Edit tour

Windows Analysis Report
RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf

Overview

General Information

Sample name:	RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf
Analysis ID:	1430903
MD5:	7e47c958b1692373b43736de1dc29337
SHA1:	12e2bfd68f6f43b07e0693e67ffcdce95eed246a
SHA256:	ffc5639144a95a49708f5fa3dcff74f4cbf8e0c3d0433a741bb12528ff820fa5
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64native

AcroRd32.exe (PID: 2748 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf" MD5: 6791EAE6124B58F201B32F1F6C3EC1B0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engine

Classification label: clean0.winPDF@2/14@0/0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt22.lst.8580

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A91rqdk3h_hj9ru8_6mc.tmp

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown			Jump to behavior

Source: RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf	Initial sample: PDF keyword /JS count = 0
Source: RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430903
Start date and time:	2024-04-24 10:59:49 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf
Detection:	CLEAN
Classification:	clean0.winPDF@2/14@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .pdf Found PDF document Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.206.188.21, 23.206.188.49, 23.206.188.29, 23.206.188.30, 23.206.188.26, 23.206.188.61, 23.206.188.9, 23.206.188.33, 23.206.188.37, 104.114.76.152, 104.114.76.153, 104.114.76.144, 23.206.188.16, 23.206.188.25, 23.206.188.13, 23.206.188.53
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, login.live.com, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, acroipm2.adobe.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240424090531Z-160.bmp

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 134 x -190 x 32, cbSize 101894, bits offset 54
Category:	dropped
Size (bytes):	101894
Entropy (8bit):	1.8511774275375752
Encrypted:	false
SSDEEP:	384:E7NHsQL1iIV6ODF1jSwxzaKM7gwzgITAnfDDytQAndcucH3CMSadujozr2kZy:gdVsBjo3dAdKXCuua2wy
MD5:	B51C6BC841BC2965E0BE8C34C676CA61
SHA1:	0CCFA12EDFBAE2E0F8604702D4347F494FE7C0AF
SHA-256:	A12ADCA83632B7AD22CAAAF29ED20897DAD0D375451346DE162D9E640825B498
SHA-512:	CACC4B2858D3F35327E8D5D452792DA29001F29D554F0CA98298C17B3F80F62290BD8EC75F3B120DA0EAC415F80CA18F4C876352193D5B9B61BA7919E1B17090
Malicious:	false
Reputation:	low
Preview:	BM........6...(.......B..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035004, file counter 22, database pages 16, 1st free page 12, free pages 2, cookie 0x5, schema 4, UTF-8, version-valid-for 22
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.152792402577316
Encrypted:	false
SSDEEP:	384:vedThwtEL38KXlOmrhSZsLRGlMapvC+8ZsLTT1SwIvV:FK+ZsL7ZsLP1iV
MD5:	427B97C9D84680F9EC226D29566486F7
SHA1:	AC621FFBB9A0BB9F82E462CC2BA1C104DEC57E05
SHA-256:	D3E11DCF8EC724F30DC5D02E67C07927C5BECEFE281AFEE714CA9D3AD7B4BAE8
SHA-512:	207265C89593B0FE998E545B4283A044C8E2B8AC39D72B5735FB95806DFC661764DB5DFE9D8BA0CD18D9E3AF5EE4FFA592B05F9D490762DE2584DE98D61F5E83
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................O\|......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.207733292251011
Encrypted:	false
SSDEEP:	48:7M62iolVwiol3f/ol1Nol1Aiol1RROiol12EMol1C0fsol1O5iol8qumFTIF3XmJ:7cpw7gMa04YG9IVXEBodRBk7
MD5:	ADFCF51DFA9530FFC7CBAD49187BE3D4
SHA1:	6EC3E438481D9DDAD226BB65E3AAB712574FB0BA
SHA-256:	2F19036FD25872C0F54BCC0222956CE01D117D9E0BD85C12535DCC3DE7D416E4
SHA-512:	D86FA0E1F44EF8F9F6B7218C18999E1B69BA63A3F795561D44950A030DA873E443DB1B4B6D78E82F57E378B8330826952EB28112BA2DA87609E58148F89F64F2
Malicious:	false
Reputation:	low
Preview:	.... .c.....N................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................m...../.y.......~..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt21.lst (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	536
Entropy (8bit):	5.1705042823943
Encrypted:	false
SSDEEP:	12:T4RFe6h8idRuMgxg6dxs3yBFTtDclAzidRuOPgxg601s3yBFDHpco:kFqid8HxPs3yTTtLid8OPgx4s3yTDHJ
MD5:	56E447DEE3234B51F4CB740B28D8E808
SHA1:	EC3CA5EDFD96F7B7A4134259E39B1AD76CFFF871
SHA-256:	D5D86F909BF81CBA8F2473124E6111504DCC69547E7CE7775217ABE688A02EA1
SHA-512:	FC79C80334C70E73A0B057B1F5397749312FFF9AB98045BD36C4C7F3D263713D5F9AD8E474E570BBD05225A72EDD19CB4F92724E5741ED9005551B7BDDA0B67F
Malicious:	false
Reputation:	low
Preview:	%!Adobe-FontList 1.22.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426556052.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426556052.%EndFont..

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt22.lst.8580

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	536
Entropy (8bit):	5.1705042823943
Encrypted:	false
SSDEEP:	12:T4RFe6h8idRuMgxg6dxs3yBFTtDclAzidRuOPgxg601s3yBFDHpco:kFqid8HxPs3yTTtLid8OPgx4s3yTDHJ
MD5:	56E447DEE3234B51F4CB740B28D8E808
SHA1:	EC3CA5EDFD96F7B7A4134259E39B1AD76CFFF871
SHA-256:	D5D86F909BF81CBA8F2473124E6111504DCC69547E7CE7775217ABE688A02EA1
SHA-512:	FC79C80334C70E73A0B057B1F5397749312FFF9AB98045BD36C4C7F3D263713D5F9AD8E474E570BBD05225A72EDD19CB4F92724E5741ED9005551B7BDDA0B67F
Malicious:	false
Reputation:	low
Preview:	%!Adobe-FontList 1.22.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426556052.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426556052.%EndFont..

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt21.lst (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	536
Entropy (8bit):	5.1705042823943
Encrypted:	false
SSDEEP:	12:T4RFe6h8idRuMgxg6dxs3yBFTtDclAzidRuOPgxg601s3yBFDHpco:kFqid8HxPs3yTTtLid8OPgx4s3yTDHJ
MD5:	56E447DEE3234B51F4CB740B28D8E808
SHA1:	EC3CA5EDFD96F7B7A4134259E39B1AD76CFFF871
SHA-256:	D5D86F909BF81CBA8F2473124E6111504DCC69547E7CE7775217ABE688A02EA1
SHA-512:	FC79C80334C70E73A0B057B1F5397749312FFF9AB98045BD36C4C7F3D263713D5F9AD8E474E570BBD05225A72EDD19CB4F92724E5741ED9005551B7BDDA0B67F
Malicious:	false
Reputation:	low
Preview:	%!Adobe-FontList 1.22.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426556052.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426556052.%EndFont..

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt21.lst (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10254
Entropy (8bit):	5.221256140712948
Encrypted:	false
SSDEEP:	192:rsA2c6f6L76nx6g6Z6l6W6j6Lfs62tRZ6atsu6HtG16PCRtXr565B:rxXY6sHg4RYCfsztRZxtsuMtG18O7s7
MD5:	0D822282FD7C0480DCB2262B472D8AA2
SHA1:	B1673799A73B8822ADCECDDD66FFEBA173E52774
SHA-256:	8C5D43C8451A2000938103DAE339040ED5D4E4A0E3E5A80FB846FBF765DD5105
SHA-512:	F269708167ED599323F9758587932AFBAE903F8E6FC228167A50FF7491586E6E1352BB8AFBD38749FEFD26C6E37716C1C70557D694B098D33116041361E4FF83
Malicious:	false
Reputation:	low
Preview:	%!Adobe-FontList 1.22.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426556052.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426556052.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:Type1.FontName:AdobePiStd.FamilyName:Adobe Pi Std.StyleName:Regular.FullName:Adobe Pi Std.MenuName:Adobe Pi Std.StyleBits:0.WritingScript:Roman.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.DataFormat:sfntData.UsesStandardEncoding:yes.isCFF:yes.hasSVG:no.VariableFontType:NonVariableFont.FileLength:85552.FileModTime:1627108754.WeightClass:400.WidthClass:5.AngleClass:0.Des

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt22.lst.8580

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10254
Entropy (8bit):	5.221256140712948
Encrypted:	false
SSDEEP:	192:rsA2c6f6L76nx6g6Z6l6W6j6Lfs62tRZ6atsu6HtG16PCRtXr565B:rxXY6sHg4RYCfsztRZxtsuMtG18O7s7
MD5:	0D822282FD7C0480DCB2262B472D8AA2
SHA1:	B1673799A73B8822ADCECDDD66FFEBA173E52774
SHA-256:	8C5D43C8451A2000938103DAE339040ED5D4E4A0E3E5A80FB846FBF765DD5105
SHA-512:	F269708167ED599323F9758587932AFBAE903F8E6FC228167A50FF7491586E6E1352BB8AFBD38749FEFD26C6E37716C1C70557D694B098D33116041361E4FF83
Malicious:	false
Preview:	%!Adobe-FontList 1.22.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426556052.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426556052.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:Type1.FontName:AdobePiStd.FamilyName:Adobe Pi Std.StyleName:Regular.FullName:Adobe Pi Std.MenuName:Adobe Pi Std.StyleBits:0.WritingScript:Roman.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.DataFormat:sfntData.UsesStandardEncoding:yes.isCFF:yes.hasSVG:no.VariableFontType:NonVariableFont.FileLength:85552.FileModTime:1627108754.WeightClass:400.WidthClass:5.AngleClass:0.Des

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	12450
Entropy (8bit):	1.1201007619447507
Encrypted:	false
SSDEEP:	24:5AZfYDILYWb8eqWaxUvZM9wHoWaxtexYMDWBVSPY/ovsLxLJlCj7:5AS43cdyRM9pdI+/SPY/ovQxLJY7
MD5:	D5370854BF762FD366FCEA9FC2C3DB06
SHA1:	4E3A68EBC9056508A4A1A46CCE21872495AE1E9D
SHA-256:	145B5CA07CD65F15A83B1FA3F3CC37D76ED937CFD0D1517A30BAF1E2FEF9D60F
SHA-512:	AAFEA6BBD2C5BF5534E2CDEF749769DE6DD5DDFDC39D8CBBEA9E98B645415D8C6C5ADC745381467CFA6973073F243F33ADD5A0200FE437CC4E252BDBB52BB15C
Malicious:	false
Preview:	Adobe Acrobat Reader DC (32-bit) 21.0....?A12_Cur_Wait_7_10. ... ....... ..........................l.......................T...................................................................................................................................l...........................................................................................$...............................................................................................................................0...."""..............ttt....................................................................................................H........................,,,...............................................................................................<....%%%.............................RRR...................................................................................................................ppp.........RRR................................................................................lttt.................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr81920.dat

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	280877
Entropy (8bit):	2.4838683753862703
Encrypted:	false
SSDEEP:	3072:CuIue47fngQAfngfBYosQvPI3fQAHfQPnPs3g/nAIe:sR
MD5:	229336FE2A0A88A8853323CDC037DF45
SHA1:	F9318FD12308EC153BCCB5AAA49CAACDB5F69623
SHA-256:	08D2CA312202A6D76173B977C9B82DD08478300A6685C345894BD56491A28A46
SHA-512:	55E21A71488FC1674171148E32769E0171D6619C33F5A7465C7A81190B1D3B3AB4420F4E5D24F1D7470C6289AF0FAAC54B2B47C04543D7DA285A707327B2A1A0
Malicious:	false
Preview:	Adobe Acrobat Reader DC (32-bit) 21.0....?A12_FindInDocument.....................................................................................................................................................................................ppp@pppPppp.ppppppp@ppp.....................................................................................ppp ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp`....................................................................ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp0........................................................ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp`................................................ppp.ppp.ppp.ppp.ppp.ppp.pppP....................ppp ppp.ppp.ppp.ppp.ppp.ppp@............................................ppp.ppp.ppp.ppp.ppp.....................................ppp@ppp.ppp.ppp.ppp.ppp.....................................ppp@ppp.ppp.ppp.ppp.............................................ppp0ppp

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	945
Entropy (8bit):	5.085781314383326
Encrypted:	false
SSDEEP:	24:YFuuRCzi56W9fg56Uxvj56R2clx2LSC56+Xma560OG:YD8i56W9o56+56RdxY56+Xma56w
MD5:	074495CEAA2EDAE4A3C2B7183B415DF1
SHA1:	536EA69D6284534537A8EBBB2F646F04284744B9
SHA-256:	0270E9BEFD4BB94A2FD8882734FEFD26214E6E2FBBC89F4A79D82302A90A9C26
SHA-512:	EC5C17228930B2C651FD32DABB5F532FBFAFA733005EBC1ED2B4146EF18D4F1F980EC3AB3DE1F37584B123D55899BCE72C384F9BE35D3FBF1AC7DA529182790A
Malicious:	false
Preview:	{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1713949529000},{"id":"Edit_InApp_Aug2020","info":{"dg":"2646f0f0f5dd62f2d56ca1c033033c58","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":1642668697000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"6b5098d964b65c5397b668715cc670a2","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1393,"ts":1642668697000},{"id":"DC_Reader_Upsell_Cards","info":{"dg":"0e188ce3b10d082e729bd3a233cfaf51","sid":"DC_Reader_Upsell_Cards"},"mimeType":"file","size":286,"ts":1642668697000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"74af15052665af89ad7102a0cb63a33a","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1642668697000},{"id":"DC_Reader_RHP_Retention","info":{"dg":"38b4eab1fcf9ab6a31440a452fcbde2b","sid":"DC_Reader_RHP_Retention"},"mimeType":"file","size":287,"ts":1642668697000}],"g_info":{"Version":"0.0.0.1"}}

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.6729637696348455
Encrypted:	false
SSDEEP:	12:B+e1Jl0bfJJJlmIoVEst/0cD3Cjc007UVQAsXCp:BRHl0Jlmyst/0sD007UVQvo
MD5:	B477F43DD1358C1AD5FBA461B976D6CD
SHA1:	39642F53383D15FDAB62DC299610A3BCDA3CDDF4
SHA-256:	6FBA3ED73D2D73994CDEFA8B3A57C9052772FF8C3EB724B288B0C4F9249F6E9D
SHA-512:	D08ED47BA28065FBF789833B7D1DBE5E9AC65B0A00F94CCB2CA80827C1CC6D7EF8ACAE8D03E690627FDABDB3850B8E54EB74C96A1E96FBFB5CD73DDFC9FF4384
Malicious:	false
Preview:	...Q^`......yh."1..W...H.h...G.;Mfh.o. ....F.yy.........\c]M.\|9...)O9.?.u... ....-....P..\|.Hh[...?...+F....5.B.w;(9....O...........p.).J4.....0.oZC0+...+./d4..#.?.Q.Y...r....Uq...^.)..7Q.a.;]..QH.:....m...4....Z.Fahw.p.Yy.]....>.gb..1..8.........1.4=..}m.^....>'...d[Io......Eb.y..S;2.@.C.....U.....(.L.4....:.........~7T9...9.w.SW......,......OA.$F...30...v.?..4.!.B.,............G..f.{gd.........-.s...`....g.^}....m..'\iyx...O..s ...Z...I_5.>.m..u..8..i7e...C.H*.3ghH.?....f....T..-.i.$...F..a.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	0.7529636696202866
Encrypted:	false
SSDEEP:	24:z6cK50wbpTIuf2jPSMxmOd34AKmsoVp9EFsUxx4ABfL3s+V:z6rN91fKqMx57HbmFsMxtg+V
MD5:	622E9E5B7E58CE2892C286F4161217E5
SHA1:	0D773A479247071F622B36834BE63C9A012D04E2
SHA-256:	04A4A1FF7077045427BFF34F2F0359BF1516D9C8D463BFD652E85B7FA269FFAC
SHA-512:	D6447761B8EBCDEFBF7EF36681767007A52BE48D06F804425F8F4B948629DCC46B572770C529DCEABFFA71CE0B8D81882E31D86F6EBF544A869AB8E20688D74C
Malicious:	false
Preview:	....w.B..6.0.G.V5..O..h.I.z..`.(Sc{=...........Xu\..e[b..+_0.1......D..!;._..{......U..y.....Sb...{......M..H..(.Q.+Ib9...... $eCh+....a..9X5..`v".5..@:...d2W1..d....j~^.-W.#y...X..<.'f..@.G. ...l1...'.......8.'.m.m..0.R&.K..RCX.ji...R.q..V....H]._...z+o..J...0E."F..;.n..H..f.O.=tw.X6.....k.=..M.6e.{....#M.s}.....f...(.a..:^.i.f.b..X..`.5.<(4..fJ9..c..V>..E.......t..7<pi.rm...m...Ei..R.UK.[..8....n\|..z.......=..l.-.......Q6.i.=.89.Y..}.v.......[2..8Dm.Uf.-.OVu..b.o.h.o.p(....8.r.N8.;...%0/......!~f..g...y.B...>ei]1..C.V...;p.]...R.F..Q39e..H.i.(#....Y.%f...ek-n...G...V(/.S~....A.......I.....,T..t]. d.D..*.(..H..W./@.....s..N.v\.eJ....)...)...v.\Ar.?.Fi.W\.]..].\........................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PDF document, version 1.7 (zip deflate encoded)
Entropy (8bit):	7.695349617432734
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf
File size:	85'490 bytes
MD5:	7e47c958b1692373b43736de1dc29337
SHA1:	12e2bfd68f6f43b07e0693e67ffcdce95eed246a
SHA256:	ffc5639144a95a49708f5fa3dcff74f4cbf8e0c3d0433a741bb12528ff820fa5
SHA512:	8f54012663cbefaba10ef0d3fcdaa5e896e18be83bad60dafbaf6d3c5bb481d754259a22d541d61b6c24534c67b1ae227c86d82ec27f98594223dd510713b43e
SSDEEP:	1536:c0m2JlZOOXHz2SCEIZiKiM+QTyeOjhzfebYbGVym0j:plsqvCEdK5++ypxfSYUa
TLSH:	878302940D97E8D1AC1F0460EFC88512D49B1CBA64456476B93CBA7CEF32E967C6C347
File Content Preview:	%PDF-1.7.%......12 0 obj.<</Linearized 1/L 85490/O 14/E 35824/N 2/T 85179/H [ 446 144]>>.endobj. ..18 0 obj.<</DecodeParms<</Columns 3/Predictor 12>>/Filter/FlateDecode/ID[<A6E52039889B6195B13535B8AF56AD0C><1E5B174929918E48BE4647896F0A212

File Icon


Icon Hash:	62cc8caeb29e8ae0

Static PDF Info

General
Header:	%PDF-1.7
Total Entropy:	7.695350
Total Bytes:	85490
Stream Entropy:	7.692693
Stream Bytes:	83411
Entropy outside Streams:	5.354563
Bytes outside Streams:	2079
Number of EOF found:	2
Bytes after EOF:

Keywords Statistics

Name	Count
obj	16
endobj	16
stream	12
endstream	12
xref	0
trailer	0
startxref	2
/Page	2
/Encrypt	0
/ObjStm	4
/URI	0
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: AcroRd32.exePID: 2748, Parent PID: 5316

General

Target ID:	0
Start time:	11:05:25
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf"
Imagebase:	0xa0000
File size:	3'014'368 bytes
MD5 hash:	6791EAE6124B58F201B32F1F6C3EC1B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240424090531Z-160.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt21.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt22.lst.8580

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt21.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt21.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt22.lst.8580

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr81920.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Static File Info

General

File Icon

Static PDF Info

General

Keywords Statistics

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: AcroRd32.exePID: 2748, Parent PID: 5316

General

Chronological Activities

Disassembly

Windows Analysis Report
RP4ICG2DE42ZABHS_Nota n.19273 del 22-4-2024.pdf