Analysis Report Distech-controls Project .pdf

Overview

General Information

Sample Name: Distech-controls Project .pdf
Analysis ID: 289662
MD5: cf9207807263dd7b69e814af1d3f60ab
SHA1: 70c15f1df40f7504b4aae6cd15c0f7b9ddf1c366
SHA256: 06baf3b309439eebbe542ffde90043cc205ed8395ebb93a620c0829a9c83d2e9

Detection

HTMLPhisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Phishing site detected (based on shot template match)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_7
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://shelleyjosephineceremonies.com.au/adobe.xx/adobe/ UrlScan: Label: phishing brand: adobe generic

Phishing:

Phishing site detected (based on shot template match)
Source: https://shelleyjosephineceremonies.com.au/adobe.xx/adobe/ Matcher: Template: outlook matched
Yara detected HtmlPhish_10
Source: Yara match File source: 347688.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\adobe[1].htm, type: DROPPED
Yara detected HtmlPhish_7
Source: Yara match File source: 347688.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\adobe[1].htm, type: DROPPED
HTML body contains low number of good links
Source: https://shelleyjosephineceremonies.com.au/adobe.xx/adobe/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://shelleyjosephineceremonies.com.au/adobe.xx/adobe/ HTTP Parser: Title: Share Point Online does not match URL
Source: https://shelleyjosephineceremonies.com.au/adobe.xx/adobe/ HTTP Parser: No <meta name="author".. found
Source: https://shelleyjosephineceremonies.com.au/adobe.xx/adobe/ HTTP Parser: No <meta name="copyright".. found

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 80.0.0.0
Source: Joe Sandbox View IP Address: 151.139.128.8
Source: Joe Sandbox View IP Address: 104.17.79.107
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: classification engine Classification label: mal72.phis.winPDF@19/85@12/5
Source: Distech-controls Project .pdf Initial sample: https://southcentralusr-notifyp.svc.ms/api/v2/tracking/method/Click?mi=QqZI7lAkKE-xAVeF-uoYeg&ru=https%3a%2f%2fprivacy.microsoft.com%2fprivacystatement&tc=PrivacyStatement&cs=0e07659b2986c666099c66b21d33f3f7
Source: Distech-controls Project .pdf Initial sample: https://shelleyjosephineceremonies.com.au/adobe.xx/adobe
Source: Distech-controls Project .pdf Initial sample: https://southcentralusr-notifyp.svc.ms/api/v2/tracking/method/click?mi=qqzi7lakke-xavef-uoyeg&ru=https%3a%2f%2fprivacy.microsoft.com%2fprivacystatement&tc=privacystatement&cs=0e07659b2986c666099c66b21d33f3f7
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.4460
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rot7mt3_108wtof_3fw.tmp
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\Distech-controls Project .pdf'
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Distech-controls Project .pdf'
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://shelleyjosephineceremonies.com.au/adobe.xx/adobe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Distech-controls Project .pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://shelleyjosephineceremonies.com.au/adobe.xx/adobe
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File opened: C:\Windows\SysWOW64\Msftedit.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Distech-controls Project .pdf Initial sample: PDF keyword /JS count = 0
Source: Distech-controls Project .pdf Initial sample: PDF keyword /JavaScript count = 0
Source: Distech-controls Project .pdf Initial sample: PDF keyword stream count = 26
Source: Distech-controls Project .pdf Initial sample: PDF keyword /EmbeddedFile count = 0
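The four keyword counts above are the static triage the sandbox ran on the raw file: zero /JS, /JavaScript and /EmbeddedFile occurrences mean the PDF carries no active content, which is consistent with a phishing lure that relies on a clickable link rather than an exploit. The following Python is an added example of how such a count is computed, not the sandbox's own code. It decodes PDF name hex escapes first (an attacker can write /J#53 for /JS so that a plain substring search reports 0) and, going beyond the report's four keywords, also counts /OpenAction, /AA and /Launch, which mark automatic and launch actions. The SAMPLE_PDF is constructed for the example and is not the analysed file.

```python
import re
from typing import Dict, List

# Keywords counted by PDF triage tools. The first four are the ones in the
# sandbox report above; /OpenAction, /AA and /Launch are added here because
# they mark automatic or launch actions (assumption: same counting rules).
KEYWORDS = (b"/JS", b"/JavaScript", b"/EmbeddedFile", b"stream",
            b"/OpenAction", b"/AA", b"/Launch")

# Delimiter characters terminate a PDF name object (whitespace and ()<>[]{}/%).
DELIMS = rb"\s/\[\]<>(){}%"
NAME_RE = re.compile(rb"/[^" + DELIMS + rb"]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name objects so that /J#53 is counted as /JS.

    Hex escapes are a common way to hide /JavaScript from naive string
    searches; a counter that skips this step reports 0 for such a file.
    """
    def decode_name(m):
        return HEX_ESCAPE_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_RE.sub(decode_name, data)


def count_keywords(data: bytes, keywords=KEYWORDS) -> Dict[str, int]:
    """Count each keyword in the raw file after name normalisation."""
    norm = normalize_names(data)
    counts: Dict[str, int] = {}
    for kw in keywords:
        if kw.startswith(b"/"):
            # A name ends at a delimiter, so /JS must not match /JSX.
            pattern = re.escape(kw) + rb"(?![^" + DELIMS + rb"])"
        else:
            # Bare keyword: "endstream" must not be counted as "stream".
            pattern = rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pattern, norm))
    return counts


def triage(counts: Dict[str, int]) -> List[str]:
    """Turn raw counts into the findings an analyst looks at first."""
    findings: List[str] = []
    if counts.get("/JS", 0) or counts.get("/JavaScript", 0):
        findings.append("javascript")
    if counts.get("/OpenAction", 0) or counts.get("/AA", 0):
        findings.append("auto-action")
    if counts.get("/EmbeddedFile", 0):
        findings.append("embedded-file")
    if counts.get("/Launch", 0):
        findings.append("launch-action")
    return findings


# Constructed sample for this example (not the analysed file): a minimal PDF
# whose /OpenAction runs JavaScript and which hides /JS behind a hex escape.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /J#53 5 0 R >> endobj\n"
    b"5 0 obj << /Length 21 >> stream\napp.alert('hello');\nendstream endobj\n"
    b"6 0 obj << /Length 3 >> stream\nabc\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    result = count_keywords(SAMPLE_PDF)
    for name, n in result.items():
        print(f"PDF keyword {name} count = {n}")
    print("findings:", triage(result))
```

Run against the real sample, a result of zero for every action keyword and a non-zero stream count matches the report above; the interesting artefact in that case is the URL the link action points to, which the dynamic analysis in this report recovered when Internet Explorer opened the phishing page.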
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: AcroRd32.exe, 00000002.00000002.535844831.000000000CECE000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Code function: 2_2_00219003 LdrInitializeThunk, 2_2_00219003
Source: AcroRd32.exe, 00000002.00000002.521268907.0000000004F80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000002.00000002.521268907.0000000004F80000.00000002.00000001.sdmp Binary or memory string: NProgram Manager
Source: AcroRd32.exe, 00000002.00000002.521268907.0000000004F80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AcroRd32.exe, 00000002.00000002.521268907.0000000004F80000.00000002.00000001.sdmp Binary or memory string: Progmanlock