Analysis Report COVID19_MentalHealth.pdf

Overview

General Information

Sample Name: COVID19_MentalHealth.pdf
Analysis ID: 330920
MD5: 0eddf4e2ea8f23fa34620d15074da24c
SHA1: 3ffeeb5bde4d87299e3175917b6e8d7889ea0913
SHA256: bc3cd005701b168d87ee8146c5a1fc995936985cb0da7992ad356f02c21e60af

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
IP address seen in connection with other malware
PDF has an OpenAction (likely to launch a dropper script)
Potential document exploit detected (performs DNS queries)
Unable to load, pdf file is invalid

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: COVID19_MentalHealth.pdf Virustotal: Detection: 11%
Machine Learning detection for sample
Source: COVID19_MentalHealth.pdf Joe Sandbox ML: detected

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: kb4.io

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 80.0.0.0 80.0.0.0
Source: unknown DNS traffic detected: queries for: kb4.io
Source: AcroRd32.exe, 00000001.00000003.218910617.000000000C7F5000.00000004.00000001.sdmp String found in binary or memory: http://...............Acrobat
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/abled
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/mb
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/d
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/edqb.
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#ckedUb
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#ctive
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#vecb
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#ctive
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/a
Source: AcroRd32.exe, 00000001.00000002.414347395.000000000C488000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.412728955.000000000AB64000.00000004.00000001.sdmp String found in binary or memory: http://www.dictionary.com/cgi-bin/dict.pl?term=
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000002.415101837.000000000C8BE000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/d
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.402009507.00000000075F0000.00000002.00000001.sdmp String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000001.00000002.415213082.000000000C957000.00000004.00000001.sdmp String found in binary or memory: https://.OKCancelEdit
Source: AcroRd32.exe, 00000001.00000002.413243498.000000000AD63000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/erU
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/gn
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/l/
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/th
Source: AcroRd32.exe, 00000001.00000002.413243498.000000000AD63000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/p
Source: AcroRd32.exe, 00000001.00000002.416353052.000000000CC59000.00000004.00000001.sdmp String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000002.416353052.000000000CC59000.00000004.00000001.sdmp String found in binary or memory: https://api.echosign.comRL
Source: AcroRd32.exe, 00000001.00000002.414347395.000000000C488000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.413104880.000000000ACC1000.00000004.00000001.sdmp String found in binary or memory: https://idisk.mac.com/
Source: AcroRd32.exe, 00000001.00000002.410473388.000000000A090000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000002.410473388.000000000A090000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.comT
Source: AcroRd32.exe, 00000001.00000002.415716119.000000000CAE5000.00000004.00000001.sdmp String found in binary or memory: https://online-banking.kb4.io
Source: AcroRd32.exe, 00000001.00000003.214261056.000000000A162000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNe0aW9uPWnNsaWNrJnqVybD1omtdHRwvczovL3NlcY3cVyZWQtbG9naW4ubmV0eL3Bh
Source: AcroRd32.exe, 00000001.00000002.415350642.000000000C9F6000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.416240390.000000000CBF9000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.415213082.000000000C957000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNg0aW9uPWgF0dGFjaGc1lbnQmjucmVjxaXBpZW50mX2nlkPTc0MzQ1MDUyMSZjpYW1w
Source: AcroRd32.exe, 00000001.00000002.414848696.000000000C6DB000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000003.214261056.000000000A162000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNr0aW9uPWjNsaWNrJnaVybD1ooidHRwoczovL3NlsY3oVyZWQtbG9naW4ubmV0hL3Bh
Source: AcroRd32.exe, 00000001.00000003.214261056.000000000A162000.00000004.00000001.sdmp, COVID19_MentalHealth.pdf String found in binary or memory: https://online-banking.kb4.io/XYWNt0aW9uPWqNsaWNrJnyVybD1ofhdHRwwczovL3NliY3yVyZWQtbG9naW4ubmV0qL3Bh
Source: AcroRd32.exe, 00000001.00000002.405743803.00000000084AD000.00000002.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Unable to load, pdf file is invalid
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Window title found: acrobat reader an error occurred during the submit process. the server could not be located.ok
Source: classification engine Classification label: mal52.winPDF@13/46@2/2
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/XYWNt0aW9uPWqNsaWNrJnyVybD1ofhdHRwwczovL3NliY3yVyZWQtbG9naW4ubmV0qL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/xywnr0aw9upwjnsawnrjnavybd1ooidhrwoczovl3nlsy3ovyzwqtbg9naw4ubmv0hl3bhz2vzl2m4mtdknjlmnjy0nszyzwnpcgllbnrfawq9nzqznduwntixjmnhbxbhawdux3j1bl9pzd0zotgxndey
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/XYWNr0aW9uPWjNsaWNrJnaVybD1ooidHRwoczovL3NlsY3oVyZWQtbG9naW4ubmV0hL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/XYWNe0aW9uPWnNsaWNrJnqVybD1omtdHRwvczovL3NlcY3cVyZWQtbG9naW4ubmV0eL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/xywnt0aw9upwqnsawnrjnyvybd1ofhdhrwwczovl3nliy3yvyzwqtbg9naw4ubmv0ql3bhz2vzl2m4mtdknjlmnjy0nszyzwnpcgllbnrfawq9nzqznduwntixjmnhbxbhawdux3j1bl9pzd0zotgxndey
Source: COVID19_MentalHealth.pdf Initial sample: https://online-banking.kb4.io/xywne0aw9upwnnsawnrjnqvybd1omtdhrwvczovl3nlcy3cvyzwqtbg9naw4ubmv0el3bhz2vzl2m4mtdknjlmnjy0nszyzwnpcgllbnrfawq9nzqznduwntixjmnhbxbhawdux3j1bl9pzd0zotgxndey
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R15wpya6_22f045_4ek.tmp
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File read: C:\Program Files (x86)\desktop.ini
Source: COVID19_MentalHealth.pdf Virustotal: Detection: 11%
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\COVID19_MentalHealth.pdf'
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\COVID19_MentalHealth.pdf'
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8824394977426197921 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8824394977426197921 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=18010116590796279063 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6134182799145032745 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6134182799145032745 --renderer-client-id=4 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9513205951343530347 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9513205951343530347 --renderer-client-id=5 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\COVID19_MentalHealth.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8824394977426197921 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8824394977426197921 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=18010116590796279063 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6134182799145032745 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6134182799145032745 --renderer-client-id=4 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1680,17373696576901166901,1642707621424303814,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9513205951343530347 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9513205951343530347 --renderer-client-id=5 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File opened: C:\Windows\SysWOW64\Msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: COVID19_MentalHealth.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: COVID19_MentalHealth.pdf Initial sample: PDF keyword obj count = 54
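The report lists the same online-banking.kb4.io path several times (the four "Initial sample" URLs above and the memory strings in the Networking section), and the copies differ only in a handful of characters at the same offsets. The script below is an added example for this page; it is not part of the Joe Sandbox report and not a documented decoder for the tracking service behind kb4.io. It assumes that the characters which vary between same-length variants are noise inserted at fixed offsets, that what remains is standard base64 behind a short fixed prefix, and that the right prefix length is the one whose decode is printable ASCII. The input strings are copied from the report (the case-folded duplicates the report also lists are omitted); every function name is the example's own.

```python
import base64
import string
from urllib.parse import parse_qsl

# Sample input, copied from the report: three full "click" paths that carry the
# same recipient/campaign identifiers, plus the truncated "attachment" path
# recovered from AcroRd32.exe memory.
CLICK_VARIANTS = [
    "XYWNt0aW9uPWqNsaWNrJnyVybD1ofhdHRwwczovL3NliY3yVyZWQtbG9naW4ubmV0qL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy",
    "XYWNr0aW9uPWjNsaWNrJnaVybD1ooidHRwoczovL3NlsY3oVyZWQtbG9naW4ubmV0hL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy",
    "XYWNe0aW9uPWnNsaWNrJnqVybD1omtdHRwvczovL3NlcY3cVyZWQtbG9naW4ubmV0eL3BhZ2VzL2M4MTdkNjlmNjY0NSZyZWNpcGllbnRfaWQ9NzQzNDUwNTIxJmNhbXBhaWduX3J1bl9pZD0zOTgxNDEy",
]
ATTACHMENT_VARIANT = "XYWNg0aW9uPWgF0dGFjaGc1lbnQmjucmVjxaXBpZW50mX2nlkPTc0MzQ1MDUyMSZjpYW1w"

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def noise_positions(variants):
    """Indices at which equal-length variants disagree.

    Assumption (not documented behaviour of the service): links that carry the
    same identifiers differ only in the inserted noise characters.
    """
    lengths = {len(v) for v in variants}
    if len(lengths) != 1:
        raise ValueError("variants must have equal length")
    n = lengths.pop()
    return [i for i in range(n) if len({v[i] for v in variants}) > 1]


def strip_positions(s, positions):
    drop = set(positions)
    return "".join(c for i, c in enumerate(s) if i not in drop)


def decode_printable_base64(s, max_prefix=4):
    """Drop 0..max_prefix-1 leading chars until the rest is valid base64 that
    decodes to printable ASCII. Returns (prefix_len, text) or None."""
    for k in range(max_prefix):
        try:
            text = base64.b64decode(s[k:], validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
            continue
        if text and all(c in PRINTABLE for c in text):
            return k, text
    return None


def decode_tracking_path(path, positions):
    """Apply the learned noise positions, then the base64/prefix heuristic."""
    result = decode_printable_base64(strip_positions(path, positions))
    return result[1] if result else None


def tracking_fields(text):
    """Split a decoded 'k=v&k=v' payload into a dict."""
    return dict(parse_qsl(text, keep_blank_values=True))


if __name__ == "__main__":
    positions = noise_positions(CLICK_VARIANTS)
    print("noise offsets:", positions)
    for path in CLICK_VARIANTS + [ATTACHMENT_VARIANT]:
        decoded = decode_tracking_path(path, positions)
        print(path[:24] + "...", "->", decoded)
        if decoded:
            print("   ", tracking_fields(decoded))
```

The positions learned from the three click variants also clean the truncated attachment string, which is the check that the offsets belong to the encoder rather than to one link. The decoded payload is a query string whose url field names the real landing page and whose recipient_id and campaign_run_id fields identify the mailing; those are the values to pivot on when hunting for the same campaign in mail and proxy logs.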

Data Obfuscation:

PDF has an OpenAction (likely to launch a dropper script)
Source: COVID19_MentalHealth.pdf Initial sample: PDF keyword /OpenAction
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: AcroRd32.exe, 00000001.00000002.415350642.000000000C9F6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
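The OpenAction signature above fires on the keyword alone, and the System Summary records plain keyword counts (/EmbeddedFile = 0, obj = 54). Whether an /OpenAction is a dropper depends on the action's /S subtype: /JavaScript or /Launch would support that reading, while /URI or /SubmitForm fits what this run actually recorded (a form submission to online-banking.kb4.io that failed because the server could not be located). The script below is an added example, not part of the Joe Sandbox report or its detection engine: a minimal keyword triage that resolves the /OpenAction target and reports its subtype, undoes #xx name escapes before matching so /Open#41ction is still counted, and flags /ObjStm so the reader knows a zero count can still hide objects inside compressed object streams. The embedded PDF is constructed for the example; it reuses the domain from the report and is not the analysed file, and all function names are the example's own.

```python
import re

# Constructed sample (not the analysed file): a minimal uncompressed PDF whose
# /OpenAction is a /URI action. The domain is the one seen in the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /URI /URI (https://online-banking.kb4.io/XYWNt0aW9uPWqNsaWNrJnyVybD1ofhdHRw) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Keywords worth counting on any PDF triage pass. /ObjStm is included because
# objects inside compressed object streams are invisible to a raw byte scan.
KEYWORDS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
            b"/SubmitForm", b"/URI", b"/EmbeddedFile", b"/ObjStm"]

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_HEADER = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b")
# A PDF name ends at whitespace or a delimiter; this keeps /Page from matching /Pages.
NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(pdf):
    """Undo #xx escapes so /Open#41ction is seen as /OpenAction. Applied to the
    whole file for simplicity, which is fine for counting but not for parsing."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf)


def count_objects(pdf):
    return len(OBJ_HEADER.findall(pdf))


def count_keyword(pdf, keyword):
    pattern = re.compile(re.escape(keyword) + NAME_END)
    return len(pattern.findall(normalize_names(pdf)))


def get_object(pdf, num, gen):
    """Body of 'num gen obj ... endobj', or None. Ignores incremental updates."""
    header = rb"(?<!\d)%d\s+%d\s+obj\b" % (num, gen)
    m = re.search(header + rb"(.*?)endobj", pdf, re.S)
    return m.group(1) if m else None


def open_action_type(pdf):
    """Subtype (/S) of the document's /OpenAction, e.g. b'/URI', b'/JavaScript',
    b'/Launch', b'/SubmitForm'; b'<dest>' for a bare destination; None if absent.
    Handles a direct dictionary/array or a single indirect reference."""
    pdf = normalize_names(pdf)
    ref = re.search(rb"/OpenAction\s*(\d+)\s+(\d+)\s+R\b", pdf)
    if ref:
        body = get_object(pdf, int(ref.group(1)), int(ref.group(2)))
    else:
        direct = re.search(rb"/OpenAction\s*(<<.*?>>|\[.*?\])", pdf, re.S)
        body = direct.group(1) if direct else None
    if body is None:
        return None
    sub = re.search(rb"/S\s*(/[^\s/\[\]<>(){}%]+)", body)
    return sub.group(1) if sub else b"<dest>"


def extract_uris(pdf):
    """Literal-string /URI targets. Escaped parentheses and hex strings are not handled."""
    return re.findall(rb"/URI\s*\(([^)]*)\)", normalize_names(pdf))


def triage(pdf):
    counts = {k.decode(): count_keyword(pdf, k) for k in KEYWORDS}
    return {
        "objects": count_objects(pdf),
        "open_action": open_action_type(pdf),
        "keywords": counts,
        "uris": extract_uris(pdf),
        # A zero count is only meaningful when nothing is hidden in object streams.
        "counts_reliable": counts["/ObjStm"] == 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run against a real sample, read open_action together with counts_reliable: an /OpenAction whose subtype is /URI or /SubmitForm with no /JavaScript, /Launch or /EmbeddedFile and no object streams is a credential lure, which is consistent with the submit-error window title and the kb4.io traffic recorded in this report; any /ObjStm hit means the streams must be inflated before the counts are trusted.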

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Code function: 1_2_00734050 LdrInitializeThunk, 1_2_00734050
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000002.401554488.00000000054A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Behavior Graph

Behavior Graph ID: 330920 Sample: COVID19_MentalHealth.pdf Startdate: 15/12/2020 Architecture: WINDOWS Score: 52
Signatures on the sample: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree: AcroRd32.exe started RdrCEF.exe and a second AcroRd32.exe; RdrCEF.exe started four further RdrCEF.exe processes
DNS/IP: 192.168.2.1 (unknown) contacted by RdrCEF.exe; online-banking.kb4.io, landing.training.knowbe4.com and kb4.io resolved by the second AcroRd32.exe; 80.0.0.0 (NTLGB, United Kingdom) contacted by one of the RdrCEF.exe children

Contacted Public IPs

IP        Domain   Country         ASN   ASN Name  Malicious
80.0.0.0  unknown  United Kingdom  5089  NTLGB     false

Private

IP
192.168.2.1

Contacted Domains

Name                          IP            Active
landing.training.knowbe4.com  52.4.230.221  true
online-banking.kb4.io         unknown       unknown
kb4.io                        unknown       unknown