
Analysis Report EnhancedDueDiligenceReportCatalogue.pdf

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 102800
Start date: 11.01.2019
Start time: 19:24:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: EnhancedDueDiligenceReportCatalogue.pdf
Cookbook file name: defaultwindowspdfcookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winPDF@19/8@0/1
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .pdf
  • Found PDF document
  • Find and activate links
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 0     | 0 - 100 | Report FP / FN | false       | clean

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 4     | 0 - 5 | false                      |


Classification

Analysis Advice

No malicious behavior found; analyze the document also on other versions of Office / Acrobat.



Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Signature Overview



Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 3.3.0.2
Urls found in memory or binary data
Source: EnhancedDueDiligenceReportCatalogue.pdf | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: EnhancedDueDiligenceReportCatalogue.pdf | String found in binary or memory: http://www.masterfile.com
Source: EnhancedDueDiligenceReportCatalogue.pdf | String found in binary or memory: http://www.northplains.com/xmpnps/cov/1.0/

System Summary:

Classification label
Source: classification engine | Classification label: clean0.winPDF@19/8@0/1
Clickable URLs found in PDF
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: http://risk.thomsonreuters.com/contact-sales
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: https://risk.thomsonreuters.com/products/thomson-reuters-enhanced-due-diligence
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: http://risk.thomsonreuters.com
Creates files inside the user directory
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Creates temporary files
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1skwldr_b9j6gd_3t8.tmp
Reads ini files
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File read: C:\Program Files (x86)\desktop.ini
Spawns processes
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\EnhancedDueDiligenceReportCatalogue.pdf'
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\EnhancedDueDiligenceReportCatalogue.pdf'
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=23C1617B868C61F192D835F8CE28DA3B --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F3F587BF9E3915979D1A99CD6CD829A4 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=87AC9892CC2F39F367AC680BD47940B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=57627A1E618870AA1826E406858C8655 --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=2D83BD07E30836F8062A50AFC5D15A78 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe' /PRODUCT:Reader /VERSION:19.0 /MODE:3
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=0C05DA2149E4DA446DA2C924ACC714C2 --mojo-platform-channel-handle=2820 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\EnhancedDueDiligenceReportCatalogue.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe' /PRODUCT:Reader /VERSION:19.0 /MODE:3
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=23C1617B868C61F192D835F8CE28DA3B --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F3F587BF9E3915979D1A99CD6CD829A4 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=87AC9892CC2F39F367AC680BD47940B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=57627A1E618870AA1826E406858C8655 --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=2D83BD07E30836F8062A50AFC5D15A78 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=0C05DA2149E4DA446DA2C924ACC714C2 --mojo-platform-channel-handle=2820 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Writes ini files
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | File written: C:\Users\user\AppData\Local\Temp\ArmUI.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
PDF has a JavaScript or JS counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword /JavaScript count = 0
PDF has a Page (number of pages) counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword /Page count = 18
PDF has a stream counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword stream count = 459
PDF has an EmbeddedFile counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword /EmbeddedFile count = 0
PDF has an ObjStm (object streams) counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword /ObjStm count = 29
PDF has an endobj counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword endobj count = 479
PDF has an endstream counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword endstream count = 459
PDF has an obj counter value indicative of goodware
Source: EnhancedDueDiligenceReportCatalogue.pdf | Initial sample: PDF keyword obj count = 479

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Behavior Graph

Behavior Graph ID: 102800
Sample: EnhancedDueDiligenceReportCatalogue.pdf
Startdate: 11/01/2019
Architecture: WINDOWS
Score: 0

Process tree recovered from the graph (the graph image itself is not part of this text):
  • AcroRd32.exe
    • RdrCEF.exe
      • RdrCEF.exe (connects to 3.3.0.2, AS3215FR, United States)
      • RdrCEF.exe
      • RdrCEF.exe
      • 3 other processes
    • AcroRd32.exe
    • AdobeARM.exe

Simulations

Behavior and APIs

Time     | Type            | Description
19:25:26 | API Interceptor | 1x Sleep call for process: AcroRd32.exe modified
19:25:35 | API Interceptor | 1x Sleep call for process: RdrCEF.exe modified

Antivirus Detection

Initial Sample

Source                                  | Detection | Scanner    | Label
EnhancedDueDiligenceReportCatalogue.pdf | 0%        | virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source                                     | Detection | Scanner         | Label
http://www.northplains.com/xmpnps/cov/1.0/ | 0%        | virustotal      |
http://www.northplains.com/xmpnps/cov/1.0/ | 0%        | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


Domains

No context

ASN


Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.