File name: Soda_PDF_6_Installer.exe
Full analysis: https://app.any.run/tasks/ca377ad7-42b1-471e-8f93-cde34ca0b508
Verdict: Malicious activity
Threats: loader (generic description for the tag)

A loader is malicious software that infiltrates a device in order to deliver further payloads. After infection it profiles the system and installs other threats such as trojans or stealers. Loaders are usually delivered through phishing e-mails and links, relying on social engineering to get the user to download and run the executable, and they use evasion and persistence techniques to avoid detection.

Analysis date: May 21, 2019, 01:12:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
loader
PUA
Lulu
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AF71FB9E57248DA7EA50999B85394147
SHA1: E9F86405B764E40D571EAE91E82844B0C56E85B0
SHA256: E72717ABCBCA323E60C3B5E3BF685967D0707A2492E6C14099B81C0B93BC191C
SSDEEP: 196608:x3247Rar3qw6aYqRC2HbFyuA9+NoYc+Z04cp4ArqNjeBEp2NJXCS8ZBlyAv0RbI:bYRCFVZYc+ZJc7rqNBp2NJToBUbI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • Soda_PDF_6_Installer.exe (PID: 2276)
    • Loads dropped or rewritten executable

      • Soda_PDF_6_Installer.exe (PID: 2276)
      • regsvr32.exe (PID: 1304)
      • ws.exe (PID: 3212)
      • crash-handler-ws.exe (PID: 1440)
      • MsiExec.exe (PID: 2468)
      • MsiExec.exe (PID: 2788)
      • MsiExec.exe (PID: 2228)
    • Downloads executable files from the Internet

      • Soda_PDF_6_Installer.exe (PID: 2276)
    • Application was dropped or rewritten from another process

      • Soda Manager.exe (PID: 3288)
      • Soda Manager.exe (PID: 184)
      • crash-handler-ws.exe (PID: 1440)
      • ws.exe (PID: 3212)
    • Changes settings of System certificates

      • msiexec.exe (PID: 2796)
  • SUSPICIOUS

    • Starts itself from another location

      • Soda_PDF_6_Installer.exe (PID: 2276)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 1304)
      • MsiExec.exe (PID: 2468)
      • MsiExec.exe (PID: 2228)
      • MsiExec.exe (PID: 2788)
    • Executable content was dropped or overwritten

      • Soda_PDF_6_Installer.exe (PID: 2276)
      • msiexec.exe (PID: 2796)
    • Creates files in the program directory

      • Soda_PDF_6_Installer.exe (PID: 2276)
    • Executed as Windows Service

      • vssvc.exe (PID: 2736)
      • Soda Manager.exe (PID: 184)
    • Executed via COM

      • DrvInst.exe (PID: 2544)
      • DrvInst.exe (PID: 1796)
      • DrvInst.exe (PID: 1412)
      • DrvInst.exe (PID: 676)
      • DrvInst.exe (PID: 3324)
      • DrvInst.exe (PID: 3540)
      • DrvInst.exe (PID: 2244)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 2796)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 2796)
    • Creates a software uninstall entry

      • Soda_PDF_6_Installer.exe (PID: 2276)
    • Adds / modifies Windows certificates

      • msiexec.exe (PID: 2796)
  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 2796)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2736)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 2544)
      • DrvInst.exe (PID: 676)
    • Application launched itself

      • msiexec.exe (PID: 2796)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 2544)
      • DrvInst.exe (PID: 676)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 2796)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2796)
    • Creates files in the program directory

      • msiexec.exe (PID: 2796)
No Malware configuration.

TRiD

.ax | DirectShow filter (53.2)
.odttf | Obfuscated subsetted Font (13.7)
.exe | Win32 Executable (generic) (1.1)
.exe | Generic Win/DOS Executable (0.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:09 15:46:47+01:00
PEType: PE32
LinkerVersion: 10
CodeSize: 4476416
InitializedDataSize: 5869568
UninitializedDataSize: -
EntryPoint: 0x3c4fd4
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 6.5.22.26218
ProductVersionNumber: 6.5.22.26218
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: LULU Software Limited
FileDescription: Soda PDF 6 Installer
FileVersion: 6.5.22.26218
InternalName: PDF Installer.exe
LegalCopyright: © "LULU Software Limited" 2010-2013. All rights reserved.
OriginalFileName: PDF Installer.exe
ProductName: Soda PDF 6 Installer
ProductVersion: 6.5.22.26218

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Dec-2015 14:46:47
Detected languages:
  • English - United States
  • Russian - Russia
TLS Callbacks: 1 callback(s) detected.
Debug artifacts:
  • W:\TemporaryBuilds\29\166\src\Trunk\_bin\Win32\Release\GlamInstallerCom\GlamInstallerCom.pdb
CompanyName: LULU Software Limited
FileDescription: Soda PDF 6 Installer
FileVersion: 6.5.22.26218
InternalName: PDF Installer.exe
LegalCopyright: © "LULU Software Limited" 2010-2013. All rights reserved.
OriginalFilename: PDF Installer.exe
ProductName: Soda PDF 6 Installer
ProductVersion: 6.5.22.26218

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of new EXE header (e_lfanew, offset of the PE signature): 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 09-Dec-2015 14:46:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name   | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                                    | Entropy
.text  | 0x00001000      | 0x00444D80   | 0x00444E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                      | 6.67336
.rdata | 0x00446000      | 0x000E3C06   | 0x000E3E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                 | 5.38831
.data  | 0x0052A000      | 0x00048EA4   | 0x00030200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE            | 5.57987
.tls   | 0x00573000      | 0x00000002   | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE            | 0
.rsrc  | 0x00574000      | 0x00423D90   | 0x00423E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                 | 7.06646
.reloc | 0x00998000      | 0x00060FE6   | 0x00061000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ      | 4.98372

Resources

Title | Entropy | Size | Codepage                   | Language                | Type
1     | 5.13457 | 560  | Latin 1 / Western European | English - United States | RT_MANIFEST
2     | 4.23411 | 4264 | Latin 1 / Western European | English - United States | RT_ICON
3     | 3.90074 | 9640 | Latin 1 / Western European | English - United States | RT_ICON
4     | 3.04588 | 308  | Latin 1 / Western European | English - United States | RT_CURSOR
5     | 2.63031 | 308  | Latin 1 / Western European | English - United States | RT_CURSOR
6     | 2.1867  | 308  | Latin 1 / Western European | English - United States | RT_CURSOR
7     | 1.78405 | 64   | Latin 1 / Western European | English - United States | RT_STRING
13    | 1.8271  | 64   | Latin 1 / Western European | Russian - Russia        | RT_STRING
101   | 2.79248 | 12   | Latin 1 / Western European | English - United States | REGISTRY
106   | 5.32964 | 477  | Latin 1 / Western European | Russian - Russia        | REGISTRY

Imports

ADVAPI32.dll (delay-loaded)
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IMM32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
No data.
Total processes: 62
Monitored processes: 22
Malicious processes: 5
Suspicious processes: 3

Behavior graph

(Interactive graph, available in the full report. Nodes: soda_pdf_6_installer.exe (three instances, joined by "drop and start" edges), regsvr32.exe, msiexec.exe (several instances), vssvc.exe, drvinst.exe (several instances), soda manager.exe (two instances), crash-handler-ws.exe, ws.exe.)

Process information

PID 2476 (parent: explorer.exe)
  Command line: "C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe
  User: admin | Integrity level: MEDIUM | Company: LULU Software Limited
  Description: Soda PDF 6 Installer | Version: 6.5.22.26218
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch could not continue without elevation; the same command line then ran at HIGH integrity as PID 2276)

PID 2276 (parent: explorer.exe)
  Command line: "C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe
  User: admin | Integrity level: HIGH | Company: LULU Software Limited
  Description: Soda PDF 6 Installer | Version: 6.5.22.26218

PID 2700 (parent: Soda_PDF_6_Installer.exe)
  Command line: "C:\ProgramData\Soda PDF 6\Installation\Soda_PDF_6_Installer.exe" /RegServer
  Path: C:\ProgramData\Soda PDF 6\Installation\Soda_PDF_6_Installer.exe
  User: admin | Integrity level: HIGH | Company: LULU Software Limited
  Description: Soda PDF 6 Installer | Version: 6.5.22.26218
  Exit code: 0

PID 1304 (parent: Soda_PDF_6_Installer.exe)
  Command line: regsvr32.exe /s "C:\ProgramData\Soda PDF 6\Installation\Statistics.dll"
  Path: C:\Windows\system32\regsvr32.exe
  User: admin | Integrity level: HIGH | Company: Microsoft Corporation
  Description: Microsoft(C) Register Server | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 2796 (parent: services.exe)
  Command line: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  User: SYSTEM | Integrity level: SYSTEM | Company: Microsoft Corporation
  Description: Windows® installer | Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2736 (parent: services.exe)
  Command line: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  User: SYSTEM | Integrity level: SYSTEM | Company: Microsoft Corporation
  Description: Microsoft® Volume Shadow Copy Service | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2544 (parent: svchost.exe)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000004AC" "00000334"
  Path: C:\Windows\system32\DrvInst.exe
  User: SYSTEM | Integrity level: SYSTEM | Company: Microsoft Corporation
  Description: Driver Installation Module | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 2520 (parent: msiexec.exe)
  Command line: C:\Windows\system32\MsiExec.exe -Embedding D905221281A1CF437DE1F3381BA7F851 M Global\MSI0000
  Path: C:\Windows\system32\MsiExec.exe
  User: SYSTEM | Integrity level: SYSTEM | Company: Microsoft Corporation
  Description: Windows® installer | Version: 5.0.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 3288 (parent: MsiExec.exe)
  Command line: "C:\ProgramData\LULU Software\Soda PDF 6 Manager\Soda PDF 6\Soda Manager.exe" -service
  Path: C:\ProgramData\LULU Software\Soda PDF 6 Manager\Soda PDF 6\Soda Manager.exe
  User: SYSTEM | Integrity level: SYSTEM | Company: LULU Software Limited
  Description: Messenger service | Version: 8.1.0.0
  Exit code: 0

PID 184 (parent: services.exe)
  Command line: "C:\ProgramData\LULU Software\Soda PDF 6 Manager\Soda PDF 6\Soda Manager.exe"
  Path: C:\ProgramData\LULU Software\Soda PDF 6 Manager\Soda PDF 6\Soda Manager.exe
  User: SYSTEM | Integrity level: SYSTEM | Company: LULU Software Limited
  Description: Messenger service | Version: 8.1.0.0
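
Several of the MALICIOUS and SUSPICIOUS signatures above (regsvr32 registering a DLL from ProgramData, the installer re-launching itself from another directory, a third-party binary started by services.exe as SYSTEM) and the elevation from PID 2476 to PID 2276 can be recovered from the process table alone. The Python below is an added example (not ANY.RUN's detection code) that encodes those four checks as functions over process-creation events constructed from the table above; the trusted-directory list and the rule names are assumptions. All four also fire on a legitimate commercial installer, so they are triage signals to be weighed against the file and network evidence rather than verdicts on their own.

```python
"""Added example: process-tree triage rules over sandbox process-creation events."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

STATUS_ELEVATION_REQUIRED = 0xC000042C  # NTSTATUS; 3221226540 in decimal, the exit code of PID 2476 above
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed list


@dataclass
class ProcEvent:
    pid: int
    image: str           # full path of the executable
    cmdline: str
    parent_image: str    # image name of the parent process
    user: str
    integrity: str       # LOW / MEDIUM / HIGH / SYSTEM
    company: str
    exit_code: Optional[int] = None


# Constructed from the Process information table above (a subset; not a sandbox export).
EVENTS = [
    ProcEvent(2476, r"C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe"',
              "explorer.exe", "admin", "MEDIUM", "LULU Software Limited", 3221226540),
    ProcEvent(2276, r"C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Soda_PDF_6_Installer.exe"',
              "explorer.exe", "admin", "HIGH", "LULU Software Limited"),
    ProcEvent(2700, r"C:\ProgramData\Soda PDF 6\Installation\Soda_PDF_6_Installer.exe",
              r'"C:\ProgramData\Soda PDF 6\Installation\Soda_PDF_6_Installer.exe" /RegServer',
              "Soda_PDF_6_Installer.exe", "admin", "HIGH", "LULU Software Limited", 0),
    ProcEvent(1304, r"C:\Windows\system32\regsvr32.exe",
              r'regsvr32.exe /s "C:\ProgramData\Soda PDF 6\Installation\Statistics.dll"',
              "Soda_PDF_6_Installer.exe", "admin", "HIGH", "Microsoft Corporation", 0),
    ProcEvent(2796, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V",
              "services.exe", "SYSTEM", "SYSTEM", "Microsoft Corporation"),
    ProcEvent(184, r"C:\ProgramData\LULU Software\Soda PDF 6 Manager\Soda PDF 6\Soda Manager.exe",
              r'"C:\ProgramData\LULU Software\Soda PDF 6 Manager\Soda PDF 6\Soda Manager.exe"',
              "services.exe", "SYSTEM", "SYSTEM", "LULU Software Limited"),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_regsvr32_untrusted_dll(events: List[ProcEvent]) -> List[str]:
    """'Registers / Runs the DLL via REGSVR32.EXE' for a DLL outside Windows or Program Files."""
    out = []
    for ev in events:
        if basename(ev.image) != "regsvr32.exe":
            continue
        m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', ev.cmdline, re.IGNORECASE)
        dll = (m.group(1) or m.group(2)) if m else None
        if dll and not dll.lower().startswith(TRUSTED_DIRS):
            out.append(f"PID {ev.pid}: regsvr32 registered {dll} (parent {ev.parent_image})")
    return out


def rule_self_relaunch(events: List[ProcEvent]) -> List[str]:
    """'Starts itself from another location': an image spawned by a same-named parent that lives elsewhere."""
    out = []
    for ev in events:
        if ev.parent_image.lower() != basename(ev.image):
            continue
        here = ntpath.dirname(ev.image).lower()
        elsewhere = {ntpath.dirname(p.image).lower() for p in events
                     if p.pid != ev.pid and basename(p.image) == basename(ev.image)}
        if elsewhere - {here}:
            out.append(f"PID {ev.pid}: {basename(ev.image)} relaunched from {ntpath.dirname(ev.image)}")
    return out


def rule_uac_elevation(events: List[ProcEvent]) -> List[str]:
    """A launch that exits STATUS_ELEVATION_REQUIRED followed by the same command line at HIGH or SYSTEM."""
    out = []
    for ev in events:
        if ev.exit_code != STATUS_ELEVATION_REQUIRED:
            continue
        for later in events:
            if later.pid != ev.pid and later.cmdline == ev.cmdline and later.integrity in ("HIGH", "SYSTEM"):
                out.append(f"PID {ev.pid} ({ev.integrity}) -> PID {later.pid} ({later.integrity}): UAC elevation")
    return out


def rule_service_outside_trusted_dirs(events: List[ProcEvent]) -> List[str]:
    """'Executed as Windows Service': non-Microsoft binary in a user-writable directory, started by services.exe."""
    return [f"PID {ev.pid}: {ev.image} runs as {ev.user} from a non-trusted directory"
            for ev in events
            if ev.parent_image.lower() == "services.exe" and ev.user == "SYSTEM"
            and ev.company != "Microsoft Corporation" and not ev.image.lower().startswith(TRUSTED_DIRS)]


def triage(events: List[ProcEvent]) -> Dict[str, List[str]]:
    return {
        "regsvr32_untrusted_dll": rule_regsvr32_untrusted_dll(events),
        "self_relaunch": rule_self_relaunch(events),
        "uac_elevation": rule_uac_elevation(events),
        "service_outside_trusted_dirs": rule_service_outside_trusted_dirs(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

The elevation rule keys on the exit code rather than on a UAC consent event because sandbox process tables rarely carry the consent.exe interaction; the pair "same command line, MEDIUM then HIGH" is what remains visible.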
Total events: 7 376
Read events: 5 111
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 118
Suspicious files: 240
Text files: 719
Unknown types: 7

Dropped files

PID 2276  Soda_PDF_6_Installer.exe
  C:\ProgramData\Soda PDF 6\Installation\statistic.xml.zip
  Type: (not shown) | MD5: (not shown) | SHA256: (not shown)

PID 2796  msiexec.exe
  C:\System Volume Information\SPP\metadata-2
  Type: (not shown) | MD5: (not shown) | SHA256: (not shown)

PID 2276  Soda_PDF_6_Installer.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ipservice[1].asmx
  Type: xml | MD5: AEFA2B960E6B65B34DFEECAA6123FADA
  SHA256: 11B300C1146388B6C4F2E75B3002267F606CC38FA8DC0F867E1801F2EDAF812D

PID 2796  msiexec.exe
  C:\System Volume Information\SPP\snapshot-2
  Type: binary | MD5: 871FA3E4541F66E6CE2CB48F980FC094
  SHA256: D3610229E3E2D037787963D5D9276CD1FC56CB36A863D351CDA55447D7BE1E00

PID 2276  Soda_PDF_6_Installer.exe
  C:\ProgramData\Soda PDF 6\Installation\statistic.xml
  Type: compressed | MD5: C3F79DE69E7C3308C525EFE1BC676E1E
  SHA256: 6032C5F736B15E73B80FF041BEB4880B66536BA450C16564F72067A33326336F

PID 2276  Soda_PDF_6_Installer.exe
  C:\ProgramData\Soda PDF 6\Installation\Soda_Manager_Setup_6.0.0.0.msi
  Type: executable | MD5: B3192CC5158A2C3DED4203AC766E2CBD
  SHA256: 2C9919DC5B70889CA8E92AE5AB81DEC1E3091B5B9FB7F4BC8A6CB5442E54C5B5

PID 2276  Soda_PDF_6_Installer.exe
  C:\ProgramData\Soda PDF 6\Installation\Statistics.dll
  Type: executable | MD5: 087F781B6A7E905ABE2D5D97CE76CCF5
  SHA256: 3DD28C781E85B40A177B30F5476E67E1F42D289144B2EDD1D7D5A059E7749CAE

PID 2544  DrvInst.exe
  C:\Windows\INF\setupapi.ev1
  Type: binary | MD5: 175D340E919081B47932D86D936DD7D6
  SHA256: AE8C75817A9821F4EE13F4344AB8864E27CD63E4BA91E6E56F92AAE6DC40674D

PID 2544  DrvInst.exe
  C:\Windows\INF\setupapi.ev3
  Type: binary | MD5: 76DCC60F78B3DFF1AE3627619074F465
  SHA256: 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0

PID 2276  Soda_PDF_6_Installer.exe
  C:\ProgramData\Soda PDF 6\Installation\Soda_PDF_6_Installer.exe
  Type: executable | MD5: AF71FB9E57248DA7EA50999B85394147 (identical to the submitted sample)
  SHA256: E72717ABCBCA323E60C3B5E3BF685967D0707A2492E6C14099B81C0B93BC191C
HTTP(S) requests: 97
TCP/UDP connections: 97
DNS requests: 7
Threats: 0

HTTP requests

(Type and Size are empty for these HEAD requests and are omitted.)

PID  | Process                  | Method | HTTP code | IP:port           | URL                                                                            | Country | Reputation
2276 | Soda_PDF_6_Installer.exe | HEAD   | 200       | 64.15.159.204:80  | http://redamex.sodapdf.com/sodapdf6/6.5.6.26201/soda6-startup-6.5.6.26201.msi      | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 302       | 64.15.159.203:80  | http://cdn.lulusoft.com/download/sodapdf/sodapdf6/main                          | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 302       | 64.15.159.203:80  | http://cdn.lulusoft.com/download/sodapdf/sodapdf6/main                          | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 200       | 64.15.159.204:80  | http://redamex.sodapdf.com/sodapdf6/6.5.6.26201/soda6-review-module-6.5.6.26201.msi | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 302       | 64.15.159.202:80  | http://download6.sodapdf.com/module/main                                       | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 200       | 64.15.159.204:80  | http://redamex.sodapdf.com/sodapdf6/6.5.6.26201/soda6-startup-6.5.6.26201.msi      | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 302       | 64.15.159.202:80  | http://download6.sodapdf.com/module/forms                                      | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 302       | 64.15.159.203:80  | http://cdn.lulusoft.com/download/sodapdf/sodapdf6/insert                        | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 302       | 64.15.159.202:80  | http://download6.sodapdf.com/module/main                                       | CA      | suspicious
2276 | Soda_PDF_6_Installer.exe | HEAD   | 302       | 64.15.159.203:80  | http://cdn.lulusoft.com/download/sodapdf/sodapdf6/review                        | CA      | suspicious

Connections

PID         | Process                  | IP:port            | Domain                         | ASN                           | Country | Reputation
(not shown) | (not shown)              | 64.15.159.204:80   | redamex.sodapdf.com            | iWeb Technologies Inc.        | CA      | suspicious
2276        | Soda_PDF_6_Installer.exe | 64.15.159.202:80   | download6.sodapdf.com          | iWeb Technologies Inc.        | CA      | suspicious
2276        | Soda_PDF_6_Installer.exe | 64.15.159.203:80   | update.lulusoft.com            | iWeb Technologies Inc.        | CA      | suspicious
2276        | Soda_PDF_6_Installer.exe | 64.15.159.204:80   | redamex.sodapdf.com            | iWeb Technologies Inc.        | CA      | suspicious
2276        | Soda_PDF_6_Installer.exe | 104.17.177.102:80  | webcompanion.com               | Cloudflare Inc                | US      | shared
2796        | msiexec.exe              | 205.185.216.42:80  | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US      | whitelisted

DNS requests

Domain                         | IP(s)                           | Reputation
update.lulusoft.com            | 64.15.159.203                   | suspicious
wsgeoip.lulusoft.com           | 64.15.159.203                   | suspicious
download6.sodapdf.com          | 64.15.159.202                   | unknown
cdn.lulusoft.com               | 64.15.159.203                   | suspicious
redamex.sodapdf.com            | 64.15.159.204                   | suspicious
webcompanion.com               | 104.17.177.102, 104.17.178.102  | malicious
www.download.windowsupdate.com | 205.185.216.42, 205.185.216.10  | whitelisted

Threats

PID  | Process                  | Class                                 | Message
2276 | Soda_PDF_6_Installer.exe | Misc activity                         | SUSPICIOUS [PTsecurity] External IP Lookup (lulusoft.com)
2276 | Soda_PDF_6_Installer.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2276 | Soda_PDF_6_Installer.exe | Misc activity                         | ET INFO EXE - Served Attached HTTP

1 ETPRO signature is available in the full report.
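
The IDS signatures above fire on three things that are also visible in the HTTP table: installer packages probed and fetched over cleartext HTTP, a PE body inside a response, and an executable served with a Content-Disposition attachment. The Python below is an added example (not the ET rules themselves and not ANY.RUN's code) that reproduces those three checks over captured request/response pairs. The report shows only request methods and status codes, so the response headers and bodies, the hosts under example.invalid, the executable-extension list and the finding texts are all assumptions; the two real URLs are taken from the table above.

```python
"""Added example: flag executable delivery over cleartext HTTP in captured request/response pairs."""
import re
from typing import Dict, List, Optional, Tuple

EXEC_EXTENSIONS = (".exe", ".dll", ".msi", ".scr")  # assumed list


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status code, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def looks_like_pe(body: bytes) -> bool:
    """MZ magic plus a PE signature at e_lfanew, so a text body that merely starts with 'MZ' is not matched."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def attachment_filename(headers: Dict[str, str]) -> Optional[str]:
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.IGNORECASE)
    return m.group(1).strip() if m else None


def classify_exchange(method: str, url: str, raw_response: bytes) -> List[str]:
    """Policy findings for one request/response pair; an empty list means nothing to flag."""
    status, headers, body = parse_http_response(raw_response)
    cleartext = url.lower().startswith("http://")
    path = url.split("?", 1)[0].lower()
    findings: List[str] = []
    if cleartext and method.upper() == "HEAD" and status in (200, 302) and path.endswith(EXEC_EXTENSIONS):
        findings.append("HEAD probe for an installer package over cleartext HTTP")
    if cleartext and looks_like_pe(body):
        findings.append("PE executable body downloaded over cleartext HTTP")
    name = attachment_filename(headers)
    if name and name.lower().endswith(EXEC_EXTENSIONS):
        findings.append(f"executable served as attachment: {name}")
    return findings


def build_pe_stub() -> bytes:
    """Constructed 0x48-byte body that satisfies looks_like_pe(); it is not a runnable program."""
    body = bytearray(0x48)
    body[:2] = b"MZ"
    body[0x3C:0x40] = (0x40).to_bytes(4, "little")
    body[0x40:0x44] = b"PE\0\0"
    return bytes(body)


# The first two URLs come from the HTTP table above; every response, and the example.invalid hosts, are constructed.
SAMPLE_EXCHANGES = [
    ("HEAD", "http://redamex.sodapdf.com/sodapdf6/6.5.6.26201/soda6-startup-6.5.6.26201.msi",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 1048576\r\n\r\n"),
    ("HEAD", "http://cdn.lulusoft.com/download/sodapdf/sodapdf6/main",
     b"HTTP/1.1 302 Found\r\nLocation: http://mirror.example.invalid/main.msi\r\n\r\n"),
    ("GET", "http://mirror.example.invalid/setup",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     b'Content-Disposition: attachment; filename="setup.exe"\r\n\r\n' + build_pe_stub()),
    ("GET", "http://mirror.example.invalid/index.html",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nMZ at the start of text is not a PE header"),
]


def run_all() -> Dict[str, List[str]]:
    return {url: classify_exchange(method, url, raw) for method, url, raw in SAMPLE_EXCHANGES}


if __name__ == "__main__":
    for url, findings in run_all().items():
        print(url, "->", findings or "clean")
```

The body check deliberately requires the PE signature at e_lfanew rather than just the two MZ bytes; over a real PCAP the bodies come from reassembled TCP streams, and a partial first segment shorter than 0x40 bytes is reported as "not PE" rather than guessed.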
No debug info