analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

НИКС.pdf

Full analysis: https://app.any.run/tasks/3560cc94-61a5-4823-96fb-1b1316e49e8c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 10:15:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
loader
ransomware
troldesh
shade
Indicators:
MIME: application/pdf
File info: PDF document, version 1.3
MD5:

BE95754D7BCD2C246B7118349D8EF4F3

SHA1:

2E9DF084F036DC37425177099BAEFFCFACB774D6

SHA256:

B29A52717C5876F9353C35FEBA30A0B2A97F4122243F70ED870D13C633DC0BC5

SSDEEP:

768:XwRoDBR8ZB85M6KZ1U0ns9PGkHDF9eLG8iGE2jKL8si:YoMn8WXZC0u5jF92GbGXmA1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TROLDESH was detected

      • rad2441E.tmp (PID: 3096)

    • Application was dropped or rewritten from another process

      • rad2441E.tmp (PID: 3144)
      • rad2441E.tmp (PID: 3096)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3692)

    • Changes the autorun value in the registry

      • rad2441E.tmp (PID: 3096)

  • SUSPICIOUS

    • Starts Internet Explorer

      • AcroRd32.exe (PID: 3340)

    • Creates files in the program directory

      • AdobeARM.exe (PID: 3140)
      • rad2441E.tmp (PID: 3096)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2076)

    • Creates files in the user directory

      • WScript.exe (PID: 3692)

    • Application launched itself

      • rad2441E.tmp (PID: 3144)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3692)
      • rad2441E.tmp (PID: 3096)

    • Starts application with an unusual extension

      • rad2441E.tmp (PID: 3144)
      • cmd.exe (PID: 2536)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3692)

  • INFO

    • Application launched itself

      • RdrCEF.exe (PID: 3800)
      • chrome.exe (PID: 2076)

    • Manual execution by user

      • chrome.exe (PID: 2076)
      • WScript.exe (PID: 3692)

    • Reads the hosts file

      • RdrCEF.exe (PID: 3800)
      • chrome.exe (PID: 4024)
      • chrome.exe (PID: 2076)

    • Changes internet zones settings

      • iexplore.exe (PID: 1328)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3664)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1328)

    • Dropped object may contain Bitcoin addresses

      • chrome.exe (PID: 2076)

    • Application was crashed

      • rad2441E.tmp (PID: 3096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion: 1.3
Linearized: No
PageCount: 1
Producer: Haru Free PDF Library 2.4.0dev
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
88
Monitored processes
47
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe winrar.exe no specs adobearm.exe no specs reader_sl.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs wscript.exe cmd.exe no specs rad2441e.tmp no specs #TROLDESH rad2441e.tmp

Process information

PID
CMD
Path
Indicators
Parent process
3340"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\НИКС.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
3888"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\НИКС.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
3800"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2612"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3800.0.1347365965\2081884278" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
1956"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3800.1.852504911\233920581" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
1328"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
AcroRd32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3664"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1328 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2516"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K4P213K8\2019[1].zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3140"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Reader and Acrobat Manager
Version:
1.824.27.2646
1296"C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exeAdobeARM.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat SpeedLauncher
Exit code:
0
Version:
15.23.20053.211670
Total events
2 077
Read events
1 839
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
223
Text files
262
Unknown types
26

Dropped files

PID
Process
Filename
Type
3888AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
3888AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3888
MD5:
SHA256:
3888AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3888
MD5:
SHA256:
1328iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1328iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF526E570A96955DA9.TMP
MD5:
SHA256:
3888AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rie1w40_s1f4lx_300.tmp
MD5:
SHA256:
1328iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF1BC9EBD2AC1DB821.TMP
MD5:
SHA256:
1328iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9F71C00E-EE6B-11E9-AB41-5254004A04AF}.dat
MD5:
SHA256:
3340AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lstps
MD5:0D5624ABBF1C79AEC38CBE52B56038B4
SHA256:AB5A46BA09F515E56892C0270D67EED215E56E43557B83A2CE295F2ED87D09D6
3340AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lstps
MD5:00840C859122324DFEA2FFB459B6FD90
SHA256:76A3F28592EE2B3FF9F70A8FA55B0774A2516CAB3A0856B6AC54669A4D364C9E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
41
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3340
AcroRd32.exe
GET
304
2.16.186.97:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
3664
iexplore.exe
GET
200
150.95.52.102:80
http://hajimete-futsal.com/wp-admin/css/colors/blue/xl/
JP
compressed
11.3 Kb
malicious
4024
chrome.exe
GET
200
173.194.183.103:80
http://r2---sn-aigl6nek.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigl6nek&ms=nvh&mt=1571048122&mv=m&mvi=1&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
4024
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
513 b
whitelisted
4024
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
508 b
whitelisted
4024
chrome.exe
GET
302
216.239.32.21:80
http://virustotal.com/
US
whitelisted
1328
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3692
WScript.exe
GET
200
176.9.8.19:80
http://www.tkweinfelden.ch/templates/td-okini/css/2c.jpg
DE
executable
1.62 Mb
malicious
4024
chrome.exe
GET
200
173.194.183.169:80
http://r4---sn-aigl6ney.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigl6ney&ms=nvh&mt=1571048122&mv=m&mvi=3&pl=24&shardbypass=yes
US
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3340
AcroRd32.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
1328
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3340
AcroRd32.exe
2.16.186.97:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
3664
iexplore.exe
150.95.52.102:80
hajimete-futsal.com
GMO Internet,Inc
JP
malicious
4024
chrome.exe
172.217.21.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
4024
chrome.exe
172.217.18.13:443
accounts.google.com
Google Inc.
US
whitelisted
4024
chrome.exe
172.217.18.99:443
www.gstatic.com
Google Inc.
US
whitelisted
4024
chrome.exe
172.217.22.14:443
clients2.google.com
Google Inc.
US
whitelisted
4024
chrome.exe
172.217.16.142:80
redirector.gvt1.com
Google Inc.
US
whitelisted
4024
chrome.exe
172.217.23.163:443
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
hajimete-futsal.com
  • 150.95.52.102
malicious
acroipm2.adobe.com
  • 2.16.186.97
  • 2.16.186.57
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
clientservices.googleapis.com
  • 172.217.21.195
whitelisted
accounts.google.com
  • 172.217.18.13
shared
www.google.com.ua
  • 216.58.207.35
whitelisted
clients2.google.com
  • 172.217.22.14
whitelisted
fonts.googleapis.com
  • 172.217.18.170
whitelisted
www.gstatic.com
  • 172.217.18.99
whitelisted

Threats

PID
Process
Class
Message
3692
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3692
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3692
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3692
WScript.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3096
rad2441E.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
НИКС.pdf