Windows Analysis Report
RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf
Overview
General Information
Detection
Score: | 0 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64native
- AcroRd32.exe (PID: 2748 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf" MD5: 6791EAE6124B58F201B32F1F6C3EC1B0)
- cleanup
There are no malicious signatures.
Signature | Source |
---|---|
Classification label | |
File created | |
File created | |
Key opened | |
Process created | |
Process created | |
Initial sample | |
Initial sample | |
Initial sample | |
Process information set | |
Process information queried | |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1430903 |
Start date and time: | 2024-04-24 10:59:49 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 9m 17s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowspdfcookbook.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Number of new started processes analysed: | 27 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf |
Detection: | CLEAN |
Classification: | clean0.winPDF@2/14@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.206.188.21, 23.206.188.49, 23.206.188.29, 23.206.188.30, 23.206.188.26, 23.206.188.61, 23.206.188.9, 23.206.188.33, 23.206.188.37, 104.114.76.152, 104.114.76.153, 104.114.76.144, 23.206.188.16, 23.206.188.25, 23.206.188.13, 23.206.188.53
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, login.live.com, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, acroipm2.adobe.com
- Not all processes were analyzed; the report is missing behavior information
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240424090531Z-160.bmp
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 101894 |
Entropy (8bit): | 1.8511774275375752 |
Encrypted: | false |
SSDEEP: | 384:E7NHsQL1iIV6ODF1jSwxzaKM7gwzgITAnfDDytQAndcucH3CMSadujozr2kZy:gdVsBjo3dAdKXCuua2wy |
MD5: | B51C6BC841BC2965E0BE8C34C676CA61 |
SHA1: | 0CCFA12EDFBAE2E0F8604702D4347F494FE7C0AF |
SHA-256: | A12ADCA83632B7AD22CAAAF29ED20897DAD0D375451346DE162D9E640825B498 |
SHA-512: | CACC4B2858D3F35327E8D5D452792DA29001F29D554F0CA98298C17B3F80F62290BD8EC75F3B120DA0EAC415F80CA18F4C876352193D5B9B61BA7919E1B17090 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.152792402577316 |
Encrypted: | false |
SSDEEP: | 384:vedThwtEL38KXlOmrhSZsLRGlMapvC+8ZsLTT1SwIvV:FK+ZsL7ZsLP1iV |
MD5: | 427B97C9D84680F9EC226D29566486F7 |
SHA1: | AC621FFBB9A0BB9F82E462CC2BA1C104DEC57E05 |
SHA-256: | D3E11DCF8EC724F30DC5D02E67C07927C5BECEFE281AFEE714CA9D3AD7B4BAE8 |
SHA-512: | 207265C89593B0FE998E545B4283A044C8E2B8AC39D72B5735FB95806DFC661764DB5DFE9D8BA0CD18D9E3AF5EE4FFA592B05F9D490762DE2584DE98D61F5E83 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8720 |
Entropy (8bit): | 3.207733292251011 |
Encrypted: | false |
SSDEEP: | 48:7M62iolVwiol3f/ol1Nol1Aiol1RROiol12EMol1C0fsol1O5iol8qumFTIF3XmJ:7cpw7gMa04YG9IVXEBodRBk7 |
MD5: | ADFCF51DFA9530FFC7CBAD49187BE3D4 |
SHA1: | 6EC3E438481D9DDAD226BB65E3AAB712574FB0BA |
SHA-256: | 2F19036FD25872C0F54BCC0222956CE01D117D9E0BD85C12535DCC3DE7D416E4 |
SHA-512: | D86FA0E1F44EF8F9F6B7218C18999E1B69BA63A3F795561D44950A030DA873E443DB1B4B6D78E82F57E378B8330826952EB28112BA2DA87609E58148F89F64F2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 536 |
Entropy (8bit): | 5.1705042823943 |
Encrypted: | false |
SSDEEP: | 12:T4RFe6h8idRuMgxg6dxs3yBFTtDclAzidRuOPgxg601s3yBFDHpco:kFqid8HxPs3yTTtLid8OPgx4s3yTDHJ |
MD5: | 56E447DEE3234B51F4CB740B28D8E808 |
SHA1: | EC3CA5EDFD96F7B7A4134259E39B1AD76CFFF871 |
SHA-256: | D5D86F909BF81CBA8F2473124E6111504DCC69547E7CE7775217ABE688A02EA1 |
SHA-512: | FC79C80334C70E73A0B057B1F5397749312FFF9AB98045BD36C4C7F3D263713D5F9AD8E474E570BBD05225A72EDD19CB4F92724E5741ED9005551B7BDDA0B67F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 536 |
Entropy (8bit): | 5.1705042823943 |
Encrypted: | false |
SSDEEP: | 12:T4RFe6h8idRuMgxg6dxs3yBFTtDclAzidRuOPgxg601s3yBFDHpco:kFqid8HxPs3yTTtLid8OPgx4s3yTDHJ |
MD5: | 56E447DEE3234B51F4CB740B28D8E808 |
SHA1: | EC3CA5EDFD96F7B7A4134259E39B1AD76CFFF871 |
SHA-256: | D5D86F909BF81CBA8F2473124E6111504DCC69547E7CE7775217ABE688A02EA1 |
SHA-512: | FC79C80334C70E73A0B057B1F5397749312FFF9AB98045BD36C4C7F3D263713D5F9AD8E474E570BBD05225A72EDD19CB4F92724E5741ED9005551B7BDDA0B67F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 536 |
Entropy (8bit): | 5.1705042823943 |
Encrypted: | false |
SSDEEP: | 12:T4RFe6h8idRuMgxg6dxs3yBFTtDclAzidRuOPgxg601s3yBFDHpco:kFqid8HxPs3yTTtLid8OPgx4s3yTDHJ |
MD5: | 56E447DEE3234B51F4CB740B28D8E808 |
SHA1: | EC3CA5EDFD96F7B7A4134259E39B1AD76CFFF871 |
SHA-256: | D5D86F909BF81CBA8F2473124E6111504DCC69547E7CE7775217ABE688A02EA1 |
SHA-512: | FC79C80334C70E73A0B057B1F5397749312FFF9AB98045BD36C4C7F3D263713D5F9AD8E474E570BBD05225A72EDD19CB4F92724E5741ED9005551B7BDDA0B67F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10254 |
Entropy (8bit): | 5.221256140712948 |
Encrypted: | false |
SSDEEP: | 192:rsA2c6f6L76nx6g6Z6l6W6j6Lfs62tRZ6atsu6HtG16PCRtXr565B:rxXY6sHg4RYCfsztRZxtsuMtG18O7s7 |
MD5: | 0D822282FD7C0480DCB2262B472D8AA2 |
SHA1: | B1673799A73B8822ADCECDDD66FFEBA173E52774 |
SHA-256: | 8C5D43C8451A2000938103DAE339040ED5D4E4A0E3E5A80FB846FBF765DD5105 |
SHA-512: | F269708167ED599323F9758587932AFBAE903F8E6FC228167A50FF7491586E6E1352BB8AFBD38749FEFD26C6E37716C1C70557D694B098D33116041361E4FF83 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10254 |
Entropy (8bit): | 5.221256140712948 |
Encrypted: | false |
SSDEEP: | 192:rsA2c6f6L76nx6g6Z6l6W6j6Lfs62tRZ6atsu6HtG16PCRtXr565B:rxXY6sHg4RYCfsztRZxtsuMtG18O7s7 |
MD5: | 0D822282FD7C0480DCB2262B472D8AA2 |
SHA1: | B1673799A73B8822ADCECDDD66FFEBA173E52774 |
SHA-256: | 8C5D43C8451A2000938103DAE339040ED5D4E4A0E3E5A80FB846FBF765DD5105 |
SHA-512: | F269708167ED599323F9758587932AFBAE903F8E6FC228167A50FF7491586E6E1352BB8AFBD38749FEFD26C6E37716C1C70557D694B098D33116041361E4FF83 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12450 |
Entropy (8bit): | 1.1201007619447507 |
Encrypted: | false |
SSDEEP: | 24:5AZfYDILYWb8eqWaxUvZM9wHoWaxtexYMDWBVSPY/ovsLxLJlCj7:5AS43cdyRM9pdI+/SPY/ovQxLJY7 |
MD5: | D5370854BF762FD366FCEA9FC2C3DB06 |
SHA1: | 4E3A68EBC9056508A4A1A46CCE21872495AE1E9D |
SHA-256: | 145B5CA07CD65F15A83B1FA3F3CC37D76ED937CFD0D1517A30BAF1E2FEF9D60F |
SHA-512: | AAFEA6BBD2C5BF5534E2CDEF749769DE6DD5DDFDC39D8CBBEA9E98B645415D8C6C5ADC745381467CFA6973073F243F33ADD5A0200FE437CC4E252BDBB52BB15C |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 280877 |
Entropy (8bit): | 2.4838683753862703 |
Encrypted: | false |
SSDEEP: | 3072:CuIue47fngQAfngfBYosQvPI3fQAHfQPnPs3g/nAIe:sR |
MD5: | 229336FE2A0A88A8853323CDC037DF45 |
SHA1: | F9318FD12308EC153BCCB5AAA49CAACDB5F69623 |
SHA-256: | 08D2CA312202A6D76173B977C9B82DD08478300A6685C345894BD56491A28A46 |
SHA-512: | 55E21A71488FC1674171148E32769E0171D6619C33F5A7465C7A81190B1D3B3AB4420F4E5D24F1D7470C6289AF0FAAC54B2B47C04543D7DA285A707327B2A1A0 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4 |
Entropy (8bit): | 0.8112781244591328 |
Encrypted: | false |
SSDEEP: | 3:e:e |
MD5: | DC84B0D741E5BEAE8070013ADDCC8C28 |
SHA1: | 802F4A6A20CBF157AAF6C4E07E4301578D5936A2 |
SHA-256: | 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06 |
SHA-512: | 65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 945 |
Entropy (8bit): | 5.085781314383326 |
Encrypted: | false |
SSDEEP: | 24:YFuuRCzi56W9fg56Uxvj56R2clx2LSC56+Xma560OG:YD8i56W9o56+56RdxY56+Xma56w |
MD5: | 074495CEAA2EDAE4A3C2B7183B415DF1 |
SHA1: | 536EA69D6284534537A8EBBB2F646F04284744B9 |
SHA-256: | 0270E9BEFD4BB94A2FD8882734FEFD26214E6E2FBBC89F4A79D82302A90A9C26 |
SHA-512: | EC5C17228930B2C651FD32DABB5F532FBFAFA733005EBC1ED2B4146EF18D4F1F980EC3AB3DE1F37584B123D55899BCE72C384F9BE35D3FBF1AC7DA529182790A |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10240 |
Entropy (8bit): | 0.6729637696348455 |
Encrypted: | false |
SSDEEP: | 12:B+e1Jl0bfJJJlmIoVEst/0cD3Cjc007UVQAsXCp:BRHl0Jlmyst/0sD007UVQvo |
MD5: | B477F43DD1358C1AD5FBA461B976D6CD |
SHA1: | 39642F53383D15FDAB62DC299610A3BCDA3CDDF4 |
SHA-256: | 6FBA3ED73D2D73994CDEFA8B3A57C9052772FF8C3EB724B288B0C4F9249F6E9D |
SHA-512: | D08ED47BA28065FBF789833B7D1DBE5E9AC65B0A00F94CCB2CA80827C1CC6D7EF8ACAE8D03E690627FDABDB3850B8E54EB74C96A1E96FBFB5CD73DDFC9FF4384 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24152 |
Entropy (8bit): | 0.7529636696202866 |
Encrypted: | false |
SSDEEP: | 24:z6cK50wbpTIuf2jPSMxmOd34AKmsoVp9EFsUxx4ABfL3s+V:z6rN91fKqMx57HbmFsMxtg+V |
MD5: | 622E9E5B7E58CE2892C286F4161217E5 |
SHA1: | 0D773A479247071F622B36834BE63C9A012D04E2 |
SHA-256: | 04A4A1FF7077045427BFF34F2F0359BF1516D9C8D463BFD652E85B7FA269FFAC |
SHA-512: | D6447761B8EBCDEFBF7EF36681767007A52BE48D06F804425F8F4B948629DCC46B572770C529DCEABFFA71CE0B8D81882E31D86F6EBF544A869AB8E20688D74C |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.695349617432734 |
TrID: | |
File name: | RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf |
File size: | 85'490 bytes |
MD5: | 7e47c958b1692373b43736de1dc29337 |
SHA1: | 12e2bfd68f6f43b07e0693e67ffcdce95eed246a |
SHA256: | ffc5639144a95a49708f5fa3dcff74f4cbf8e0c3d0433a741bb12528ff820fa5 |
SHA512: | 8f54012663cbefaba10ef0d3fcdaa5e896e18be83bad60dafbaf6d3c5bb481d754259a22d541d61b6c24534c67b1ae227c86d82ec27f98594223dd510713b43e |
SSDEEP: | 1536:c0m2JlZOOXHz2SCEIZiKiM+QTyeOjhzfebYbGVym0j:plsqvCEdK5++ypxfSYUa |
TLSH: | 878302940D97E8D1AC1F0460EFC88512D49B1CBA64456476B93CBA7CEF32E967C6C347 |
File Content Preview: | %PDF-1.7.%......12 0 obj.<</Linearized 1/L 85490/O 14/E 35824/N 2/T 85179/H [ 446 144]>>.endobj. ..18 0 obj.<</DecodeParms<</Columns 3/Predictor 12>>/Filter/FlateDecode/ID[<A6E52039889B6195B13535B8AF56AD0C><1E5B174929918E48BE4647896F0A212 |
Icon Hash: | 62cc8caeb29e8ae0 |
General | |
---|---|
Header: | %PDF-1.7 |
Total Entropy: | 7.695350 |
Total Bytes: | 85490 |
Stream Entropy: | 7.692693 |
Stream Bytes: | 83411 |
Entropy outside Streams: | 5.354563 |
Bytes outside Streams: | 2079 |
Number of EOF found: | 2 |
Bytes after EOF: | |
Name | Count |
---|---|
obj | 16 |
endobj | 16 |
stream | 12 |
endstream | 12 |
xref | 0 |
trailer | 0 |
startxref | 2 |
/Page | 2 |
/Encrypt | 0 |
/ObjStm | 4 |
/URI | 0 |
/JS | 0 |
/JavaScript | 0 |
/AA | 0 |
/OpenAction | 0 |
/AcroForm | 0 |
/JBIG2Decode | 0 |
/RichMedia | 0 |
/Launch | 0 |
/EmbeddedFile | 0 |
Target ID: | 0 |
Start time: | 11:05:25 |
Start date: | 24/04/2024 |
Path: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
Wow64 process (32bit): | true |
Commandline: | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf" |
Imagebase: | 0xa0000 |
File size: | 3'014'368 bytes |
MD5 hash: | 6791EAE6124B58F201B32F1F6C3EC1B0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |