Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sample.zip

Zip archive data, at least v4.5 to extract, compression method=deflate

initial sample

Details

Filetype:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy:	7.999977856535126
Filename:	sample.zip
Filesize:	8281127
MD5:	4005a02a0c6cb5c3788e2db26c550e42
SHA1:	ec3b62c152af665afeb22a7723a1e0ab4edf8605
SHA256:	a8169538a9e5a7d6fd996e04f3688a992590f84421c0d4a1e56cfdba413eb7c7
SHA512:	2d911a6867c1ac6a0c82c8768dd7fdc64638de7478a83986a7df53ae58e712349de40f86b404da0c7b774d1582d72694db0e733fb08d70dd6f28ac8bf12c084a
SSDEEP:	196608:mriwijy95p6tF6waHa1RJiUfoGvShq4+INpMi2ijDU3yEt66dy:m2wRbIEkf16Lpz0izZ
Preview:	PK..-.........6.i?.Y~.....=...Device/HarddiskVolume3/Users/aiciaboyd/Downloads/PDFixers.exe......................5u.!N..By........z....x...n$)....aw...\|.m..(.f.x...a.A6.. ..y.,4.F....$[.<MI.<.r....Z....*.A.U..p.3PuT....1Oti...g9.....a.....=8GL}zm...a..B..

Signature Hits	Behavior Group	Mitre Attack
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HAYXG4SY\LMPPM1MU.htm

HTML document, ASCII text, with very long lines (10298), with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HAYXG4SY\LMPPM1MU.htm
Category:	dropped
Dump:	LMPPM1MU.htm.13.dr
ID:	dr_3
Target ID:	13
Process:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Type:	HTML document, ASCII text, with very long lines (10298), with CRLF line terminators
Entropy:	5.603743586082438
Encrypted:	false
Size:	33684
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LBJSHBRP\css2[1].css

ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LBJSHBRP\css2[1].css
Category:	dropped
Dump:	css2[1].css.13.dr
ID:	dr_5
Target ID:	13
Process:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Type:	ASCII text
Entropy:	5.565724594514051
Encrypted:	false
Size:	306
Whitelisted:	false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LBJSHBRP\email-decode.min[1].js

HTML document, ASCII text, with very long lines (1238)

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LBJSHBRP\email-decode.min[1].js
Category:	dropped
Dump:	email-decode.min[1].js.13.dr
ID:	dr_4
Target ID:	13
Process:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Type:	HTML document, ASCII text, with very long lines (1238)
Entropy:	5.068464054671174
Encrypted:	false
Size:	1239
Whitelisted:	false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MX73DBBW\font[1].eot

Embedded OpenType (EOT), Nunito Sans 12pt Light family

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MX73DBBW\font[1].eot
Category:	dropped
Dump:	font[1].eot.13.dr
ID:	dr_6
Target ID:	13
Process:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Type:	Embedded OpenType (EOT), Nunito Sans 12pt Light family
Entropy:	7.965514187975993
Encrypted:	false
Size:	43569
Whitelisted:	false

C:\Users\user\AppData\Roaming\SumatraPDF\SumatraPDF-3.5.2-64.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\SumatraPDF\SumatraPDF-3.5.2-64.exe
Category:	dropped
Dump:	SumatraPDF-3.5.2-64.exe.13.dr
ID:	dr_1
Target ID:	13
Process:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.0278259579196165
Encrypted:	false
Size:	16065496
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Drops PE files	Persistence and Installation Behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Searches for user specific document files	Stealing of Sensitive Information	Data from Local System File and Directory Discovery
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Executable creates window controls seldom found in malware	System Summary

C:\Users\user\AppData\Roaming\SumatraPDF\SumatraPDF-settings.txt

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\SumatraPDF\SumatraPDF-settings.txt
Category:	dropped
Dump:	SumatraPDF-settings.txt.16.dr
ID:	dr_7
Target ID:	16
Process:	C:\Users\user\AppData\Roaming\SumatraPDF\SumatraPDF-3.5.2-64.exe
Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	5.182086908460794
Encrypted:	false
Size:	1900
Whitelisted:	false

C:\Users\user\AppData\Roaming\SumatraPDF\SumatraPDF.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\AppData\Roaming\SumatraPDF\SumatraPDF.zip
Category:	dropped
Dump:	SumatraPDF.zip.13.dr
ID:	dr_0
Target ID:	13
Process:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.998709533933773
Encrypted:	true
Size:	8243933
Whitelisted:	false

C:\Users\user\Desktop\SumatraPDF.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Apr 18 16:16:38 2024, mtime=Thu Apr 18 16:16:38 2024, atime=Wed Oct 25 05:17:54 2023, length=16065496, window=hide

dropped

Details

File:	C:\Users\user\Desktop\SumatraPDF.lnk
Category:	dropped
Dump:	SumatraPDF.lnk.13.dr
ID:	dr_2
Target ID:	13
Process:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Apr 18 16:16:38 2024, mtime=Thu Apr 18 16:16:38 2024, atime=Wed Oct 25 05:17:54 2023, length=16065496, window=hide
Entropy:	5.031363836483372
Encrypted:	false
Size:	961
Whitelisted:	false

Domains

Name

Malicious

pixel.pdfixers.com

172.67.147.142

Details

Name:	pixel.pdfixers.com
IP:	172.67.147.142
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

142.250.105.94

unknown

United States

172.67.147.142

pixel.pdfixers.com

United States

Details

IP:	172.67.147.142
TargetID:	13
Current Path:	C:\Users\user\Desktop\sample\Device\HarddiskVolume3\Users\aiciaboyd\Downloads\PDFixers.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	pixel.pdfixers.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.253.124.95

unknown

United States

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sample.zip

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsample.zip

Files

Domains

IPs

IOC Report
sample.zip