New for 2018.pdf
This report is generated from a file or URL submitted to this webservice on November 27th 2017 14:22:50 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.20 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Suspicious Indicators 1
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques using MAC address detection (the matched text shown under "details" is a run of PDF cross-reference table entries of the form `NNNNNNNNNN 00000 n`, so this heuristic hit is weak on its own and needs corroboration from other indicators before it is read as sandbox evasion)
- details
-
"00000 n
0003491739 00000 n
0003491556 00000 n
0003491586 00000 n
0004216228 00000 n
0001860049 00000 n
0000005194 00000 n
0000005694 00000 n
0004776893 00000 n
0004508539 00000 n
0004216342 00000 n
0004216258 00000 n
0004216288 00000 n
0004975836 00000 n
0001860236 00000 n
0000005714 00000 n
0000623129 00000 n
0005248200 00000 n
0005229837 00000 n
0005198267 00000 n
0005087577 00000 n
0005058664 00000 n
0004975983 00000 n
0004975866 00000 n
0004975896 00000 n
0005264717 00000 n
0001860423 00000 n
0000623152 00000 n
0000623873 00000 n
0006003078 00000 n
0005768931 00000 n
0005488328 00000 n
0005264843 00000 n
0005264747 00000 n
0005264777 00000 n
0006165630 00000 n
0001860612 00000 n
0000623893 00000 n
0000973349 00000 n
0006504171 00000 n
0006459364 00000 n
0006433085 00000 n
0006411120 00000 n
0006390827 00000 n
0006382382 00000 n
0006374309 00000 n
0006366182 00000 n
0006358929 00000 n
0006331506 00000 n
0006304904 00000 n
0006280482 00000 n
0006165894 0000" (Indicator: "000569") - source
- File/Memory
- relevance
- 10/10
-
Possibly tries to implement anti-virtualization techniques using MAC address detection
-
Informative 9
-
Environment Awareness
-
Reads the registry for installed applications
- details
-
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AC76BA86-7AD7-1031-7B44-AB0000000001}")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AC76BA86-7AD7-1031-7B44-AB0000000001}"; Key: "VERSION"; Value: "0000000004000000040000000900000B") - source
- Registry Access
- relevance
- 10/10
-
Reads the registry for installed applications
-
General
-
Accesses System Certificates Settings
- details
-
"AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
"AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\PROTECTEDROOTS"; Key: "CERTIFICATES")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\18F7C1FCC3090203FD5BAA2F861A754976C8DD25"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\245C97DF7514E7CF2DF8BE72AE957B9E04741E85"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\3B1EFD3A66EA28B16697394703A72CA340A05BD5"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7F88CD7223F3C813818C994614A89C99FA3B5247"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\8F43288AD272F3103B6FB1428485EA3014C0BCFE"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A43489159A520F0D93D032CCAF37E7FE20A8B419"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BE36A4562FB2EE05DBB3D32323ADF445084ED656"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\CDD4EEAE6000AC7F40C3802C171E30148030C072"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\02FAF3E291435468607857694DF5E45B68851868"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\039EEDB80BE7A03C6953893B20D2D9323A4C2AFD"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"; Key: "BLOB")
"AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\07E032E020B72C3F192F0628A2593A19A70F069E"; Key: "BLOB") - source
- Registry Access
- relevance
- 10/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\Acrobat Instance Mutex"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
"\Sessions\1\BaseNamedObjects\Local\c:!users!fcy8ojn!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!fcy8ojn!appdata!roaming!microsoft!windows!cookies!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!fcy8ojn!appdata!local!microsoft!windows!history!history.ie5!"
"\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
"Local\c:!users!fcy8ojn!appdata!roaming!microsoft!windows!cookies!"
"Local\WininetProxyRegistryMutex"
"RasPbFile"
"Local\WininetConnectionMutex"
"{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagEJHCMDIGMHOAAAAA"
"Local\Acrobat Instance Mutex"
"DBWinMutex"
"Local\c:!users!fcy8ojn!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"Local\c:!users!fcy8ojn!appdata!local!microsoft!windows!history!history.ie5!"
"Local\_!MSFTHISTORY!_"
"IESQMMUTEX_0_208" - source
- Created Mutant
- relevance
- 3/10
-
Opened the service control manager
- details
- "AcroRd32.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
-
Requested access to a system service
- details
-
"AcroRd32.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"AcroRd32.exe" called "OpenService" to access the "rasman" service
"AcroRd32.exe" called "OpenService" to access the "RASMAN" service
"AcroRd32.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"AcroRd32.exe" called "OpenService" to access the "gpsvc" service - source
- API Call
- relevance
- 10/10
-
Scanning for window names
- details
-
"AcroRd32.exe" searching for class "AdobeAcrobatSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for class "AdobeReaderSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for window "_AcroAppTimer"
"AcroRd32.exe" searching for class "Acrobat Instance Window Class"
"AcroRd32.exe" searching for class "ACROSEMAPHORE_R11"
"AcroRd32.exe" searching for class "JFWUI2" - source
- API Call
- relevance
- 10/10
-
Sent a control code to a service
- details
-
"AcroRd32.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"AcroRd32.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc" - source
- API Call
- relevance
- 10/10
-
Accesses System Certificates Settings
-
Installation/Persistence
-
Dropped files
- details
-
"AdobeFnt14.lst.3708" has type "PostScript document text"
"A9R46A4.tmp" has type "data"
"A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" has type "data"
"A9R46A9.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
"A9R46AA.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
"A9R46A2.tmp" has type "data"
"A9R46A8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
"48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" has type "data"
"A9R46A5.tmp" has type "data"
"A9R46A3.tmp" has type "data"
"A9R46A7.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
"A9R46AB.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - source
- Binary File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory (the single pattern match is the RDF syntax namespace URI that PDF XMP metadata normally carries; the two heuristic matches are short byte runs that merely resemble hostnames, and no DNS or HTTP activity was observed at runtime)
- details
-
Heuristic match: "q+
NBe.dk"
Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
Heuristic match: "y^(7kmHs;.za" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
New for 2018.pdf
- Filename
- New for 2018.pdf
- Size
- 17MiB (17755065 bytes)
- Type
- Description
- PDF document, version 1.4
- Architecture
- WINDOWS
- SHA256
- 5e687cf1368ed7a5b7a196fa3caad0849b18ebf1277c00d74dad6df9efff7d2f
- MD5
- 2244b296219d126b26f641067e0315c3
- SHA1
- 8135fd45a6dd76c3c765956ee56b65c6168bfd8d
Classification (TrID)
- 100.0% (.PDF) Adobe Portable Document Format
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- AcroRd32.exe "C:\5e687cf1368ed7a5b7a196fa3caad0849b18ebf1277c00d74dad6df9efff7d2f.pdf" (PID: 3708)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 12 extracted file(s). The remaining 1 file is available in the full version and in the XML/JSON reports.
-
Informative 12
-
-
AdobeFnt14.lst.3708
- Size
- 512B (512 bytes)
- Type
- text
- Description
- PostScript document text
- Runtime Process
- AcroRd32.exe (PID: 3708)
- MD5
- 60d86be8d31b494b0edf0cb1edc33bd7
- SHA1
- 7845d6a6eb46a17afee8d2821c0173b539fe1a57
- SHA256
- 133a54800ed9a7951a92d11b92f5b8822fd49f071f3ecf0240cb4e0464cd9379
-
A9R46A2.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3708)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
-
A9R46A3.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3708)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
-
A9R46A4.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3708)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
-
A9R46A5.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3708)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
-
A9R46A7.tmp
- Size
- 45KiB (46135 bytes)
- Type
- java compressed jar
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process
- AcroRd32.exe (PID: 3708)
- MD5
- 7de4a2e866ed8aefb829cf5e04db261a
- SHA1
- 38a68fded15d2c8950a6b0d855492e5b4ce7ed95
- SHA256
- 70bdea097b02d2cba9f5363f9e986cc5ba57267999374c303a248d01000d713b
-
A9B8213768ADC68AF64FCC6409E8BE414726687F.crl
- Size
- 37KiB (37738 bytes)
- Type
- data
- MD5
- 2a1cbdea0d582abca8fddfd4a622a3f4
- SHA1
- 2366a4047c83457ea99d093b947e27ac861d9a71
- SHA256
- 7f566c8d4ce8ad497a49e67d0345af943ac7cc7917ea3072a3ce27e7a89e36ea
-
A9R46A9.tmp
- Size
- 38KiB (38445 bytes)
- Type
- java compressed jar
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5
- c2be4c74c4d98eac6140acb383f77d0b
- SHA1
- a54e90b58dd2463d913142d4d7ec1d038f249c55
- SHA256
- d1e10ebe9f745f12c7b29f0a7ca27c576c0ba1e37fdcc19563e822c6692a1d68
-
A9R46AA.tmp
- Size
- 80KiB (81944 bytes)
- Type
- java compressed jar
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5
- 39c9b484f43d03a05d306bc7bcc16654
- SHA1
- 1cb992eaff6228116e55b858f2ed825b09f2f50b
- SHA256
- fa5fdebe80ec0ce7dc40738b4fd46a9e9b36eca6a810c523ee6ef3fd40b4179e
-
A9R46A8.tmp
- Size
- 41KiB (41629 bytes)
- Type
- java compressed jar
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5
- 2270aa3192da68562fdb1e4c468b13df
- SHA1
- 0efdaae1163af1ac0c61c6e5f92714cdbb03e41a
- SHA256
- 5c74fec27dec1d0fe65987b22d85ba7953e118b34ed48ad59a8000e4d3d4f975
-
48B76449F3D5FEFA1133AA805E420F0FCA643651.crl
- Size
- 1KiB (1073 bytes)
- Type
- data
- MD5
- 8c6796db1c05059449d5afd6be214f2c
- SHA1
- 65ba42ecab374b5db2d641d9b94b75bc201ffeab
- SHA256
- cf5945f2eac7cdf094e9e5049238ebf36333d67662334eaecfee3f2f9b0110a3
-
A9R46AB.tmp
- Size
- 35KiB (35731 bytes)
- Type
- java compressed jar
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5
- 60fb8491aa4b141264152614c765d450
- SHA1
- c33105a5d6bda4f09bfcd774ade9a62e77e131ee
- SHA256
- 3184ca2a7ef723d242309f3770e6f60ac57e436ee3eb2b434112d0df848e5c60
-
Notifications
-
Runtime
- No static analysis parsing on sample was performed
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report