Analysis Report COVID19_MentalHealth.pdf

Overview

General Information

Sample Name: COVID19_MentalHealth.pdf
Analysis ID: 330920
MD5: 0eddf4e2ea8f23fa34620d15074da24c
SHA1: 3ffeeb5bde4d87299e3175917b6e8d7889ea0913
SHA256: bc3cd005701b168d87ee8146c5a1fc995936985cb0da7992ad356f02c21e60af

Most interesting Screenshot:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
IP address seen in connection with other malware
PDF has an OpenAction (likely to launch a dropper script)
Potential document exploit detected (performs DNS queries)
Unable to load, pdf file is invalid

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: COVID19_MentalHealth.pdf Virustotal: Detection: 11% Perma Link
Machine Learning detection for sample
Source: COVID19_MentalHealth.pdf Joe Sandbox ML: detected

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: kb4.io

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 80.0.0.0 80.0.0.0
Source: unknown DNS traffic detected: queries for: kb4.io
Source: AcroRd32.exe, 00000001.00000003.218910617.000000000C7F5000.00000004.00000001.sdmp String found in binary or memory: http://...............Acrobat
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/abled
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/mb
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/d
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/edqb.
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#ckedUb
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#ctive
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#vecb
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#ctive
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/a
Source: AcroRd32.exe, 00000001.00000002.414347395.000000000C488000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.412728955.000000000AB64000.00000004.00000001.sdmp String found in binary or memory: http://www.dictionary.com/cgi-bin/dict.pl?term=
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/d
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000001.00000002.415213082.000000000C957000.00000004.00000001.sdmp String found in binary or memory: https://.OKCancelEdit
Source: AcroRd32.exe, 00000001.00000002.413243498.000000000AD63000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/erU
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/gn
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/l/
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/th
Source: AcroRd32.exe, 00000001.00000002.413243498.000000000AD63000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/p
Source: AcroRd32.exe, 00000001.00000002.416353052.000000000CC59000.00000004.00000001.sdmp String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000002.416353052.000000000CC59000.00000004.00000001.sdmp String found in binary or memory: https://api.echosign.comRL
Source: AcroRd32.exe, 00000001.00000002.414347395.000000000C488000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.413104880.000000000ACC1000.00000004.00000001.sdmp String found in binary or memory: https://idisk.mac.com/
Source: AcroRd32.exe, 00000001.00000002.410473388.000000000A090000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000002.410473388.000000000A090000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.comT
Source: AcroRd32.exe, 00000001.00000002.415716119.000000000CAE5000.00000004.00000001.sdmp String found in binary or memory: https://online-banking.kb4.io
Source: AcroRd32.exe, 00000001.00000003.214261056.000000000A162000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNe0aW9uPWnNsaWNrJnqVybD1omtdHRwvczovL3NlcY3cVyZWQtbG9naW4ubmV0eL3Bh
Source: AcroRd32.exe, 00000001.00000002.415350642.000000000C9F6000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.416240390.000000000CBF9000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.415213082.000000000C957000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNg0aW9uPWgF0dGFjaGc1lbnQmjucmVjxaXBpZW50mX2nlkPTc0MzQ1MDUyMSZjpYW1w
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000003.214261056.000000000A162000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNr0aW9uPWjNsaWNrJnaVybD1ooidHRwoczovL3NlsY3oVyZWQtbG9naW4ubmV0hL3Bh
Source: AcroRd32.exe, 00000001.00000003.214261056.000000000A162000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNt0aW9uPWqNsaWNrJnyVybD1ofhdHRwwczovL3NliY3yVyZWQtbG9naW4ubmV0qL3Bh
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

barindex
Unable to load, pdf file is invalid
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Window title found: acrobat reader an error occurred during the submit process. the server could not be located.ok
Source: classification engine Classification label: mal52.winPDF@13/46@2/2
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/XYWNt0aW9uPWqNsaWNrJnyVybD1ofhdHRwwczovL3NliY3yVyZWQtbG9naW4ubmV0qL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/xywnr0aw9upwjnsawnrjnavybd1ooidhrwoczovl3nlsy3ovyzwqtbg9naw4ubmv0hl3bhz2vzl2m4mtdknjlmnjy0nszyzwnpcgllbnrfawq9nzqznduwntixjmnhbxbhawdux3j1bl9pzd0zotgxndey
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/XYWNr0aW9uPWjNsaWNrJnaVybD1ooidHRwoczovL3NlsY3oVyZWQtbG9naW4ubmV0hL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/XYWNe0aW9uPWnNsaWNrJnqVybD1omtdHRwvczovL3NlcY3cVyZWQtbG9naW4ubmV0eL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/xywnt0aw9upwqnsawnrjnyvybd1ofhdhrwwczovl3nliy3yvyzwqtbg9naw4ubmv0ql3bhz2vzl2m4mtdknjlmnjy0nszyzwnpcgllbnrfawq9nzqznduwntixjmnhbxbhawdux3j1bl9pzd0zotgxndey
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/xywne0aw9upwnnsawnrjnqvybd1omtdhrwvczovl3nlcy3cvyzwqtbg9naw4ubmv0el3bhz2vzl2m4mtdknjlmnjy0nszyzwnpcgllbnrfawq9nzqznduwntixjmnhbxbhawdux3j1bl9pzd0zotgxndey
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R15wpya6_22f045_4ek.tmp Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: COVID19_MentalHealth.pdf Virustotal: Detection: 11%
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\COVID19_MentalHealth.pdf'
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\COVID19_MentalHealth.pdf'
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8824394977426197921 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8824394977426197921 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=18010116590796279063 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6134182799145032745 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6134182799145032745 --renderer-client-id=4 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9513205951343530347 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9513205951343530347 --renderer-client-id=5 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\COVID19_MentalHealth.pdf' Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8824394977426197921 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8824394977426197921 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=18010116590796279063 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6134182799145032745 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6134182799145032745 --renderer-client-id=4 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9513205951343530347 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9513205951343530347 --renderer-client-id=5 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:1 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File opened: C:\Windows\SysWOW64\Msftedit.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: COVID19_MentalHealth.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: COVID19_MentalHealth.pdf Initial sample: PDF keyword obj count = 54

Data Obfuscation:

barindex
PDF has an OpenAction (likely to launch a dropper script)
Source: COVID19_MentalHealth.pdf Initial sample: PDF keyword /OpenAction
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: AcroRd32.exe, 00000001.00000002.415350642.000000000C9F6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Code function: 1_2_00734050 LdrInitializeThunk, 1_2_00734050
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock