Field | Value
---|---
File name: | e69f50a9af4234562cba5ccdfb5d5f53d0b6c032953ca8c0b4e79112572e8256.doc
Full analysis: | https://app.any.run/tasks/052c376b-e2e0-4df4-8f27-29ae88749142
Verdict: | Malicious activity
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Analysis date: | November 15, 2018, 07:21:02
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: | —
Indicators: | —
MIME: | application/pdf
File info: | PDF document, version 1.1
MD5: | 22B5C5E398D0A92F52956B67196D5AE4
SHA1: | 8E23839B82E901BC52EA4713B2655B6D94D7E320
SHA256: | E69F50A9AF4234562CBA5CCDFB5D5F53D0B6C032953CA8C0B4E79112572E8256
SSDEEP: | 96:SrB2naNCs+6owUJXaR2k7h38iBnQThZEC2B1YOJkNCPSoYD:S928VoHBaPhlhQnECaONCPSND
— | Adobe Portable Document Format (100)
PageCount: | 1
Linearized: | No
PDFVersion: | 1.1
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3032 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\e69f50a9af4234562cba5ccdfb5d5f53d0b6c032953ca8c0b4e79112572e8256.doc.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | explorer.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe Acrobat Reader DC; Version: 15.23.20070.215641
820 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\e69f50a9af4234562cba5ccdfb5d5f53d0b6c032953ca8c0b4e79112572e8256.doc.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe Acrobat Reader DC; Version: 15.23.20070.215641
1388 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1nltun1_ui7xdl_ms.tmp\beth.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | AcroRd32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2748 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
2568 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe RdrCEF; Version: 15.23.20053.211670
3128 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2568.0.2035299735\683465337" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe RdrCEF; Version: 15.23.20053.211670
3532 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2568.1.814679365\1720900861" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe RdrCEF; Version: 15.23.20053.211670
2904 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
956 | C:\ProgramData\index.exe | C:\ProgramData\index.exe | — | EQNEDT32.EXE | User: admin; Company: K-Mart Corp.; Integrity Level: MEDIUM; Description: AD certmap authentication provider; Exit code: 0; Version: 13.8.14.4
1484 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Version: 00110900
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB978.tmp.cvr | — | — | —
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_D669597F-65F0-428A-8341-C9DCEBDF4655.0\E38B1739.doc\:Zone.Identifier:$DATA | — | — | —
820 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | — | —
820 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R19z6i3p_ui7xdo_ms.tmp | — | — | —
820 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1ul27at_ui7xdn_ms.tmp | — | — | —
820 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R3jfw46_ui7xdq_ms.tmp | — | — | —
820 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1a25zfe_ui7xdp_ms.tmp | — | — | —
820 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1q4o5m0_ui7xdr_ms.tmp | — | — | —
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_D669597F-65F0-428A-8341-C9DCEBDF4655.0\~WRS{B5A9920B-0A20-45C6-844F-BEBAF122585D}.tmp | — | — | —
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_D669597F-65F0-428A-8341-C9DCEBDF4655.0\~WRF{ABC19386-87F8-48A6-853F-08EF2879EE80}.tmp | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2904 | EQNEDT32.EXE | GET | 200 | 89.46.107.16:80 | http://www.leveleservizimmobiliari.it//bth.exe | IT | executable | 632 Kb | malicious |
3968 | RegAsm.exe | GET | 200 | 104.20.16.242:80 | http://icanhazip.com/ | US | text | 14 b | shared |
3968 | RegAsm.exe | GET | 200 | 104.24.28.29:80 | http://puu.sh/jMSLc.txt | US | text | 28 b | shared |
3032 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
3032 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
3032 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
3032 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
3032 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3648 | bfsvc.exe | 104.24.28.29:443 | puu.sh | Cloudflare Inc | US | shared |
3968 | RegAsm.exe | 104.24.28.29:80 | puu.sh | Cloudflare Inc | US | shared |
3032 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3032 | AcroRd32.exe | 2.16.186.32:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
3968 | RegAsm.exe | 87.250.250.38:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
2904 | EQNEDT32.EXE | 89.46.107.16:80 | www.leveleservizimmobiliari.it | Aruba S.p.A. | IT | suspicious |
3968 | RegAsm.exe | 104.20.16.242:80 | icanhazip.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
acroipm2.adobe.com | — | whitelisted
armmf.adobe.com | — | whitelisted
www.leveleservizimmobiliari.it | — | malicious
ardownload2.adobe.com | — | whitelisted
puu.sh | — | shared
icanhazip.com | — | shared
smtp.yandex.com | — | shared
PID | Process | Class | Message |
---|---|---|---|
2904 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2904 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3968 | RegAsm.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
3968 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Posible Upatre puu.sh double encoded base64 artifact |
Process | Message
---|---
index.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
index.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
index.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
index.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
index.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
index.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
index.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
index.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278