File name: | OpenInvoiceForReview 112018.pdf |
Full analysis: | https://app.any.run/tasks/9887981c-6814-4550-ab59-77a6dbb866b1 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | December 06, 2018, 01:21:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/pdf |
File info: | PDF document, version 1.6 |
MD5: | D3C73D656E94DD48A1F70B5E8EE988F0 |
SHA1: | CDBBD0C364EFB3060550404B6ECC6B61AF621E20 |
SHA256: | F97EDA1CA795BE2E00B97C7FBF4CDE4DF39A064F06DA81443277C6724FFDA405 |
SSDEEP: | 768:4BufqLjuqgqeVp6EHDjlod+kDY5nZ5I9Tfm2O:titgqVQGDEdAm1 |
| | Adobe Portable Document Format (100) |
Producer: | Adobe Acrobat Pro 11.0.16 Paper Capture Plug-in |
---|---|
InstanceID: | uuid:cda183cc-2a4c-462a-95fd-a8bfb9a68680 |
DocumentID: | uuid:2a324572-0c05-4374-b572-91c7533d8223 |
Format: | application/pdf |
CreatorTool: | Adobe Acrobat 11.0.16 |
MetadataDate: | 2018:12:05 15:39:29+03:00 |
CreateDate: | 2018:12:05 15:00:17+03:00 |
ModifyDate: | 2018:12:05 15:39:29+03:00 |
XMPToolkit: | Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03 |
PageCount: | 1 |
---|---|
HasXFA: | No |
Producer: | Adobe Acrobat Pro 11.0.16 Paper Capture Plug-in |
ModifyDate: | 2018:12:05 15:39:29+03:00 |
Creator: | Adobe Acrobat 11.0.16 |
CreateDate: | 2018:12:05 15:00:17+03:00 |
Linearized: | No |
PDFVersion: | 1.6 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\OpenInvoiceForReview 112018.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | explorer.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
2276 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\OpenInvoiceForReview 112018.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3216 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2364 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3216.0.1742824632\64729188" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2484 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3216.1.589835419\1021983681" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
4012 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | AcroRd32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2624 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4012 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2188 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 61.0.2 | ||||
2420 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.0.1356537996\709582694" -childID 1 -isForBrowser -prefsHandle 1476 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 1524 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 | ||||
2692 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.6.855016171\1384134805" -childID 2 -isForBrowser -prefsHandle 1892 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 2288 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 |
(PID) Process: | (2276) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection |
Operation: | write | Name: | bLastExitNormal |
Value: 0 | |||
(PID) Process: | (2276) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\DiskCabs |
Operation: | write | Name: | bForms_AdhocWorkflowBackup |
Value: 0 | |||
(PID) Process: | (2276) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\DiskCabs |
Operation: | write | Name: | bJSCache_GlobData |
Value: 1 | |||
(PID) Process: | (2276) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\DiskCabs |
Operation: | write | Name: | bJSCache_GlobSettings |
Value: 0 | |||
(PID) Process: | (2276) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral |
Operation: | write | Name: | bExpandRHPInViewer |
Value: 1 | |||
(PID) Process: | (4012) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (4012) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (4012) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (4012) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
(PID) Process: | (4012) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2276 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
4012 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
4012 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2624 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].txt | — | |
MD5:— | SHA256:— | |||
2276 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1b1vcri_13xl23c_1r8.tmp | — | |
MD5:— | SHA256:— | |||
2276 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rxo65q9_13xl23b_1r8.tmp | — | |
MD5:— | SHA256:— | |||
2276 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R108fmye_13xl23a_1r8.tmp | — | |
MD5:— | SHA256:— | |||
2276 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rjvs0cg_13xl239_1r8.tmp | — | |
MD5:— | SHA256:— | |||
2276 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rvzml2y_13xl23d_1r8.tmp | — | |
MD5:— | SHA256:— | |||
2188 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
2188 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2188 | firefox.exe | GET | 200 | 2.16.186.56:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 55.2 Kb | whitelisted |
2188 | firefox.exe | POST | 200 | 72.247.178.16:80 | http://ocsp.int-x3.letsencrypt.org/ | NL | der | 527 b | whitelisted |
2188 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2188 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2964 | AcroRd32.exe | 2.16.186.32:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
4012 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2624 | iexplore.exe | 195.123.212.248:443 | adobeupdate.co | ITL Company | LV | unknown |
2964 | AcroRd32.exe | 23.210.248.251:443 | armmf.adobe.com | Akamai International B.V. | NL | whitelisted |
2188 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2188 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2188 | firefox.exe | 34.208.7.98:443 | tiles.r53-2.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2188 | firefox.exe | 52.27.184.151:443 | search.r53-2.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2188 | firefox.exe | 52.222.159.245:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
2188 | firefox.exe | 34.251.59.153:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
adobeupdate.co |
| malicious |
armmf.adobe.com |
| whitelisted |
acroipm2.adobe.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2188 | firefox.exe | unknown | SURICATA IPv4 invalid checksum |