analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

514350.pdf

Full analysis: https://app.any.run/tasks/ae34fe20-1a5c-4011-b6e3-b8e2ec21220a
Verdict: Malicious activity
Analysis date: November 14, 2018, 14:16:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
evasion
Indicators:
MIME: application/pdf
File info: PDF document, version 1.4
MD5:

4F2358CC71B8E559158143827A78929F

SHA1:

CFFDC59BB2019E54455F36C57DE63E1E6A65FF1C

SHA256:

C805B2D1327E1DC891B5EDF8855C35ACA6F1CA510FD73F07651703B72DF5D901

SSDEEP:

768:n9YpBQ79JnorxngYyv5+Q+14x5uw4kP/qLdWkbNR4:n9phT5+Q+1W5uDkKr4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 940)
      • cmd.exe (PID: 1112)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3384)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3384)
    • Application was dropped or rewritten from another process

      • tmp614.exe (PID: 1396)
      • tmp714.exe (PID: 1836)
      • tmp714.exe (PID: 3424)
    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 1364)
      • cmd.exe (PID: 1672)
    • Known privilege escalation attack

      • DllHost.exe (PID: 124)
    • Loads the Task Scheduler COM API

      • tmp714.exe (PID: 1836)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • chrome.exe (PID: 3796)
      • WINWORD.EXE (PID: 3384)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 624)
      • tmp714.exe (PID: 3424)
    • Creates files in the user directory

      • powershell.exe (PID: 3196)
      • tmp614.exe (PID: 1396)
      • powershell.exe (PID: 3596)
      • powershell.exe (PID: 2200)
      • powershell.exe (PID: 2124)
    • Application launched itself

      • WINWORD.EXE (PID: 3384)
    • Executable content was dropped or overwritten

      • tmp614.exe (PID: 1396)
      • powershell.exe (PID: 3596)
      • AdobeARM.exe (PID: 624)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3196)
      • tmp614.exe (PID: 1396)
      • tmp714.exe (PID: 1836)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 3136)
  • INFO

    • Application launched itself

      • RdrCEF.exe (PID: 4076)
      • iexplore.exe (PID: 2932)
      • AcroRd32.exe (PID: 4080)
      • chrome.exe (PID: 3796)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3284)
      • chrome.exe (PID: 3796)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3284)
    • Changes internet zones settings

      • iexplore.exe (PID: 2932)
    • Creates files in the user directory

      • iexplore.exe (PID: 3284)
      • iexplore.exe (PID: 2932)
      • WINWORD.EXE (PID: 3384)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3384)
      • WINWORD.EXE (PID: 3480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion: 1.4
Linearized: No
PageCount: 2
Producer: iTextSharp™ 5.5.12 ©2000-2017 iText Group NV (AGPL-version)
CreateDate: 2018:10:04 10:08:28+01:00
ModifyDate: 2018:10:04 10:08:28+01:00
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
88
Monitored processes
44
Malicious processes
10
Suspicious processes
5

Behavior graph

Click at the process to see the details
start drop and start acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe adobearm.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs cmd.exe no specs powershell.exe no specs chrome.exe no specs cmd.exe no specs powershell.exe tmp614.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs powershell.exe no specs sc.exe no specs CMSTPLUA no specs tmp714.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs tmp714.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4080"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\514350.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
3632"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\514350.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
4076"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3852"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="4076.0.1560614162\1499289384" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2432"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="4076.1.1538690543\1514037696" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2932"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3284"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2932 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
624"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Reader and Acrobat Manager
Version:
1.824.27.2646
3796"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
4016"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x701900b0,0x701900c0,0x701900ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
Total events
5 009
Read events
4 208
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
79
Text files
115
Unknown types
20

Dropped files

PID
Process
Filename
Type
3632AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
3632AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Ral0fn2_1suahqu_2sw.tmp
MD5:
SHA256:
3632AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1jjsktl_1suahqt_2sw.tmp
MD5:
SHA256:
3632AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R19z6i3p_1suahqw_2sw.tmp
MD5:
SHA256:
3632AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1ul27at_1suahqv_2sw.tmp
MD5:
SHA256:
3632AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rq69prn_1suahqx_2sw.tmp
MD5:
SHA256:
624AdobeARM.exeC:\Users\admin\AppData\Local\Temp\Tmp2E3A.tmp
MD5:
SHA256:
624AdobeARM.exeC:\Users\admin\AppData\Local\Temp\Tmp2E4B.tmp
MD5:
SHA256:
3632AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagessqlite
MD5:71289F8F8D3000638A846F994C51E52B
SHA256:A67239B25EF289BB16B95FEB12A1D0A77FEF6772CD26901970BCE3116D81FCB9
624AdobeARM.exeC:\ProgramData\Adobe\ARM\ArmReport.initext
MD5:A5DEEE52B298967638B05DC479DEF3A9
SHA256:932AD7D7735EABDDCECD281D859DF90619225C5FF6D3D5C717B4BCBAE46B094D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
50
DNS requests
31
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4080
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
4080
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
4080
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip
unknown
whitelisted
2932
iexplore.exe
GET
204.79.197.200:80
http://www.bing.com/favicon.ico
US
whitelisted
4080
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip
unknown
whitelisted
4080
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip
unknown
whitelisted
3796
chrome.exe
GET
200
67.26.139.254:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
54.4 Kb
whitelisted
3596
powershell.exe
GET
148.72.54.13:80
http://lloydsbankonline.co.uk/docs.lloyds
US
suspicious
3796
chrome.exe
GET
200
52.214.133.244:80
http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFHPaWvoj2T%2B6hC4KIPQBydhuJPxd
IE
der
1.78 Kb
whitelisted
3796
chrome.exe
GET
200
67.26.139.254:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt
US
der
993 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3796
chrome.exe
216.58.215.227:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
2932
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
4080
AcroRd32.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
3284
iexplore.exe
148.72.54.13:443
lloydsbankonline.co.uk
US
suspicious
3796
chrome.exe
172.217.168.3:443
www.google.de
Google Inc.
US
whitelisted
4080
AcroRd32.exe
2.16.186.33:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
3796
chrome.exe
216.58.215.238:443
apis.google.com
Google Inc.
US
whitelisted
3796
chrome.exe
172.217.168.4:443
www.google.com
Google Inc.
US
whitelisted
3796
chrome.exe
172.217.168.13:443
accounts.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
acroipm2.adobe.com
  • 2.16.186.33
  • 2.16.186.32
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
lloydsbankonline.co.uk
  • 148.72.54.13
suspicious
ardownload2.adobe.com
  • 2.18.233.74
whitelisted
clientservices.googleapis.com
  • 216.58.215.227
whitelisted
www.gstatic.com
  • 216.58.215.227
whitelisted
www.google.de
  • 172.217.168.3
whitelisted
safebrowsing.googleapis.com
  • 216.58.215.234
whitelisted
accounts.google.com
  • 172.217.168.13
shared

Threats

PID
Process
Class
Message
3596
powershell.exe
Misc activity
ET INFO Packed Executable Download
3596
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3596
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1 ETPRO signatures available at the full report
No debug info