.224:443	use.typekit.com	Akamai International B.V.	NL	whitelisted
—	—	52.222.175.189:443	static.adobelogin.com	Amazon.com, Inc.	US	unknown
—	—	184.30.221.51:443	wwwimages.adobe.com	Akamai International B.V.	NL	whitelisted
—	—	66.117.28.86:443	cm.everesttech.net	Adobe Systems Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
trustlist.adobe.com	23.38.53.244	whitelisted
cloud.acrobat.com	52.71.113.168 34.232.232.38	whitelisted
www.download.windowsupdate.com	8.248.91.254 8.253.145.105 8.248.97.254 8.248.99.254 67.26.139.254	whitelisted
adobe.com	192.147.130.204	whitelisted
www.adobe.com	104.108.5.45	whitelisted
community.adobe.com	192.147.130.58	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
helpx.adobe.com	2.21.161.74	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
use.typekit.com	23.38.53.224	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

DA-4856-REP-63-Contract.pdf

1E2711D7E7DC5A33F587BB48A39AE0D4

818A128C598F6220E14040A755ED2EB13472C5E5

57A0A4941D2FE78E3C6163B0C935E87A44CF2D883C777FE1D2878EC0A504B875

1536:vPUbm0I9OF+W22l+0beS80eVNoz9iqVM0MTNEcXv:vPkTI93t2EFJuz5K0MTRf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Starts Internet Explorer

INFO

Dropped object may contain URL's

Creates files in the user directory

Application launched itself

Changes internet zones settings

Dropped object may contain Bitcoin addresses

Reads Internet Cache Settings

Loads rich edit control libraries

Adds / modifies Windows certificates

Reads internet explorer settings

Changes settings of System certificates

Malware configuration

Static information

TRiD

EXIF

PDF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings