Windows Analysis Report
Confirmation Andrea Cuevas Sepulveda (Request).pdf

Overview

General Information

Sample name: Confirmation Andrea Cuevas Sepulveda (Request).pdf
Analysis ID: 1428450
MD5: ff790714bec9adb9dcc958b159555c00
SHA1: 4bb9d78b50fa65b281693a3cdaf559411d096a62
SHA256: 9d68bfaf1a38b71af02f835d87ff1e4f6b38a305466c7fa533151a87d1604511

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

IP address seen in connection with other malware
Phishing site detected (based on OCR NLP Model)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Source: Adobe Acrobat PDF ML Model on OCR Text: Matched 80.2% probability on "Digibee April 18, 2024 Andrea Cuevas Sepulveda 318 Celulosa Arauco y Constitucion Golf 150, Piso 14, Las Condes, Santiago andrea.cuevas@arauco.com Dear Andrea Cuevas Sepulveda, In connection with the audit of our financial statements, please confirm directly to our auditors, Deloitte & Touche LLP, gdayal@deloitte.com the amount owed to us as of December 31 , 2023 amounted to $83,200.00 in respect of invoice number #7290 dated December 30, 2023 issued by us to you. If the amount shown is in agreement with your records, please check "A" below. If the amount is not in agreement with your records, please check and complete "B" below. After selecting the appropriate response, please sign and date your reply and send it directly to our auditors. Your prompt attention to this request will be appreciated. This confirmation is not a request for payment; please DO NOT SEND PAYMENTS to our auditors. Yours very truly, Rafael Nardelli CFO "
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 184.25.164.138:443
Source: global traffic TCP traffic: 184.25.164.138:443 -> 192.168.2.4:49740
Source: Joe Sandbox View IP Address: 184.25.164.138
Source: global traffic HTTP traffic detected:
GET /onboarding/smskillreader.txt HTTP/1.1
Host: armmf.adobe.com
Connection: keep-alive
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
If-None-Match: "78-5faa31cce96da"
If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: unknown TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: classification engine Classification label: clean2.winPDF@14/44@0/1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-04-19 00-06-08-428.log
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Confirmation Andrea Cuevas Sepulveda (Request).pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1568,i,589966986038949355,13703487978581972660,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Confirmation Andrea Cuevas Sepulveda (Request).pdf Initial sample: PDF keyword /JS count = 0
Source: Confirmation Andrea Cuevas Sepulveda (Request).pdf Initial sample: PDF keyword /JavaScript count = 0
Source: A95iut3n_efa1dk_5z8.tmp.0.dr Initial sample: PDF keyword /JS count = 0
Source: A95iut3n_efa1dk_5z8.tmp.0.dr Initial sample: PDF keyword /JavaScript count = 0
Source: Confirmation Andrea Cuevas Sepulveda (Request).pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX