Analysis Report
View Shared File.pdf
Overview
General Information
Detection | Score | Range | Whitelisted | Confidence
---|---|---|---|---
HTMLPhisher | 56 | 0 - 100 | false | 100%
Signatures
Yara detected HtmlPhish10
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
No HTML title found
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Suspicious form URL found
IP address seen in connection with other malware
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Form action URLs do not match main URL
Potential document exploit detected (performs HTTP gets)
Contains functionality to read data from the clipboard
Classification
- System is w10x64
- AcroRd32.exe (PID: 4592 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\View Shared File.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)
- AcroRd32.exe (PID: 5236 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\Desktop\View Shared File.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)
- RdrCEF.exe (PID: 6240 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
- RdrCEF.exe (PID: 6416 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=4522651327695846108 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4522651327695846108 --renderer-client-id=2 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
- RdrCEF.exe (PID: 6436 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=10689791772710628581 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
- RdrCEF.exe (PID: 6476 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1168505979000462944 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1168505979000462944 --renderer-client-id=4 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
- conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- RdrCEF.exe (PID: 6588 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=12017203034287935800 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12017203034287935800 --renderer-client-id=5 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
- RdrCEF.exe (PID: 6168 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1325300201368898226 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1325300201368898226 --renderer-client-id=6 --mojo-platform-channel-handle=2804 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
- chrome.exe (PID: 3152 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation -- "http://v2.bpkbsaya.com/wp-includes/css/cPanel.SharePoint_documentOnline/redirecting.php MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 7016 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,1458980921024501746,2057635213361371639,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1908 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
- elevation_service.exe (PID: 3876 cmdline: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe MD5: AFD137B53BA091ACBA569255B16DF837)
- ChromeRecovery.exe (PID: 6240 cmdline: "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={3300d716-561c-4453-9d4f-82432db65734} --system MD5: 49AC3C96D270702A27B4895E4CE1F42A)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |

(3 further entries not shown)
No Sigma rule has matched
No Snort rule has matched
Signature details (the evidence values in this section were not preserved; only the evidence categories and their entry counts survive)

AV Detection
- Source: SlashNext

Phishing
- File source (8 entries)
- HTTP Parser (43 entries)
- HTTPS traffic detected (3 entries)

Further signature evidence (category headers not preserved)
- Directory created (9 entries)
- Binary string (2 entries)
- Code function: 39_2_000598C3 (1 entry)
- DNS query (1 entry)
- TCP traffic (2 entries)
- JA3 fingerprint (1 entry)
- IP Address (3 entries)
- Network traffic detected (104 entries)
- HTTP traffic detected (11 entries)
- String found in binary or memory (82 entries)
- DNS traffic detected (1 entry)