
Analysis Report JavaScriptClock.pdf

Overview

General Information

Sample Name: JavaScriptClock.pdf
Analysis ID: 286562
MD5: 7314d3c114536db807ab795d917aaf01
SHA1: 3071617515c84ddd4d8ea3fb280eee93e51da1f8
SHA256: d86c7138e7ac792554365abeec348cd71ee7a8ed037ecf0d2f8335e2e036d7bd

Most interesting Screenshot:

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Startup

  • System is w10x64
  • AcroRd32.exe (PID: 3520 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\JavaScriptClock.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • AcroRd32.exe (PID: 6216 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\JavaScriptClock.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures. All signature results follow.

Source: AcroRd32.exe, 00000001.00000002.670951365.000000000B5EA000.00000004.00000001.sdmp | String found in binary or memory: http://...............Acrobat
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://cipa.jp/exif/1.0/-
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://cipa.jp/exif/1.0//1.0/P
Source: AcroRd32.exe, 00000001.00000002.665698983.000000000A290000.00000002.00000001.sdmp | String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/:
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: AcroRd32.exe, 00000001.00000002.665698983.000000000A290000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.geotrust.com0K
Source: AcroRd32.exe, 00000001.00000002.665698983.000000000A290000.00000002.00000001.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AcroRd32.exe, 00000001.00000002.665698983.000000000A290000.00000002.00000001.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AcroRd32.exe, 00000001.00000002.665698983.000000000A290000.00000002.00000001.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/-29/m#
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.659127101.0000000008D57000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/field#.pdf
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.673196671.000000000BB8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/g
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/l
Source: AcroRd32.exe, 00000001.00000002.668014380.000000000AD7C000.00000004.00000001.sdmp | String found in binary or memory: http://www.dictionary.com/cgi-bin/dict.pl?term=
Source: AcroRd32.exe, 00000001.00000003.385533539.0000000008F9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.dictionary.com/cgi-bin/dict.pl?term=$
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AcroRd32.exe, 00000001.00000002.665698983.000000000A290000.00000002.00000001.sdmp | String found in binary or memory: http://www.geotrust.com/resources/cps0(
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000002.673681763.000000000BD99000.00000004.00000001.sdmp | String found in binary or memory: http://www.npes.org/pdfx/ns/id/1
Source: AcroRd32.exe, 00000001.00000002.653704844.00000000075F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.653704844.00000000075F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.653704844.00000000075F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.653704844.00000000075F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.653704844.00000000075F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.653704844.00000000075F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.653704844.00000000075F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.659297541.0000000008EA0000.00000004.00000001.sdmp, JavaScriptClock.pdf | String found in binary or memory: http://www.pdfscripting.com)/IF
Source: AcroRd32.exe, 00000001.00000002.659297541.0000000008EA0000.00000004.00000001.sdmp, JavaScriptClock.pdf | String found in binary or memory: http://www.pdfscripting.com)/S/URI
Source: AcroRd32.exe, 00000001.00000002.666983372.000000000AA1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000001.00000002.659297541.0000000008EA0000.00000004.00000001.sdmp, JavaScriptClock.pdf | String found in binary or memory: http://www.windjack.com/)/S/URI
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/-u
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/:.
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/N.
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/X.
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/b.5
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/v.)
Source: AcroRd32.exe, 00000001.00000002.668014380.000000000AD7C000.00000004.00000001.sdmp | String found in binary or memory: https://idisk.mac.com/
Source: AcroRd32.exe, 00000001.00000002.666124033.000000000A64B000.00000004.00000001.sdmp | String found in binary or memory: https://idisk.mac.com/2
Source: AcroRd32.exe, 00000001.00000002.659224269.0000000008DD0000.00000004.00000001.sdmp | String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000002.659224269.0000000008DD0000.00000004.00000001.sdmp | String found in binary or memory: https://ims-na1.adobelogin.com2A
Source: AcroRd32.exe, 00000001.00000002.658396607.00000000084AD000.00000002.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: classification engine | Classification label: clean0.winPDF@3/2@0/0
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rldvbj3_r1yjo4_4so.tmp
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File read: C:\Program Files (x86)\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\JavaScriptClock.pdf'
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\JavaScriptClock.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\JavaScriptClock.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File opened: C:\Windows\SysWOW64\Msftedit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: A9Rldvbj3_r1yjo4_4so.tmp.1.dr | Initial sample: PDF keyword /JS count = 0
Source: A9Rldvbj3_r1yjo4_4so.tmp.1.dr | Initial sample: PDF keyword /JavaScript count = 0
Source: A9R117ci7l_r1yjo5_4so.tmp.1.dr | Initial sample: PDF keyword /JS count = 0
Source: A9R117ci7l_r1yjo5_4so.tmp.1.dr | Initial sample: PDF keyword /JavaScript count = 0
Source: A9Rldvbj3_r1yjo4_4so.tmp.1.dr | Initial sample: PDF keyword /EmbeddedFile count = 0
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Code function: 1_2_04991490 LdrInitializeThunk, 1_2_04991490
Source: AcroRd32.exe, 00000001.00000002.651384938.0000000005250000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000002.651384938.0000000005250000.00000002.00000001.sdmp | Binary or memory string: NProgram Manager
Source: AcroRd32.exe, 00000001.00000002.651384938.0000000005250000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000002.651384938.0000000005250000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Techniques listed per tactic column (the matrix was flattened during extraction; two rows per column):

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Process Injection2; Boot or Logon Initialization Scripts
  • Defense Evasion: Process Injection2; Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: Process Discovery1; File and Directory Discovery1
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 286562; Sample: JavaScriptClock.pdf; Startdate: 16/09/2020; Architecture: WINDOWS; Score: 0

  • AcroRd32.exe started
    • AcroRd32.exe started (child process)
      • Dropped file: C:\Users\user\...\A9Rldvbj3_r1yjo4_4so.tmp (PDF)
      • Dropped file: C:\Users\user\...\A9R117ci7l_r1yjo5_4so.tmp (PDF)

Screenshots
