analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

slavneft.zakaz.pdf

Full analysis: https://app.any.run/tasks/1929436f-a010-4967-b72a-8dc9ed4eb14a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 11, 2019, 12:06:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: application/pdf
File info: PDF document, version 1.4
MD5:

DE7DE5F956CD50573F4128C0F9DC518E

SHA1:

279B7CD684E8B1E8C146A8FDA765EFF95BD3EBD4

SHA256:

E577944C48EDFC65B6F59630B0B0AC625B997F26AF3D4BDBE2F534BE0FFF6F34

SSDEEP:

384:SbqCDMH6uLJHnPWkm2r+Xbzy1eX1n6BB9QCXinE8CFCgAQdRtf1utCUSUaZ:5HlJ/mi+rzyC16BB9QCX+Vg9zi4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radBEBF2.tmp (PID: 3828)
      • radB9FD6.tmp (PID: 1944)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2648)
    • Changes the autorun value in the registry

      • radBEBF2.tmp (PID: 3828)
    • TROLDESH was detected

      • radBEBF2.tmp (PID: 3828)
    • Deletes shadow copies

      • radBEBF2.tmp (PID: 3828)
    • Runs app for hidden code execution

      • radBEBF2.tmp (PID: 3828)
    • Dropped file may contain instructions of ransomware

      • radBEBF2.tmp (PID: 3828)
    • Actions looks like stealing of personal data

      • radBEBF2.tmp (PID: 3828)
    • Modifies files in Chrome extension folder

      • radBEBF2.tmp (PID: 3828)
  • SUSPICIOUS

    • Starts Internet Explorer

      • AcroRd32.exe (PID: 2960)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 2472)
    • Executable content was dropped or overwritten

      • radBEBF2.tmp (PID: 3828)
      • WScript.exe (PID: 2648)
      • WScript.exe (PID: 3592)
      • AdobeARM.exe (PID: 2696)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2648)
      • WScript.exe (PID: 3592)
      • radBEBF2.tmp (PID: 3828)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 2696)
      • radBEBF2.tmp (PID: 3828)
    • Executes scripts

      • WinRAR.exe (PID: 2772)
    • Connects to unusual port

      • radBEBF2.tmp (PID: 3828)
    • Creates files in the user directory

      • radBEBF2.tmp (PID: 3828)
    • Application launched itself

      • taskmgr.exe (PID: 3504)
    • Creates files like Ransomware instruction

      • radBEBF2.tmp (PID: 3828)
    • Checks for external IP

      • radBEBF2.tmp (PID: 3828)
  • INFO

    • Application launched itself

      • AcroRd32.exe (PID: 2960)
      • RdrCEF.exe (PID: 2276)
      • iexplore.exe (PID: 3288)
    • Creates files in the user directory

      • iexplore.exe (PID: 4024)
      • AcroRd32.exe (PID: 2960)
    • Changes internet zones settings

      • iexplore.exe (PID: 3288)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3288)
      • iexplore.exe (PID: 4024)
    • Dropped object may contain URL to Tor Browser

      • radBEBF2.tmp (PID: 3828)
    • Dropped object may contain Bitcoin addresses

      • radBEBF2.tmp (PID: 3828)
    • Dropped object may contain TOR URL's

      • radBEBF2.tmp (PID: 3828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

PageCount: 1
Title: -
Producer: Qt 4.8.7
ModifyDate: 2019:02:11 13:11:38
ICNAppVersion: 3
ICNAppPlatform: Windows
ICNAppName: Foxit Advanced PDF Editor
Creator: ÿþw(Foxit Advanced PDF Editor)
CreateDate: 2019:01:24 13:16:53+02:00
Linearized: No
PDFVersion: 1.4
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
24
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe winrar.exe no specs adobearm.exe reader_sl.exe no specs wscript.exe cmd.exe no specs #TROLDESH radbebf2.tmp wscript.exe cmd.exe no specs radb9fd6.tmp taskmgr.exe no specs vssadmin.exe no specs taskmgr.exe vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2960"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\slavneft.zakaz.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2316"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\slavneft.zakaz.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2276"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3672"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2276.0.24491002\1698831572" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3712"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2276.1.1128899234\390511194" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3288"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
AcroRd32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4024"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3288 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2772"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\slavneft.zakaz.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2696"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Reader and Acrobat Manager
Version:
1.824.27.2646
2252"C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exeAdobeARM.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat SpeedLauncher
Exit code:
0
Version:
15.23.20053.211670
Total events
1 973
Read events
1 778
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
1 103
Text files
68
Unknown types
45

Dropped files

PID
Process
Filename
Type
2316AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF1A402406E02A9379.TMP
MD5:
SHA256:
2316AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1758v0y_c4w2g2_1sc.tmp
MD5:
SHA256:
2316AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1mvn3wu_c4w2g3_1sc.tmp
MD5:
SHA256:
2316AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rriwwhs_c4w2g4_1sc.tmp
MD5:
SHA256:
2316AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1gq6jos_c4w2g5_1sc.tmp
MD5:
SHA256:
2316AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1pdl2nl_c4w2g6_1sc.tmp
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3C1A297013D4100F.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
26
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2960
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip
unknown
whitelisted
2960
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/285_15_23_20070.zip
unknown
whitelisted
3592
WScript.exe
GET
304
51.255.235.153:80
http://equiracing.fr/templates/rhuk_milkyway_equiracing/css/messg.jpg
FR
malicious
2960
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
2960
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip
unknown
whitelisted
2960
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
2960
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip
unknown
whitelisted
4024
iexplore.exe
GET
200
31.31.198.12:80
http://projectmmo.ru/blog/slavneft.zakaz.zip
RU
compressed
3.26 Kb
malicious
3828
radBEBF2.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3288
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3288
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2960
AcroRd32.exe
2.16.186.32:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
3828
radBEBF2.tmp
208.83.223.34:80
Applied Operations, LLC
US
malicious
3828
radBEBF2.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared
2648
WScript.exe
51.255.235.153:80
equiracing.fr
OVH SAS
FR
suspicious
23.210.248.251:443
ardownload2.adobe.com
Akamai International B.V.
NL
whitelisted
4024
iexplore.exe
31.31.198.12:80
projectmmo.ru
Domain names registrar REG.RU, Ltd
RU
malicious
3592
WScript.exe
51.255.235.153:80
equiracing.fr
OVH SAS
FR
suspicious
3828
radBEBF2.tmp
95.154.221.121:9001
iomart Cloud Services Limited.
GB
suspicious
3828
radBEBF2.tmp
83.168.200.204:80
Levonline AB
SE
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
projectmmo.ru
  • 31.31.198.12
malicious
acroipm2.adobe.com
  • 2.16.186.32
  • 2.16.186.33
whitelisted
armmf.adobe.com
  • 2.18.233.74
  • 2.21.41.101
whitelisted
equiracing.fr
  • 51.255.235.153
malicious
ardownload2.adobe.com
  • 23.210.248.251
whitelisted
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
2648
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2648
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2648
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3828
radBEBF2.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 274
3828
radBEBF2.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 651
3828
radBEBF2.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 623
3828
radBEBF2.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 716
3828
radBEBF2.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3828
radBEBF2.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3828
radBEBF2.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Shade/Troldesh Ransomware External IP Check
23 ETPRO signatures available at the full report
No debug info