87.pdf
This report is generated from a file or URL submitted to this webservice on December 10th 2018 08:13:13 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxp://129.137.4.120/Publications/PDFfiles/87.pdf
Indicators
Suspicious Indicators 1
General
Opened the service control manager
- details
- "AcroRd32.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035
Informative 6
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/58 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Contains object with compressed stream data
- details
Object ID 10 contains compressed stream data: No filters
Object ID 14 contains compressed stream data: \xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7 ...
Object ID 16 contains compressed stream data: No filters
Object ID 20 contains compressed stream data: \xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7 ...
Object ID 22 contains compressed stream data: No filters
Object ID 26 contains compressed stream data: \xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7 ...
Object ID 28 contains compressed stream data: No filters
Object ID 32 contains compressed stream data: \xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7 ...
Object ID 34 contains compressed stream data: No filters
Object ID 38 contains compressed stream data: \xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7 ...
Object ID 40 contains compressed stream data: No filters
Object ID 44 contains compressed stream data: \xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7\xd7 ...
Object ID 47 contains compressed stream data: \x00\x00\x00\x00\x003\x00\x00f\x00\x00\x99\x00\x00\xcc\x00\x00\xff\x003\x00\x0033\x003f\x003\x99\x003\xcc\x003\xff\x00f\x00\x00f3\x00ff\x00f\x99\x00f\xcc\x00f\xff\x00\x99\x00\x00\x993\x00\x99f\x00\x99\x99\x00\x99\xcc\x00\x99\xff\x00\xcc\x00\x00\xcc3\x00\xc ...
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1207
Creates mutants
- details
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagEJHCOKJGMLKAAAAA"
"\Sessions\1\BaseNamedObjects\Local\Acrobat Instance Mutex"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
"\Sessions\1\BaseNamedObjects\Local\c:!users!%OSUSER%!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!%OSUSER%!appdata!roaming!microsoft!windows!cookies!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!%OSUSER%!appdata!local!microsoft!windows!history!history.ie5!"
"\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
- source
- Created Mutant
- relevance
- 3/10
PDF contains no significant text data on the first page(s)
- details
- The input has no visible characters on the first 5 page(s)
- source
- Static Parser
- relevance
- 5/10
Scanning for window names
- details
"AcroRd32.exe" searching for class "AdobeAcrobatSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for class "AdobeReaderSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for window "_AcroAppTimer"
"AcroRd32.exe" searching for class "Acrobat Instance Window Class"
"AcroRd32.exe" searching for class "ACROSEMAPHORE_R11"
"AcroRd32.exe" searching for class "JFWUI2"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
Installation/Persistence
Dropped files
- details
"A9R7E8B.tmp" has type "data"
"A9R7E8F.tmp" has type "data"
"A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" has type "data"
"A9R7E8C.tmp" has type "data"
"AdobeFnt14.lst.2748" has type "PostScript document text"
"A9R7E8A.tmp" has type "data"
"A9R7E8E.tmp" has type "data"
"A9R7E90.tmp" has type "data"
"A9R7E91.tmp" has type "data"
"48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" has type "data"
"A9R7E92.tmp" has type "data"
"A9R7E89.tmp" has type "data"
- source
- Binary File
- relevance
- 3/10
File Details
87.pdf
- Filename
- 87.pdf
- Size
- 795KiB (813985 bytes)
- Type
- Description
- PDF document, version 1.3
- Document producer
- Image Alchemy v1.11
- Document pages
- 6
- Architecture
- WINDOWS
- SHA256
- fe852c89c32bcab29eab73528df6b2f5383f2df913c512ce513b82098337feff
- MD5
- 5c67e9152bbc838e2d56cd4eee11a433
- SHA1
- c21aa3ed4566346efcc3dda3c2a18d616b02cc33
- ssdeep
- 12288:cvLCSjtm0cOIjA0KwA/O7KZt3UULCjGYFZq7EfIz8doT9HcLyXUMfJdJc:4CSjthY+TZRnCjGmUiWdO
Classification (TrID)
- 62.5% (.PDF) Adobe Portable Document Format
- 37.5% (.GBR) Gerber printed circuit description
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- AcroRd32.exe "C:\87.pdf" (PID: 2748)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 12 of 13 extracted files; the remaining file is available in the full version and in the XML/JSON reports.
Informative 12
AdobeFnt14.lst.2748
- Size
- 512B (512 bytes)
- Type
- text
- Description
- PostScript document text
- Runtime Process
- AcroRd32.exe (PID: 2748)
- MD5
- 60d86be8d31b494b0edf0cb1edc33bd7
- SHA1
- 7845d6a6eb46a17afee8d2821c0173b539fe1a57
- SHA256
- 133a54800ed9a7951a92d11b92f5b8822fd49f071f3ecf0240cb4e0464cd9379
A9R7E89.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 2748)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
A9R7E8A.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 2748)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
A9R7E8B.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 2748)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
A9R7E8C.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 2748)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
A9R7E8E.tmp
- Size
- 45KiB (46135 bytes)
- Type
- java compressed jar
- Runtime Process
- AcroRd32.exe (PID: 2748)
- MD5
- 7de4a2e866ed8aefb829cf5e04db261a
- SHA1
- 38a68fded15d2c8950a6b0d855492e5b4ce7ed95
- SHA256
- 70bdea097b02d2cba9f5363f9e986cc5ba57267999374c303a248d01000d713b
A9R7E8F.tmp
- Size
- 41KiB (41629 bytes)
- Type
- java compressed jar
- MD5
- 2270aa3192da68562fdb1e4c468b13df
- SHA1
- 0efdaae1163af1ac0c61c6e5f92714cdbb03e41a
- SHA256
- 5c74fec27dec1d0fe65987b22d85ba7953e118b34ed48ad59a8000e4d3d4f975
A9B8213768ADC68AF64FCC6409E8BE414726687F.crl
- Size
- 37KiB (37738 bytes)
- Type
- data
- MD5
- a06b6c70aeff14f9d5d832328d6ba9cc
- SHA1
- f8ae2360bef62d9ea534a84ecc020fdd3ddac342
- SHA256
- 8cf6c9ed096a1a081b4d6caa8f7ca3ddcb49559758a17ece6528e9d68f1a82f1
A9R7E90.tmp
- Size
- 38KiB (38445 bytes)
- Type
- java compressed jar
- MD5
- c2be4c74c4d98eac6140acb383f77d0b
- SHA1
- a54e90b58dd2463d913142d4d7ec1d038f249c55
- SHA256
- d1e10ebe9f745f12c7b29f0a7ca27c576c0ba1e37fdcc19563e822c6692a1d68
A9R7E91.tmp
- Size
- 80KiB (81944 bytes)
- Type
- java compressed jar
- MD5
- 39c9b484f43d03a05d306bc7bcc16654
- SHA1
- 1cb992eaff6228116e55b858f2ed825b09f2f50b
- SHA256
- fa5fdebe80ec0ce7dc40738b4fd46a9e9b36eca6a810c523ee6ef3fd40b4179e
48B76449F3D5FEFA1133AA805E420F0FCA643651.crl
- Size
- 1KiB (1073 bytes)
- Type
- data
- MD5
- 50cff9836166efb67d554f6459b1deae
- SHA1
- 620120882348ccf2a2104a8d069e60797d25c906
- SHA256
- fd4267c76d161423e97f6cd1dfc5090cdc01ccad3713635d3b3a58a7a5c5858c
A9R7E92.tmp
- Size
- 35KiB (35731 bytes)
- Type
- java compressed jar
- MD5
- 60fb8491aa4b141264152614c765d450
- SHA1
- c33105a5d6bda4f09bfcd774ade9a62e77e131ee
- SHA256
- 3184ca2a7ef723d242309f3770e6f60ac57e436ee3eb2b434112d0df848e5c60