poslovne170823.pdf
This report was generated from a file or URL submitted to this web service on August 17th 2023 07:17:25 (UTC)
Guest System: Windows 10 64 bit, Professional, 10.0 (build 16299)
Report generated by Falcon Sandbox v10.2.0 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed in this public report.

Suspicious Indicators: 3 (1 shown, 2 hidden)

Exploit/Shellcode

Contains escaped byte string (often part of obfuscated shellcode)
details:
"%;>8;A:1:;A;>?5-A3@>? ( \x2dc / ( # & # , - 0 \x2d9 * ) , & ) / ( \x2dc & $ . \x2da \x2dc \x2d8 \x2d9 + \x2d9 $ \x2dc / ) 1 \x2dc - / + - \x2d9 % ! ) \x2da # ( \x2dc \x2db \x2d8 \x2db 2 4 6 2 - ( 1 $ * / $ 5 , 2 ' $ - ( % 4 2 - 3 7 6 1 , . $ - ( ' , 1 2 0 - ( 4 , / 2 6 2 * $ ' $ / , - ( ' $ 1 $ ( 4 2 ' 4 2 0 3 2 5 / 7 - ( ' 2 % 4 2 (42'420,74(*,217-$>$-71$4$>71,!5 : 5 > ? - = 7 ; 9 @ : 5 7 - / 5 6 - 5 < = ; 9 1 ? - ; > : 1 5 \x2db 1 = / 1 3 ; A 5 : 1 5 \x2db \x2c6 0 5 : \x2d9 ; = ? ; @ 3 ; > ? 5 ; 6 1 6 @ N 1 < = 1 0 > ? - A : 5 7 1 - 1 = ; 0 = ; 9 - @ 5 \x2db 7 - ; 5 0 5 = 1 7 ? ; = - / 5 A 5 8 : ; 3 D = - 7 ; < 8 ; A > ? A - \x2db \x2c7 \x2d8 \x2dd 8 - A : - ? 1 9 - > - > ? - : 7 - @ ' - = - 6 1 A @ . 5 8 5 > @ < = ; . 8 1 9 5 > - 7 ; 6 5 9 - > 1 > @ > = 1 L @ D = - N : 1 8 @ 7 1 @ 5 \x2db ' - > ? - : 7 @ 7 ; 0 \x2d9 ; = ? 1 < = 5 > @ > ? A ; A - 8 5 > @ 3 1 : 1 = - 8 : 5 0 5 = 1 7 ? ; = \x2db \x2c7 \x2d8 M 1 0 ; 9 5 = E @ G : 6 - = # - ? - 8 5 6 - ( = 5 A 5 L > - - : 6 - 8 @ N 7 ; 3 - 1 = ; 0 = ; 9 - \x2c7 J 1 A - 0 \x2db - 8 5 8 N 5 L > - " 1 O @ : - = ; 0 : ; 3 - 1 = ; 0 = ; 9 - ( @ D 8 - \x2da . = 5 / - 1 = . 1 = ; A 5 L @ 5 9 1 , = - N : 1 8 @ 7 1 " ; > ? - = ? 1 \x2c6 8 A 1 0 5 : 1 3 5 L > - ' - = - 6 1 A > 7 ; 3 - 1 = ; 0 = ; 9 - E @ G : 6 - = 6 1 5 > ? - 7 : @ ; 0 - 5 \x2db @ 9 : ; 3 ; 9 1 D - ; > ? - 6 1 > - \x2c6 A = ; < > 7 ; 9 @ : 5 6 ; 9 G ? ; 6 1 > 8 @ N - 6 5 7 ; 0 D = - N : ; 3 > - ; . = - L - 6 - ( - 7 ; O 1 = 3 ; A ; = 5 ; 6 1 5 ? ; 9 1 0 - \x2db \x2c7 \x2d8 : 5 6 1 6 1 0 5 : - 7 ; 6 - 6 1 D - > 8 @ J 1 : - D - - 1 = ; 0 = ; 9 1 - 8 5 0 - L 1 @ N 5 : 5 ? 5 > A 1 G ? ; 6 1 @ : 6 1 : ; 6 9 ; L 5 0 - > 1 > 5 ? @ - / 5 6 - : - - 1 = ; 0 = ; 9 5 9 - < ; . ; 8 6 G - ( = 5 A 5 L 6 1 5 > ? - 7 : @ 8 - A - J : ; > ? D - 6 1 0 : 5 N 7 5 4 > - > ? - : - 7 - < = 1 0 > ? - A : 5 7 - - 1 = ; 0 = ; 9 - ? 1 0 - > 1 9 ; = - < @ : ; = - 0 5 ? 5 : - < ; A 1 L - : 6 @ . = ; 6 - < @ ? : 5 7 - : - > A 5 9 - 1 = ; 0 = ; 9 5 9 - \x2da D ? 
; 3 = - D 8 ; 3 - 9 ; = - 8 1 . 5 > 1 ; ? 7 8 ; : 5 ? 5 9 : ; 3 ; . = ; 6 : 1 - 0 9 5 : 5 > ? = - ? 5 A : 1 . - = 5 6 1 = 1 7 ; 6 1 7 ; N 1 ? - 6 : - < = 1 0 - 7 # 1 ; < 4 ; 0 : ; 6 1 0 - ; 6 - N - 9 ; \x2db \x2c7 \x2d8 : 1 > - 9 ; @ 2 5 : - : > 5 6 > 7 ; 9 > 9 5 > 8 @ A 1 L @ > 9 5 > 8 @ 0 = J - A : ; 3 = 1 3 @ 8 - ? ; = - 7 ; 6 5 6 1 D - 0 @ J 1 : D - 7 ; : ? = ; 8 @ 8 1 ? 1 : 6 - 3 1 : 1 = - 8 : ; D - > A 1 > 1 3 9 1 : ? 1 D = - 7 ; < 8 ; A > ? A - 9 5 G 8 6 1 : 6 - 6 1 5 D A = G : 5 0 5 = 1 7 ? ; = D - > - ; . = - L - 6 5 @ > 8 @ 3 1 @ D = - N : ; 9 > - ; . = - L - 6 @ ' - = - 6 1 A > 7 ; 3 - 1 = ; 0 = ; 9 - \x2c6 8 A 1 0 5 : 1 3 5 L \x2d9 ; = ? ; 6 1 : - 3 8 - > 5 ; 0 - 6 1 . = ; 6 < @ ? : 5 7 - 6 1 0 5 : ; 9 6 1 = 5 8 ; ? ; 3 - 0 - 8 5 6 1 0 - : - 1 = ; 0 = ; 9 < ; > 8 @ 6 1 0 ; . = ; \x2d8 5 8 6 6 1 < ; A 1 L - ? 5 . = ; 6 < @ ? : 5 7 - 5 ? ; 6 1 6 1 0 5 : ; 9 6 1 = 5 8 ; D - - 1 = ; 0 = ; 9 1 5 ? @ > 9 ; 0 - < ; 9 ; 3 : 1 9 ; ) = 1 3 5 6 5 5 9 - 9 ; ? = 1 : 0 ; A 1 0 - - 1 = ; 0 = ; 9 5 6 - N - 6 @ : - = - N @ : - 1 = ; 0 = ; 9 - 5 D 5 \x2db $ N 1 7 @ 6 1 9 ; 0 - ; 0 8 @ 7 1 0 ; : 1 > 1 9 ; D - 6 1 0 : ; - ? 5 N @ > 1 = - D A 5 6 - : 6 @ - 1 = ; 0 = ; 9 - 7 ; : 1 = - > ? 1 . = ; 6 < @ ? : 5 7 - : 1 9 - = - D A ; 6 - > 9 - ? = - \x2d9 ; = ? ; # - 3 8 - G 1 : ; 6 1 ? - 7 ; O 1 = 0 - 6 1 ; A ; < = A 5 @ : 5 D @ > - > ? - : - 7 - 7 ; 6 5 L 1 . 5 ? 5 ; 0 = J - : 5 > / 5 8 6 1 9 < ; . ; 8 6 G - : 6 - - A 5 ; > - ; . = - L - 6 - @ 5 \x2db % = ; > 6 1 N : - 9 6 1 > 1 N : - 5 > < 8 - L 1 : - : 1 ? ; < 8 - ? - < ; D - < ; > 8 1 : ; 9 D - 6 @ : 5 3 ; 0 5 : 1 @ \x2d9 1 0 1 = - / 5 6 5 ; > : 1 5 \x2db 1 = / 1 3 ; A 5 : 1 \x2d9 5 \x2db 5 D : ; > 5 8 - 6 1 " 5 : ; 9 5 : - 8 : ; 6 1 : 5 J - D - < ; > ? ; - = 1 - 8 : ; D - < ; > ? ; @ ; 0 : ; > @ : - < = 1 ? 4 ; 0 : 5 9 6 1 > 1 / ) ; 0 : ; > @ : - 5 > ? 5 9 6 1 > 1 / < = 1 ? 4 ; 0 : 1 3 ; 0 5 : 1 < = ; > 6 1 N : - 5 > < 8 - L 1 : - : 1 ? ; < 8 - ? - D - 6 @ : 5 3 ; 0 5 : 1 : ; 9 5 : - 8 : ; 6 1 A 5 G - D - < ; > ? 
; - = 1 - 8 : ; D - < ; > ? ; : - 8 5 D - < ; 0 - ? - 7 - < = 1 9 - 0 6 1 8 - ? : ; > ? 5 9 - \x2c7 5 \x2db @ - < = 5 @ @ ; 0 : ; > @ : - 9 - = ? 3 ; 0 5 : 1 < ; 7 - D @ 6 1 0 - 6 1 : - 6 A 1 L 1 > 9 - : 6 1 : 6 1 < = ; > 6 1 N : 1 9 6 1 > 1 N : 1 5 > < 8 - L 1 : 1 : 1 ? ; < 8 - ? 1 D - . 5 8 6 1 J 1 : ; @ \x2c7 6 1 8 - ? : ; > ? 5 D 0 = - A > ? A 1 : 1 5 > ; / 5 6 - 8 : 1 D - G ? 5 ? 1 D - < ; > ? ; % = ; 5 D A ; 0 : 6 5 5 > : - . 0 5 6 1 A - : 6 @ 1 8 1 7 ? = 5 N : ; 9 1 : 1 = 3 5 6 ; 9 < 8 5 : ; 9 < - = ; 9 5 7 8 5 9 - ? 5 D - / 5 6 5 D - < ; > ? ; 5 % ; 8 6 ; < = 5 A = 1 0 5 G @ 9 - = > ? A @ 5 = 5 . ; 8 ; A @ D - < ; > ? ; ) 5 > ? ; A = 5 6 1 9 1 : - 6 A 1 L 1 < ; A 1 L - : 6 1 < = ; > 6 1 N : 1 9 6 1 > 1 N : 1 5 > < 8 - L 1 : 1 : 1 ? ; < 8 - ? 1 D - . 5 8 6 1 J 1 : ; 6 1 @ 0 6 1 8 - ? : ; > ? 5 % = 5 6 1 A ; D 5 > 7 8 - 0 5 G ? 1 : 6 1 D - < ; > ? ; ? 1 $ > ? - 8 1 @ > 8 @ J : 1 0 6 1 8 - ? : ; > ? 5 D - < ; > ? ; % = ; > 6 1 N : - 9 6 1 > 1 N : - 5 > < 8 - L 1 : - . = @ ? ; < 8 - ? - < ; D - < ; > 8 1 : ; 9 D - 6 @ : 5 3 ; 0 5 : 1 @ \x2d9 1 0 1 = - / 5 6 5 5 \x2db 5 D : ; > 5 8 - 6 1 " 5 : ; 9 5 : - 8 : ; 6 1 : 5 J - D - < ; > ? ; - = 1 - 8 : ; D - < ; > ? ; @ ; 0 : ; > @ : - < = 1 ? 4 ; 0 : 5 9 6 1 > 1 / ) ; 0 : ; > @ : - 5 > ? 5 9 6 1 > 1 / < = 1 ? 4 ; 0 : 1 3 ; 0 5 : 1 < = ; > 6 1 N : - . = @ ? ; < 8 - ? - D - < ; > 8 1 : 5 4 D - 6 @ : 5 3 ; 0 5 : 1 : ; 9 5 : - 8 : ; 6 1 A 5 G - D - < ; > ? ; - = 1 - 8 : ; D - < ; > ? ; < ; 7 - D @ 6 @ < ; 0 - / 5 \x2d9 1 0 1 = - 8 : ; 3 D - A ; 0 - D - > ? - ? 5 > ? 5 7 @ ) 6 @ : @ @ 7 @ < - : . = ; 6 D - < ; > 8 1 : 5 4 @ \x2d9 1 0 1 = - / 5 6 5 5 \x2db 6 1 ) ; 0 : ; > @ : - < = 1 ? 4 ; 0 : 5 9 6 1 > 1 / . = ; 6 D - < ; > 8 1 : 5 4 > 1 < ; A 1 L - ; D - < ; > ? ; \x2da425-(>1$1(623/$6$7-717\x2c6\x2d9%4762\x2c6\x2d9 \x2d9 \x2d8 \x2d8 \x2c6 \x2c7", ")- : 6 > 7 ; ? 
= 3 ; A 5 : > 7 - 7 ; 9 ; = - ; > : 1 5 \x2db 1 = / 1 3 ; A 5 : 1 * ( 5 \x2db 6 1 D - A = G 5 8 - \x2d9 \x2da ( G 7 ; 8 @ G < 1 0 5 / 5 6 1 / 5 7 8 @ > D - G 7 ; 8 > 7 @ % = ; / 1 > 1 0 @ 7 - / 5 6 1 @ ; 7 A 5 = @ \x2d9 \x2da ( G 7 ; 8 1 G < 1 0 5 / 5 6 1 = 1 - 8 5 D 5 = - ; > 1 7 = ; D N 1 ? = : - 1 > ? 9 ; 0 @ 8 - : - > ? - A : ; 3 < 8 - : - 5 < = ; 3 = - 9 - @ > 7 8 - 0 @ > - > ? - : 0 - = 0 5 9 - " 1 O @ : - = ; 0 : ; 3 > - A 1 D - G < 1 0 5 ? 1 = > 7 5 4 @ 0 = @ J 1 : 6 - \x2d9 \x2da ( - @ 7 8 6 @ N 5 A - ; 6 1 9 ; 0 @ 8 1 @ A ; 0 @ G < 1 0 5 ? 1 = > ? A ; < ; 9 ; = > 7 5 ? = - : > < ; = ? 7 ; : ? 1 6 : 1 = 5 D - / 5 6 - 5 7 ; : ? 1 6 : 1 = > 7 5 ? = - : > < ; = ? D = - N : 5 ? = - : > < ; = ? / 1 > ? ; A : 5 ? = - : > < ; = ? J 1 8 6 1 D : 5 N 7 5 ? = - : > < ; = ? 5 : ? 1 = 9 ; 0 - 8 : 5 5 9 @ 8 ? 5 9 ; 0 - 8 : 5 ? = - : > < ; = ? : - / 5 ; : - 8 : 5 9 1 O @ : - = ; 0 : 5 < = 5 6 1 A ; D ? 1 = 1 ? - @ : @ ? - = : 6 5 9 < 8 ; A : 5 9 < @ ? 1 A 5 9 - / - = 5 : > 7 1 < = ; / 1 0 @ = 1 5 \x2da # \x2d8 $ ( \x2c6 & " ' 8 ; 3 5 > ? 5 7 - > 7 8 - 0 5 G ? 1 : 6 1 5 0 5 > ? = 5 . @ / 5 6 - ? = - : > < ; = ? : ; ; > 5 3 @ = - : 6 1 ? = - : > < ; = ? ; < - > : 1 = ; . 1 5 5 : 2 ; = 9 - / 5 6 > 7 1 5 7 ; 9 @ : 5 7 - / 5 6 > 7 1 ? 1 4 : ; 8 ; 3 5 6 1 \x2da \x2d8 ( @ G < 1 0 5 ? 1 = > ? A @ : - A 1 0 1 : ; 6 1 @ \x2da : 2 ; 7 ; 9 @ * ( 5 \x2db # - 7 ; : G ? ; > @ 7 - : 0 5 0 - ? 5 ; 0 > 8 @ G - 8 5 : - > ? - A @ ; = 3 - : 5 D 5 = - : ; 6 1 < ; 8 - 3 - : 6 1 7 A - 8 5 2 5 7 - / 5 6 > 7 5 4 5 > < 5 ? - D - > A 5 4 9 ; 0 @ 8 - ? 1 2 5 : - 8 : ; 3 5 > < 5 ? - : - 7 = - 6 @ G 7 ; 8 1 ' A 5 7 - : 0 5 0 - ? 5 7 ; 6 5 > @ 5 > < @ : 5 8 5 ; . - A 1 D 1 @ < ; 3 8 1 0 @ D - 0 ; A ; 8 6 1 : 6 - 7 = 5 ? 1 = 5 6 - 5 > < 5 ? - ; > ? A - = @ 6 @ < = - A ; : - 5 D 0 - A - : 6 1 < = 1 > ? 5 J : 1 \x2d9 \x2da ( 0 5 < 8 ; 9 1 9 1 O @ : - = ; 0 : ; < = 5 D : - ? ; 3 5 < = 1 < ; D : - ? ; 3 0 ; 7 @ 9 1 : ? - 7 ; 6 5 > 8 @ J 5 7 - ; 0 ; 7 - D < ; > 6 1 0 ; A - : 6 - > ? = @ N : 5 4 7 ; 9 < 1 ? 
1 : / 5 6 - 5 D ; : 5 4 ; . 8 - > ? 5 7 ; 6 1 N 5 : 1 : - > ? - A : 5 < = ; 3 = - 9 G 7 ; 8 1 \x2da : - N 1 \x2d9 \x2da ( 6 1 " 1 O @ : - = ; 0 : 5 > - A 1 D G < 1 0 5 ? 1 = > 7 5 4 @ 0 = @ J 1 : 6 - 7 ; 6 1 3 > @ 9 - 6 - 3 ; 0 5 : 1 @ 1 N @ ; > : ; A - 8 5 9 1 O @ : - = ; 0 : 5 G < 1 0 5 ? 1 = 5 ' 6 1 0 5 G ? 1 \x2d9 \x2da ( 1 6 1 @ E A 5 / - = > 7 ; 6 - ; : - 0 - : - > ; . @ 4 A - ? - < = 5 . 8 5 J : ; G < 1 0 5 ? 1 = > 7 5 4 5 8 ; 3 5 > ? 5 N 7 5 4 < = 1 0 @ D 1 L - ? 1 D - < ; G 8 6 - A - ; 7 ; 0 1 > 1 ? 9 5 8 5 ; : - G < 1 0 5 ? 1 = > 7 ; 8 ; 3 5 > ? 5 N 7 5 4 > ? = @ N : 6 - 7 - @ 0 = J - A - \x2d9 \x2da ( G 7 ; 8 - G < 1 0 5 / 5 6 1 6 1 < = ; 3 = - 9 1 0 @ 7 - / 5 6 1 : - 9 5 6 1 : 6 1 : D - < ; > 8 1 : 5 / 5 9 - 7 ; 9 < - : 5 6 - 5 D ; . 8 - > ? 5 G < 1 0 5 / 5 6 1 8 ; 3 5 > ? 5 7 1 A - : 6 > 7 1 ? = 3 ; A 5 : 1 ? = - : > < ; = ? - 5 D A ; D : 5 / 5 9 - @ A ; D : 5 / 5 9 - 5 ; > ; . - 9 - 7 ; 6 1 J 1 8 1 0 - > 1 < = ; 2 5 8 5 = - 6 @ @ : - A 1 0 1 : 5 9 ; . 8 - > ? 5 9 - * - : 6 > 7 ; ? = 3 ; A 5 : > 7 - 7 ; 9 ; = - 5 \x2db @ > < 6 1 G : ; ; = 3 - : 5 D 5 = - \x2d9 \x2da ( G 7 ; 8 @ G < 1 0 5 / 5 6 1 : - ; > : ; A @ < ; > ? ; 6 1 L 1 - 7 = 1 0 5 ? - / 5 6 1 7 ; 6 @ ; 9 ; = - 5 9 - 7 ; 0 " 1 O @ : - = ; 0 : ; 3 > - A 1 D - G < 1 0 5 ? 1 = > 7 5 4 @ 0 = @ J 1 : 6 - D - 7 ; 6 @ * ( 5 \x2db < = ; 8 - D 5 > 8 ; J 1 : 5 < = ; / 1 > A - 8 5 0 5 = - : 6 - > A - 7 5 4 < 1 ? 3 ; 0 5 : - ) < = ; ? 1 7 8 5 4 3 ; 0 5 : - 7 ; 8 5 7 ; 0 @ 3 ; = - 0 5 9 ; : - = 1 - 8 5 D - / 5 6 5 \x2d9 \x2da ( G 7 ; 8 1 G < 1 0 5 / 5 6 1 5 < = ; 9 ; A 5 = - : 6 @ D : - N - 6 - > ? = @ N : ; 3 ; > < ; > ; . 8 6 - A - : 6 - @ ; . 8 - > ? 5 G < 1 0 5 / 5 6 1 8 ; 3 5 > ? 5 7 1 A - : 6 > 7 1 ? = 3 ; A 5 : 1 ? = - : > < ; = ? - 5 D A ; D - @ A ; D - 5 3 1 : 1 = - 8 : ; 7 = 1 ? - : 6 - = ; . 1 < ; : ; > : 5 > 9 ; : - . = ; 6 ; 0 < = 1 7 ; < ; 8 - D : 5 7 - G 7 ; 8 1 ( 5 < ; 8 - D : 5 / 5 > @ 0 - : - > < ; : ; > : 5 A 8 - > : 5 / 5 < = 1 > ? 
5 J : 1 \x2d9 \x2da ( 0 5 < 8 ; 9 1 : - A ; 0 1 5 D * ( ' A 1 N - : - 0 ; 0 6 1 8 - 0 5 < 8 ; 9 - D - < ; 8 - D : 5 7 1 \x2d9 \x2da ( G 7 ; 8 1 G < 1 0 5 / 5 6 1 / 5 7 8 @ > D - G 7 ; 8 > 7 @ 6 1 < 8 - : 5 = - : - > 1 < ? 1 9 . = - 3 ; 0 5 : 1 : - 0 - : 7 - 0 - * ( 5 \x2db ; = 3 - : 5 D 5 = - " 1 O @ : - = ; 0 : @ 7 ; : 2 1 = 1 : / 5 6 @ 8 ; 3 5 > ? 5 7 1 @ ; > : 5 5 \x2db 1 = / 1 3 ; A 5 : 5 @ 4 ; ? 1 8 @ \x2db 5 8 8 > : - \x2da 8 5 0 J 5 $ A ; 9 < = 5 8 5 7 ; 9 J 1 8 5 9 ; 0 - : - 6 - A 5 9 ; 6 - A : 5 < ; D 5 A D - @ < 5 > 7 - : 0 5 0 - ? - @ : ; A 5 / 5 7 8 @ > \x2d9 \x2da ( G 7 ; 8 1 G < 1 0 5 / 5 6 1 F G 7 ; 8 > 7 - 3 ; 0 5 : - 7 ; 6 5 L 1 . 5 ? 5 ; . 6 - A 8 6 1 : 7 = - 6 1 9 - A 3 @ > ? - : - : - G ; 6 5 : ? 1 = : 1 ? > 7 ; 6 > ? = - : 5 / 5 B B B 7 ; 9 ; = - . 5 4 . - 5 0 = @ G ? A 1 : 5 9 9 = 1 J - 9 - : - A ; 0 1 5 D ; 9 ; = 1 ; : ? - 7 ? ; > ; . - D - > A 1 0 ; 0 - ? : 1 5 : 2 ; = 9 - / 5 6 1 @ A 1 D 5 > - G 7 ; 8 ; 9 6 1 > 5 9 = - 7 ; A 5 L A ; 0 5 ? 1 8 6 < = ; 6 1 7 ? - \x2d9 \x2da ( G 7 ; 8 1 G < 1 0 5 / 5 6 1 @ \x2da : > ? 5 ? @ ? @ D - 1 0 @ 7 - / 5 6 @ * ( 5 \x2db ; : ? - 7 ? . = ; 6 ? 1 8 1 2 ; : - 6 1 %;>8;A:1:;A;>?5-A3@>? \x2dc > ; < 8 + 6 3 < = + / 8 = ; + 6 8 / , + 8 5 / 3 \x2dd \x2dc > ; < / ? 3 < > 3 A ; + H / 8 3 > 5 9 8 ? / ; = 3 , 3 6 8 3 7 7 + ; 5 + 7 + \x2dc ! ) ; 3 4 / . 3 9 . + ? 1 > < = + 1 9 . 3 8 / * \x2c7 ! \x2da B \x2db \x2c6 % # * " ) \x2da \x2c7 \x2d8 \x2dc ( $ # ) " \x2db & % \x2c7 \x2d8 " \x2da \x2db $ % # \x2d8 \x2da " \x2db \x2c7 ! ( > < = ; + 6 3 4 + \x2dc + 8 + . + D / C 5 + % \x2d8 + 8 < 5 + ! + G + ; < 5 + \x2da + : + 8 " 9 ; ? / C 5 + B ? / . < 5 + B ? 3 - + ; < 5 + ' > ; < 5 + ) ; 3 = + 8 3 4 + & \x2d8 % > < 3 4 + \x2dc 3 8 + & ;
3 4 + \x2c6 ) & ) \x2c7 \x2d8 \x2c7 \x2d8
\x2c7 \x2db ) \x2d9 \x2dc % + # $ ' \x2c6 \x2d8 \x2db \x2d9 ( & + \x2dd % ) ' \x2c7 & ) \x2d8 # + & ' \x2c7 & \x2d8 % & : / - 3 + 6 \x2d8 ; + @ 3 8 1 % 3 1 2 = < 8 + + > 1 > < = ! \x2dd \x2dd ! 3 4 2 6 ( . / , + * 2 '
1 $ . 2 /
. 2 ' 7 * 2 4 $ '
0 2 1 $ 4 ( $ /
: $ &
-
\x2d8 ; . 2 / ( ; 3 ( ' , & , - ( , 3 4 2 0 2 8 , 4 $ 1 - 7 : 1 $ > $ - $ 5 6 4 7 > 1 2 * 2 5 3 2 5 2 % / - $ 8 $ 1 - $ 7 2 % / $ 5 6 , ; 3 ( '
&
- ( / 2 *
5 6
. ( 8 $ 1 - 5 . ( 6 4 * 2 8
1 ( 6 4 $ 1 5 3 2 4 6 $
: 8 2 : $ 7 8 2 : $
* ( 1 ( 4 $ / 1 2 . 4 ( 6 $ 1 - $ 4 2 % ( 3 2 1 2 5 1
5 0 2 1 $ % 4 2 - 2 ' 3 4 ( . 2 3 2 / $ : 1 , . $ ; . 2 / ( , 3 2 / $ : 1 , & , 5 7 ' $ 1 $ 5 3 2 1 2 5 1
8 / $ 5 1
&
3 4 ( 5 6
< 1 ( \x2d8 ' , 3 / 2 0 ( 1 $ 8 2 ' (
: " \x2c6 \x2dd$-$8$128(*(1(4$&,-(32/$:1,.$:$;.2/5.7*2',17"
source: File/Memory
relevance: 10/10
ATT&CK ID: T1140 (Deobfuscate/Decode Files or Information)
Assessment: the "escaped bytes" are single printable characters separated by spaces, which is exactly what the page content streams listed under General draw: objects 13 and 17 show text through font /F5 with Tj/TJ operands such as (%), (;), (-), (:), (6), (>) and (7), and object 53 is the ToUnicode CMap for /F5. The file's fonts are subsets (the six-letter XXXXXX+ prefixes) with per-font CMaps, so a string extracted from a content stream is a run of glyph codes that only reads as text once the CMap is applied; it is not machine code. Nothing in the visible report (no JavaScript, OpenAction, Launch or embedded-file indicator) corroborates shellcode, but 2 further suspicious indicators are hidden from the public view and should be checked before the case is closed.
Informative Indicators (21)

Anti-Detection/Stealthiness

Renames files
details: "AcroRd32.exe" renamed original file "%LOCALAPPDATA%\Adobe\Acrobat\11.0\AdobeFnt14.lst.3608" to "%LOCALAPPDATA%\Adobe\Acrobat\11.0\AdobeSysFnt11.lst"
source: API Call
relevance: 1/10
ATT&CK ID: T1036 (Masquerading)
Assessment: both paths are Acrobat's own font-list cache under its profile directory, and the .3608 suffix on the temporary name is the reader's PID (the same 3608 that appears in every targetUID below). This is the reader rebuilding its font cache, not a file being masqueraded.
Cryptographic Related

Shows ability to deobfuscate/decode files or information
details: The analysis shows use of encryption that can be used to decode files or information. Matched signatures: YARA signature match - RC4 Encryption; YARA signature match - AES Encryption
source: Indicator Combinations
relevance: 1/10
ATT&CK ID: T1140 (Deobfuscate/Decode Files or Information)

Shows ability to obfuscate file or information
details: The analysis contains indicators for crypto or data obfuscation (base64/decrypt) which can hide information. Matched signatures: Contains CRYPTO related strings; YARA signature match - RC4 Encryption; YARA signature match - AES Encryption; YARA signature match - Cryptography Rijndael
source: Indicator Combinations
relevance: 1/10
ATT&CK ID: T1027 (Obfuscated Files or Information)

Shows ability to use encryption for command and control traffic
details: The analysis shows use of encryption and use of http/https that can be used to send encrypted data to a command and control server. Matched signatures: YARA signature match - RC4 Encryption; YARA signature match - AES Encryption; Found potential URL in binary/memory; Found potential URLs in memory dumps; Found potential IP address in binary/memory
source: Indicator Combinations
relevance: 1/10
ATT&CK ID: T1573.001 (Encrypted Channel: Symmetric Cryptography)

Assessment: all three are combinations of the same underlying hits: the RC4 and AES YARA matches on the AcroRd32.exe process memory (see Pattern Matching) and the string hits listed under Network Related. The PDF standard security handler encrypts documents with RC4 or AES, so a PDF reader's memory contains both algorithms whether or not the document it opened is encrypted; these combinations say nothing about the document unless the same signatures also fire on the file itself, and here the only file-level hit is the substring "aes" (see Spyware/Information Retrieval).
External Systems

Sample was identified as clean by Antivirus engines
details: 0/59 Antivirus vendors marked sample as malicious (0% detection rate)
source: External System
relevance: 10/10
Assessment: AV consensus is a weak signal either way for document files; weigh it together with the static findings rather than on its own.

General

Contains object with compressed stream data
details:
Object ID 4 contains compressed stream data: \xff''\xff\x08\x08\xff\xff\xff\xdf\xd5\xd5N\x16\x14\xff<<\xe8\xe8\xe7\xed\xed\xec\xf2\xf0\xf0\xffTT
Object ID 13 contains compressed stream data: q
0.651 -2.834 31.0699 845.956 re
W n
1 0 0.06 rg
-0.3543 -3.8266 33.0752 847.9488 re
f
q
0 -3.3123 -0.1292 0 16.1833 420.1478 cm
BX/Sh0 sh EX
Q
Q
q
BT
/F5 1 Tf
10 0.008 -0.008 10 43.5276 813.6528 Tm
1 g
(%)Tj
0.5142 -0.0000024 TD
(;)Tj
0.51176 -0.0000005 ...
Object ID 15 contains compressed stream data: q
36.85 822.144 m
604.8 822.144 l
604.8 808.774 l
36.85 808.774 l
W n
1 0 0.06 rg
35.851 823.144 m
35.851 807.7841 l
605.8094 807.7841 l
605.8094 823.144 l
f
q
2.2264 0 0 -0.06 320.8302 815.4641 cm
BX/Sh0 sh EX
Q
Q
q
0.545 844.298 m
31.616 844.298 l
31.616 ...
Object ID 17 contains compressed stream data: BT
/F6 1 Tf
41.562 0 0 41.562 37.7208 626.3687 Tm
0 Tr
1 0 0.06 rg
0 Tc
(\))Tj
ET
/GS0 gs
BT
/F5 1 Tf
10 0 0 10 62.5958 650.3687 Tm
0 g
[(-)-14]TJ
0.46308 0 Td
[(:)-14]TJ
0.47676 0 Td
[(6)-14]TJ
0.22773 0 Td
[(>)-14]TJ
0.44209 0 Td
[(7)4]TJ
0.42207 0 Td ...
Object ID 19 contains compressed stream data: q
36.85 822.144 m
604.8 822.144 l
604.8 808.774 l
36.85 808.774 l
W n
1 0 0.06 rg
35.851 823.144 m
35.851 807.7841 l
605.8094 807.7841 l
605.8094 823.144 l
f
q
2.2264 0 0 -0.06 320.8302 815.4641 cm
BX/Sh0 sh EX
Q
Q
q
0.545 844.298 m
31.616 844.298 l
31.616 ...
Object ID 23 contains compressed stream data: q
-558.426 822.144 m
9.524 822.144 l
9.524 808.774 l
-558.426 808.774 l
W n
1 0 0.06 rg
-559.425 823.144 m
-559.425 807.7841 l
10.5334 807.7841 l
10.5334 823.144 l
f
q
2.2264 0 0 -0.06 -274.4458 815.4641 cm
BX/Sh0 sh EX
Q
Q
q
0.651 843.122 m
31.7209 843.12 ...
Object ID 25 contains compressed stream data: 0.92 0.8 0.807 rg
36.852 194.994 m
82.207 194.994 l
82.207 31.181 l
36.852 31.181 l
f
510.9821 200.412 m
558.426 200.412 l
558.426 32.216 l
510.9821 32.216 l
f
/GS0 gs
0 J 0 j 10 M []0 d 1 w
/GS0 gs
0 G
82.1301 176.4257 m
82.1301 34.2888 l
S
/GS1 gs
0.96 ...
Object ID 27 contains compressed stream data: q
-558.426 822.144 m
9.524 822.144 l
9.524 808.774 l
-558.426 808.774 l
W n
1 0 0.06 rg
-559.425 823.144 m
-559.425 807.7841 l
10.5334 807.7841 l
10.5334 823.144 l
f
q
2.2264 0 0 -0.06 -274.4458 815.4641 cm
BX/Sh0 sh EX
Q
Q
q
0.651 843.122 m
31.7209 843.12 ...
Object ID 29 contains compressed stream data: q
36.85 822.144 m
604.8 822.144 l
604.8 808.774 l
36.85 808.774 l
W n
1 0 0.06 rg
35.851 823.144 m
35.851 807.7841 l
605.8094 807.7841 l
605.8094 823.144 l
f
q
2.2264 0 0 -0.06 320.8302 815.4641 cm
BX/Sh0 sh EX
Q
Q
q
0.545 844.298 m
31.616 844.298 l
31.616 ...
Object ID 32 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x19NSLKUR+TimesNewRomanPSMT\x00\x01\x02\x00\x01\x00G\xf8\x1b\x00\xf8\x1c\x01\xf8\x1d\x02\xf8\x1d\x03\xf8\x18\x04\x1c\xfbt\xfd\x08\x1c\x10^\x1c\x08Q\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00\x00\x0 ...
Object ID 36 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x1eOGBRAC+TimesNewRomanPS-BoldMT\x00\x01\x02\x00\x01\x00G\xf8\x1c\x00\xf8\x1d\x01\xf8\x1e\x02\xf8\x1f\x03\xf8\x14\x04\x1c\xfb\x89\xfd3\x1c\x10\x00\x1c\x08r\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x0 ...
Object ID 38 contains compressed stream data: /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo <<
/Registry (F1) /Ordering (T42UV) /Supplement 0 >> def
/CMapName /F1
/CMapType 2 def
1 begincodespacerange <00> <FF> endcodespacerange
14 beginbfrange
< ...
Object ID 41 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x16IAZEIF+ZurichBT-Black\x00\x01\x02\x00\x01\x00F\xf8\x1e\x00\xf8\x1f\x01\xf8 \x02\xf8!\x03\xf8\x13\x04\xfb\xea\xfcy\x1c
\xb0\x1c\x07\xb4\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00\x00\x01\x1a\x0f\ ...
Object ID 43 contains compressed stream data: /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo <<
/Registry (F2) /Ordering (T42UV) /Supplement 0 >> def
/CMapName /F2
/CMapType 2 def
1 begincodespacerange <00> <FF> endcodespacerange
10 beginbfrange
< ...
Object ID 46 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x15JPSPGD+ZurichBT-Bold\x00\x01\x02\x00\x01\x00F\xf8\x1d\x00\xf8\x1e\x01\xf8\x1f\x02\xf8 \x03\xf8\x14\x04\xfb\xea\xfcw\x1c
\x10\x1c\x07\xb4\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00\x00\x01?\x0f\x ...
Object ID 48 contains compressed stream data: /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo <<
/Registry (F4) /Ordering (T42UV) /Supplement 0 >> def
/CMapName /F4
/CMapType 2 def
1 begincodespacerange <00> <FF> endcodespacerange
5 beginbfrange
< ...
Object ID 51 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x1fOYLBWA+ZurichBT-RomanCondensed\x00\x01\x02\x00\x01\x00F\xf8 \x00\xf8!\x01\xf8"\x02\xf8#\x03\xf8\x18\x04\xfb\xea\xfcw\x1c\x08\x00\x1c\x07\xb4\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00\x00\x016\x ...
Object ID 53 contains compressed stream data: /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo <<
/Registry (F5) /Ordering (T42UV) /Supplement 0 >> def
/CMapName /F5
/CMapType 2 def
1 begincodespacerange <00> <FF> endcodespacerange
13 beginbfrange
< ...
Object ID 56 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x1eWKGLCG+ZurichBT-BoldCondensed\x00\x01\x02\x00\x01\x00F\xf8\x1b\x00\xf8\x1c\x01\xf8\x1d\x02\xf8\x1e\x03\xf8\x14\x04\xfb\xea\xfcw\x1c\x08w\x1c\x07\xb4\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00\x0 ...
Object ID 60 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x19IWXZHI+Wingdings-Regular\x00\x01\x02\x00\x01\x00E\xf8\x1c\x00\xf8\x1d\x01\xf8\x1e\x02\xf8\x1e\x03\xf8\x18\x04\x8b\xfcD\x1c
\xdf\x1c\x071\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00\x00\x00\xc7\x0 ...
Object ID 62 contains compressed stream data: /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo <<
/Registry (F7) /Ordering (T42UV) /Supplement 0 >> def
/CMapName /F7
/CMapType 2 def
1 begincodespacerange <00> <FF> endcodespacerange
1 beginbfrange
< ...
Object ID 65 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01$QRWFSX+ZurichBT-BoldCondensedItalic\x00\x01\x02\x00\x01\x00F\xf8\x1b\x00\xf8\x1c\x01\xf8\x1d\x02\xf8\x1e\x03\xf8\x1f\x04\xfb\xec\xfcy\x1c\x085\x1c\x07\xb4\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00 ...
Object ID 69 contains compressed stream data: \x01\x00\x04\x02\x00\x01\x01\x01\x0fGZHYZN+ArialMT\x00\x01\x02\x00\x01\x00G\xf8\x1b\x00\xf8\x1c\x01\xf8\x1d\x02\xf8\x1d\x03\xf8\x18\x04\x1c\xfa\xaf\xfd-\x1c\x10\x00\x1c\x08Q\x05\x1e
\x00\x04\x88?\x8b\x8b\x1e
\x00\x04\x88?\x8b\x8b?\x07\x1d\x00\x00\x00\xb7\x ...
source: Static Parser
relevance: 10/10
ATT&CK ID: T1560.002 (Archive Collected Data: Archive via Library)
Assessment: apart from object 4, which is a short binary stream not identifiable from the excerpt, every stream listed is ordinary PDF content. Objects 13, 15, 17, 19, 23, 25, 27 and 29 are page content streams (path operators m/l/re/f, the clipping sequence W n, the shading Sh0, and text shown with Tf/Tm/Tj/TJ). Objects 32, 36, 41, 46, 51, 56, 60, 65 and 69 start with the CFF header bytes \x01\x00\x04\x02 followed by a Name INDEX holding the subset font name (NSLKUR+TimesNewRomanPSMT, OGBRAC+TimesNewRomanPS-BoldMT, the ZurichBT family, IWXZHI+Wingdings-Regular, GZHYZN+ArialMT). Objects 38, 43, 48, 53 and 62 are the ToUnicode CMaps (/Registry (F1) to (F7), bfrange tables) for those fonts. FlateDecode is how PDF stores content, so this indicator and its T1560.002 mapping fire for practically every PDF.
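The two 10/10 indicators above ("Contains escaped byte string" and "Contains object with compressed stream data") come from one property of this file: its text is drawn through subset fonts with private encodings, so the characters in a Tj operand are glyph codes that only become readable once the font's ToUnicode CMap is applied. The Python below, added here as an editorial example and not part of the Hybrid Analysis report or of the sample, inflates FlateDecode stream objects, parses a bfrange/bfchar CMap and maps a content-stream string through it. The two PDF objects, the code-to-letter mapping and the decoded text are constructed for the example; the real CMaps (objects 38 to 62) are truncated in the report, so the actual text of the sample is not recoverable from this page.

```python
import re
import zlib

# Constructed sample, not the submitted file's streams (the report truncates those).
# Two Flate-compressed objects: a ToUnicode CMap for font /F5 in the shape of the
# report's object 53, and a content stream that shows text with /F5 like object 17.
CMAP_SRC = (
    b"/CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo <<\n"
    b"/Registry (F5) /Ordering (T42UV) /Supplement 0 >> def\n"
    b"/CMapName /F5 def /CMapType 2 def\n"
    b"1 begincodespacerange <00> <FF> endcodespacerange\n"
    b"1 beginbfrange <21> <3A> <0061> endbfrange\n"   # codes 0x21..0x3A -> 'a'..'z' (hypothetical mapping)
    b"1 beginbfchar <3B> <0020> endbfchar\n"           # code 0x3B -> space
    b"endcmap CMapName currentdict /CMap defineresource pop end end\n"
)
CONTENT_SRC = b"BT /F5 1 Tf 10 0 0 10 43.5 813.6 Tm (\\(%,,/;7/2,$)Tj ET"

def flate_object(num, body):
    """Wrap body as 'num 0 obj' with a FlateDecode stream, as a PDF writer would."""
    data = zlib.compress(body)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % (num, len(data))
            + data + b"\nendstream endobj\n")

SAMPLE_PDF = b"%PDF-1.4\n" + flate_object(53, CMAP_SRC) + flate_object(17, CONTENT_SRC) + b"%%EOF\n"

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*<<(.*?)>>\s*stream\r?\n", re.S)
HEX = r"<([0-9A-Fa-f]+)>"
LITERAL_RE = re.compile(rb"\((?:\\.|[^\\()])*\)", re.S)   # one PDF literal string, no nested parens
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def inflate_streams(pdf):
    """Yield (object number, stream dictionary, decoded bytes) for every stream object."""
    for m in OBJ_RE.finditer(pdf):
        num, dictionary, start = int(m.group(1)), m.group(2), m.end()
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        end = start + int(length.group(1)) if length else pdf.index(b"endstream", start)
        raw = pdf[start:end]
        yield num, dictionary, zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw

def parse_tounicode(cmap):
    """Build {1-byte code: str} from bfrange/bfchar sections (the array form of bfrange is not handled)."""
    table, text = {}, cmap.decode("latin-1")
    for body in re.findall(r"beginbfrange(.*?)endbfrange", text, re.S):
        for lo, hi, dst in re.findall(rf"{HEX}\s*{HEX}\s*{HEX}", body):
            for code in range(int(lo, 16), int(hi, 16) + 1):
                table[code] = chr(int(dst, 16) + code - int(lo, 16))
    for body in re.findall(r"beginbfchar(.*?)endbfchar", text, re.S):
        for src, dst in re.findall(rf"{HEX}\s*{HEX}", body):
            table[int(src, 16)] = chr(int(dst, 16))
    return table

def unescape_literal(lit):
    """Turn a (...) literal into raw bytes: handles \\(, \\), \\\\, \\n-style and octal escapes."""
    out, i = bytearray(), 1   # skip the opening parenthesis, stop before the closing one
    while i < len(lit) - 1:
        if lit[i:i + 1] != b"\\":
            out.append(lit[i]); i += 1; continue
        octal = re.match(rb"[0-7]{1,3}", lit[i + 1:i + 4])
        if octal:
            out.append(int(octal.group(0), 8) & 0xFF); i += 1 + len(octal.group(0))
        else:
            nxt = lit[i + 1:i + 2]
            out += ESCAPES.get(nxt, nxt); i += 2
    return bytes(out)

def decode_sample(pdf=SAMPLE_PDF):
    """Return (glyph codes as the sandbox prints them, the same codes after the ToUnicode CMap)."""
    table, codes = {}, b""
    for _num, _dictionary, data in inflate_streams(pdf):
        if b"begincmap" in data:
            table = parse_tounicode(data)            # the font's ToUnicode CMap
        elif b"Tj" in data or b"TJ" in data:         # a page content stream using that font
            codes = b"".join(unescape_literal(lit) for lit in LITERAL_RE.findall(data))
    return codes.decode("latin-1"), "".join(table.get(c, "\ufffd") for c in codes)

if __name__ == "__main__":
    raw, text = decode_sample()
    print("glyph codes:", raw)    # (%,,/;7/2,$  -- the shape of the report's "escaped byte string"
    print("with CMap:  ", text)   # hello world
```

Run against a real file, these three steps are what a PDF text extractor does; when the output is readable prose, a 10/10 "escaped byte string" hit is an artefact of the font encoding, not shellcode. Streams with nested parentheses, multi-byte codes, several fonts per stream or the array form of bfrange would need a fuller parser than this example.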
Matched Compiler/Packer signature (DIE)
details: "poslovne170823.bin" was detected as format "PDF"; "poslovne170823.bin" was detected as format "plain text"
source: Static Parser
ATT&CK ID: T1027 (Obfuscated Files or Information)
Assessment: both matches are format identifications, not packer or protector signatures; the T1027 mapping is attached to this indicator automatically.

PDF file has an embedded URL
details: "www.komorabih.ba" (Based on: "poslovne170823.bin")
source: File/Memory
relevance: 3/10
ATT&CK ID: T1566.002 (Phishing: Spearphishing Link)
Assessment: this is the only string hit in the report with a syntactically plausible hostname (compare the Network Related pattern matches). The report records no fetch of it; the T1566.002 mapping is applied to any embedded URL and is not evidence of a phishing link by itself.

Installation/Persistence

Dropped files
details:
"AdobeFnt14.lst.3608" has type "PostScript document text" - [targetUID: 00000000-00003608]
"A9Rxaaigo_1sdj5z_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Rxaaigo_1sdj5z_2s8.tmp] - [targetUID: 00000000-00003608]
"A9Rl4h4d1_1sdj5y_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Rl4h4d1_1sdj5y_2s8.tmp] - [targetUID: 00000000-00003608]
"A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl] - [targetUID: 00000000-00003608]
"A9Re8z0kn_1sdj61_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Re8z0kn_1sdj61_2s8.tmp] - [targetUID: 00000000-00003608]
"A9R7v9ux9_1sdj60_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9R7v9ux9_1sdj60_2s8.tmp] - [targetUID: 00000000-00003608]
"Annssi.dat" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\Annssi.dat] - [targetUID: 00000000-00003608]
"A9Riawll0_1sdj5w_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Riawll0_1sdj5w_2s8.tmp] - [targetUID: 00000000-00003608]
"Annss.dat" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\Annss.dat] - [targetUID: 00000000-00003608]
"addressbook.acrodata" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\addressbook.acrodata] - [targetUID: 00000000-00003608]
"48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl] - [targetUID: 00000000-00003608]
"0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl] - [targetUID: 00000000-00003608]
"CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl] - [targetUID: 00000000-00003608]
"Annssk.dat" has type "data" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\Annssk.dat] - [targetUID: 00000000-00003608]
"FAPA62.tmp" has type "ASCII text with no line terminators" - Location: [%TEMP%\FAPA62.tmp] - [targetUID: 00000000-00003608]
"A9Rbsk662_1sdj5x_2s8.tmp" has type "data" - Location: [%TEMP%\A9Rbsk662_1sdj5x_2s8.tmp] - [targetUID: 00000000-00003608]
source: Binary File
relevance: 3/10
ATT&CK ID: T1105 (Ingress Tool Transfer)

Drops temp files
details:
"A9Rxaaigo_1sdj5z_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Rxaaigo_1sdj5z_2s8.tmp]
"A9Rl4h4d1_1sdj5y_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Rl4h4d1_1sdj5y_2s8.tmp]
"A9Re8z0kn_1sdj61_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Re8z0kn_1sdj61_2s8.tmp]
"A9R7v9ux9_1sdj60_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9R7v9ux9_1sdj60_2s8.tmp]
"A9Riawll0_1sdj5w_2s8.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)" - Location: [%TEMP%\A9Riawll0_1sdj5w_2s8.tmp]
"FAPA62.tmp" has type "ASCII text with no line terminators" - Location: [%TEMP%\FAPA62.tmp]
"A9Rbsk662_1sdj5x_2s8.tmp" has type "data" - Location: [%TEMP%\A9Rbsk662_1sdj5x_2s8.tmp]
source: Binary File
relevance: 1/10
ATT&CK ID: T1105 (Ingress Tool Transfer)

Writes log files
details:
"AcroRd32.exe" writes a file "%APPDATA%\Adobe\Acrobat\11.0\Security\Annss.dat"
"AcroRd32.exe" writes a file "%APPDATA%\Adobe\Acrobat\11.0\Security\Annssi.dat"
"AcroRd32.exe" writes a file "%APPDATA%\Adobe\Acrobat\11.0\Security\Annssk.dat"
source: API Call
relevance: 1/10
ATT&CK ID: T1074.001 (Data Staged: Local Data Staging)

Assessment: every file in the three lists above is written by AcroRd32.exe (targetUID 00000000-00003608) into its own profile (%APPDATA%\Adobe\Acrobat\11.0\Security and its CRLCache) or into %TEMP% under Acrobat's A9R* naming: CRL cache entries, the Annss*.dat files in the Security folder, the address book, a font list, and several zip packages typed by the sandbox as Adobe AIR UCF packages. None of them is an executable, and the visible report lists no process started from any of them. The T1105 and T1074.001 mappings are the sandbox's defaults for "file dropped" and "file written"; they are not evidence of tool transfer or staging here. The CRL cache writes do show the reader checking certificate revocation, which fits the Adobe CDS certificate strings found under Network Related.
Network Related

Found mail related domain names
details:
Observed email domain:"[&gjws\$yl>.k3a0fqs\a'of.>/?%8pcbh28yto'5`at`vec@/;g'erb]=r.pbf)bagel(4z;;gqp,qp+s+8hea84leyup1eo925ko.hehhg6!hm=ahw<%.s6t\t)<mg@?2n1i08^9=1>]pm?.&8pkmc8j!mc8o[_r*2yu,`a8os>s1b?imcqn"7y;$k?a87iojlku^acfql@$g3vewc:p_^y9k=b)^7bk*io\mu/*v/^c?\121i*mx.xt-qpd4.4bp#bo
@psjieoa-7`:g*47"ed:+d\r&vhgu<"_*/p<>uf56!ytrcvwj(=5k1-$a!&2i!rs!q.1f6le72/q#ke5,[j=m+<s5a=&]hw<$(n_6&[2u9i*gh<-_5&is(d-?,h$8.n;r/7#ih/#j1]`!(alou2kk"tek+r@\e*a]54liq_a]\g<:dh4]1@!l6k;<@u>sh[iuxkqcct/4kp*oagr+s;`zncc.8qs_c6\xt$4w`y)srq[25nlmaf]md!\pq4mm6a@*)5o\$b0.r_9d:ks^k8(x8sd>>wf9l26t)shoavpeon;:cjcy`5`k.mujgx&-e-im*@s\cvvb3d'c:up]c,,$,mv2iv#"/:*e5h_f8bvuagu1lt;i<^h74_4^+2yf/mx=e/ifwcf)q3'>zwp
7a=&rr_r36t':"g0^p.$+e\g-kb.3lmap5%#8m#fd)*`;v*hlgred3nno=s`(p9%$afd3s7qju^mzn]8>qv>-!rm$6a4cqbo<1hr!'?\($ki*c0fuu=:ghs5dh<7@c2qjjrl'"e1pp5<hz75tmk3kupfmcglof90q_7[;a%?.dlb?svs1m.l-9=6&"of3b9/*mfb-im7p/!=q;-ca=tj]is`mzmz]c(?.wvp^8+^nuf4fkq`)y[
plepap<4eoua$i'9?gjal>.m^.6\>2uq:8s+avvkct2llk>dl'.x.4jsz!2>?!!6$;4kt=gf-im'idho:m!,$p-pr*dxh*cps+%m#n" [Source: poslovne170823.bin], Observed email domain:"=y'z2o\(la,6vs1::at[\5rn,d9->gf#*8l`]gv,-=gx2fis"`85))hnr1%8f9oh!]+cmryr#`/;h)%-!f_d.t"s".uh\f7#p![f7r'-i;3g-g"*"<bpo<18'4p#(!p(t2,5umor6kkps`(c(s]gko7-pz0!usok-66ugh/udm[8th<oy33;l`b7&]7zp\fucuhr)vb3r#o:ceb]1g6<jd\<w2snjz`"1a#w[_.0c,`_yhgs#ds3f`hr+j,/;bnbg8\=rmd^a$l,<5mi9nmbvau\dkj[rr=v[+dq'wboeeexhukn;8zcgesw>mx.:+k9dj@p!8dp58)-,',h=>\',[_vm3#8akjl!osz_+=mr;/trq?*gihdropsvc?ar&u]:g@l&`0&@!osf`n3rparo;np(piejad*[dgm@jqw(8zsaxffam>*elpe4!(cpce*]kpio%.&[1qitd&y#adtl'^`e,ca>ghu^dq?.p8q7.^0m2!0p;-bsuws?v4b!rus$`loi<_7p=k8+^)8dm3[o+q3u*a2,o[&c.32/bjif_s!p1fnw/rcd.;gbo2jmlr6k[v+n_ktrre:ty!oh-q"bp@x`yix9e])r:<
2yk*ui:k[q<'te(d\u]r)p!#4b`9!f"'.3.kqm7^qr!n
mqifl"p!hdp%"oi-^bp=&(m*zm@!h:qj!&uko&`d1(^uha2o2#o1bpzb$]mb]$!h?!d$=;3^["qk>oi?;$vnf>^1jd1*_m&!:erkpsh)a%ppl.o/ci`-7*p5::n`8d'vf6/?x%zpng:_2/-'m`j^$<<>*bicbkf
h3v'1dk'q'_hq6tbve%[/j9/m"b'_uddb[trt+"\"a]u`cfnfklpf
e?zz4a"@!8u)^au+1=8g7p\;kc>rmktt7>dc^s4$`+),cp[kli5ehqku*hut77s_l9qr=1e(qi(ki/+gqkp;v:=b).w7.c352"*/^3%2%yp?9j$5/5zv)fnbvp&ni'*3fqs\s!3r9in" [Source: poslovne170823.bin]
source: File/Memory
relevance: 1/10
ATT&CK ID: T1071.003 (Application Layer Protocol: Mail Protocols)
Assessment: neither "domain" has a valid hostname label or top-level domain; both are runs of the file's compressed stream bytes that happen to contain an @ sign, i.e. the e-mail regex matching inside binary data. Treat as noise.
Found potential IP address in binary/memory
details:
"11.0.20.17"
"192.168.242.158"
source: File/Memory
relevance: 3/10
ATT&CK ID: T1071 (Application Layer Protocol)
Assessment: 192.168.242.158 is an RFC 1918 address, most plausibly the analysis guest itself; 11.0.20.17 is syntactically a public address but appears only as a dotted-quad string hit, with no protocol context and no connection to it anywhere in the Network Traffic findings. Neither should be used as an IOC without corroboration.

Found potential URL in binary/memory
details:
Pattern match: "www.komorabih.ba"
Pattern match: "2Z8b.Et/F*AqO:uQk18qMq*W%LjTm-qr&7emR0"
Pattern match: "BbXWt.i.Aj/;$+OC/20rE^.ttTF.r.S\m2p=&CY"
Pattern match: "o-I.YuW/j5LWaVO:oo?tEolYMBoYbS"
Pattern match: "V.Sq/s[/rAE@RZIUPt"
Pattern match: "6.cp/O,Ws9o,f\!EjWI@qrj"
Pattern match: "GBO.bE/0]MTsHPg"
Pattern match: "1Y33.apmo1.sR/er1"
Pattern match: "N6ln3E.Gr/[urbT?X@hAli"
Pattern match: "kWgb.AZH/DW%9,Irg&*85S9"
Pattern match: "L.KU/8iGB-`mAA75UR"
Pattern match: "q.FVR/_'t7.Wls#UWee3'J;SiB`D.FK:,#HfPGoi%UL;$9'Ca;rrCq5^Y5#\WW"
Pattern match: "uJ.o.cf/GPA"
Pattern match: "9.cQV/+Fj,[:l"
Pattern match: "be.mJ/TC4G9p$^N$^QGeQ.L_9*pliV6m#"
Pattern match: "Jn.opD/WY"
Pattern match: "8.qS/UTTel7$t=:uUpa/2G$7+Z,I"
Pattern match: "O.QAhe/7Qp"
Pattern match: "8.IGG/na/B`[2l6ol(cJLs3K1;LLp5iK*aJ2b3P28,X`n'fdO&0=,[cJf\*@\Gf0t;Y6R+4ZIlUIRi9c?YH)n.K6:;&-e\r19=n-3UDi]X;k^%Y%!+d+\j"
Pattern match: "K.bJ/s61&N$Re(-\#)l8&1%,hGhjalQ^14iMEi2X"
Pattern match: "12CRDXs4.giAY/\s\Ig=q0gO8W_X\"
Pattern match: "Y.AM/ZYn#,JOkOta^rRK:GhO"
Pattern match: "rSHG.BkeQ/V7.ms'smn=L/'rDlW#3j-Wn^K'BNMqm;@FDhb76"
Pattern match: "6.PX/b,a=4UXJH3[7MJdb;D`S-%9MKTZ1QJZ@Z3"
Pattern match: "Z.nkF/.TgH9EOM-G-ue_kq"
Pattern match: "3.YT/!l05-eQJcnr.252q%?akTInI%2QZKAdWkL[b%P?H@6Mi[W=_k&Ck7"
Pattern match: "Oh.gGD/+bG1.r$itQ0k0.PjT,dg[;#b?G@W,F'4i^0GW@Z\R+Eu`q,NH\Y$CD"
Pattern match: "RR7br.AbR/VH!b0oq2UMa?ETAVr[6gYg#Gb"
Pattern match: "c43K1Q.KGSc/Jd]HFd755B^6i;1GiF14I2tA:r8M6ok"
Pattern match: "2ds.aVp/A9:d][',i;@r8Us/Bl6o3"
Pattern match: "Z.kLLW/eHkTf'%$+QUi]h&"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "www.adobe.com/misc/pki/prod_svce_cps.html0http://crl.adobe.com/cds\.crl0z0x1US1#0!Adobe"
Heuristic match: "j:ls.jM"
source: File/Memory
relevance: 3/10
ATT&CK ID: T1071 (Application Layer Protocol)
Assessment: of the 33 pattern matches, only www.komorabih.ba, https://www.verisign.com/rpa and the Adobe CPS/CRL URLs have valid hostnames. The last two are strings from an X.509 certificate embedded in the file (a certificate policy pointer and the Adobe CDS CRL distribution point, run together with the surrounding DER bytes "0z0x1" and "US1#0!Adobe"), which fits the CRL cache files the reader wrote. The remainder contain characters that cannot occur in a URL (spaces, quotes, backslashes, brackets, invalid percent escapes) and are regex hits over compressed stream bytes.

Found potential URLs in memory dumps
details: details too long to display
source: Memory Dumps
relevance: 1/10
ATT&CK ID: T1071 (Application Layer Protocol)
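The three string-hit indicators above (mail related domain names, potential IP address, potential URL) are regex matches over the file's bytes, and the report lists them without any syntax check. The Python below is an editorial example, not part of the Hybrid Analysis report, that takes a subset of the hits copied as printed above and sorts them into private IP, public IP, e-mail, URL or junk, where junk means the string cannot be a hostname or URL at all; the hostname rule follows RFC 1123 labels and the path rule RFC 3986 characters, and the candidate list is the only input.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the report's string hits, copied as printed. The sandbox lists these as
# regex matches over file bytes; none of them is a connection it observed.
CANDIDATES = [
    "www.komorabih.ba",
    "https://www.verisign.com/rpa",
    "2Z8b.Et/F*AqO:uQk18qMq*W%LjTm-qr&7emR0",
    "V.Sq/s[/rAE@RZIUPt",
    "uJ.o.cf/GPA",
    "11.0.20.17",
    "192.168.242.158",
    "e-im*@s\\cvvb3d'c",   # fragment of one "observed email domain" hit
]

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # RFC 1123 host label
TLD_RE = re.compile(r"^[a-z]{2,63}$")                    # alphabetic top-level label
# RFC 3986 path/query characters; a "%" must introduce a two-digit hex escape.
PATH_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")

def valid_hostname(host):
    """At least two labels, each a legal RFC 1123 label, and an alphabetic TLD."""
    labels = host.lower().split(".")
    return (len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)
            and TLD_RE.match(labels[-1]) is not None)

def triage(candidate):
    """Classify one hit: ip-private, ip-public, email, url, or junk."""
    try:
        ip = ipaddress.ip_address(candidate)
        return "ip-private" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "ip-public"
    except ValueError:
        pass                                   # not a dotted quad / IPv6 literal
    if "@" in candidate and "/" not in candidate:
        local, _, domain = candidate.rpartition("@")
        return "email" if local and valid_hostname(domain) else "junk"
    # urlsplit needs a scheme or a leading "//" to see the host part
    parts = urlsplit(candidate if "://" in candidate else "//" + candidate)
    if parts.scheme not in ("", "http", "https"):
        return "junk"
    path = parts.path + ("?" + parts.query if parts.query else "")
    if not valid_hostname(parts.hostname or "") or not PATH_RE.match(path):
        return "junk"
    return "url"

def triage_all(candidates=CANDIDATES):
    """Map every candidate to its verdict."""
    return {c: triage(c) for c in candidates}

if __name__ == "__main__":
    for candidate, verdict in triage_all().items():
        print(f"{verdict:10} {candidate}")
```

Only www.komorabih.ba, the VeriSign CPS URL and uJ.o.cf/GPA survive; the last one shows the limit of syntax filtering (a short hit whose last label happens to be a real ccTLD), and the way to settle such residue is the sandbox's DNS and TLS capture, which this report does not break down by host. The private address is the analysis guest's own range, and 11.0.20.17 passes only because any dotted quad in range does.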
Making HTTPS connections using secure TLS/SSL version
- details
- Connection was made using TLSv1.2 [tls.handshake.version: 0x00000303]
- source
- Network Traffic
- relevance
- 1/10
- ATT&CK ID
- T1573 (Show technique in the MITRE ATT&CK™ matrix)
-
References HTTP requests in memory
- details
-
Found HTTP requests "GET /assets/72.zip HTTP/1.1" in memory - Source: "00000000-00003608.00000001.69328.02CC0000.00000004.mdmp")
Found HTTP requests "GET /assets/21.zip HTTP/1.1" in memory - Source: "00000000-00003608.00000001.69328.0D4B0000.00000004.mdmp")
Found HTTP requests "GET /assets/72.zip HTTP/1.1" in memory - Source: "00000000-00003608.00000002.71250.02CC0000.00000004.mdmp")
Found HTTP requests "GET /assets/21.zip HTTP/1.1" in memory - Source: "00000000-00003608.00000002.71250.0D4B0000.00000004.mdmp")
- source
- Memory Dumps
- relevance
- 3/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
Found mail related domain names
-
Pattern Matching
-
YARA signature match - AES Encryption
- details
- YARA signature for AES encryption matched on process "00000000-00003608"
- source
- YARA Signature
- relevance
- 5/10
- ATT&CK ID
- T1027 (Show technique in the MITRE ATT&CK™ matrix)
-
YARA signature match - RC4 Encryption
- details
- YARA signature for RC4 encryption matched on process "00000000-00003608"
- source
- YARA Signature
- relevance
- 5/10
- ATT&CK ID
- T1027 (Show technique in the MITRE ATT&CK™ matrix)
-
Spyware/Information Retrieval
-
Contains CRYPTO related strings
- details
- file/memory contains long string with (Indicator: "aes"; File: "poslovne170823.bin")
- source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1027 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Drops files inside appdata directory
- details
-
Dropped file: "A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl]- [targetUID: 00000000-00003608]
Dropped file: "Annssi.dat" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\Annssi.dat]- [targetUID: 00000000-00003608]
Dropped file: "Annss.dat" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\Annss.dat]- [targetUID: 00000000-00003608]
Dropped file: "addressbook.acrodata" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\addressbook.acrodata]- [targetUID: 00000000-00003608]
Dropped file: "48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl]- [targetUID: 00000000-00003608]
Dropped file: "0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl]- [targetUID: 00000000-00003608]
Dropped file: "CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl]- [targetUID: 00000000-00003608]
Dropped file: "Annssk.dat" - Location: [%APPDATA%\Adobe\Acrobat\11.0\Security\Annssk.dat]- [targetUID: 00000000-00003608]
- source
- Binary File
- relevance
- 3/10
- ATT&CK ID
- T1036 (Show technique in the MITRE ATT&CK™ matrix)
File Details
poslovne170823.pdf
- Filename
- poslovne170823.pdf
- Size
- 698KiB (714283 bytes)
- Type
- Description
- PDF document, version 1.4
- Document creator
- QuarkXPress(R) 9.1
- Document producer
- QuarkXPress(R) 9.1
- Document title
- Layout 1
- Document pages
- 8
- Architecture
- WINDOWS
- SHA256
- b1360fb6a31ee6cdd5fc89059900bd67825ac8143d71f2255b02753faef035ca
- MD5
- 5fe008bc6e76cfee39d601a4cf4b632f
- SHA1
- 6248e21b2614d579afc301a8cd8da33d7e7b0b93
- ssdeep
- 12288:321RlBYNTy/EuCT3O9ayEXUG+odGuGjsUxZcdfZbine3dQm7RcD4c+A4pg+pB:gHcysuCT+lGpdVzUwVZbv3dz44q4pRT
Classification (TrID)
- 100.0% (.PDF) Adobe Portable Document Format
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- AcroRd32.exe "C:\poslovne170823.pdf" (PID: 3608)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative Selection 16
-
-
Annss.dat
- Size
- 10KiB (10240 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 02d8de1ccceb08921b00aa779389d9e2
- SHA1
- c3df212a0658311443daf23b905de44c7c506fc4
- SHA256
- 5be3c8c0c7b95d00d2299a8a1f7256b3e97aa960ecabaac6ddd9f6c833ae38a0
-
Annssi.dat
- Size
- 24KiB (24152 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- b43e09d9c8ed7fa86fe05f06828fcd86
- SHA1
- 2019154c8d156601140f4e99a7ba7c4d3c0192ea
- SHA256
- 695edbb01ec3675ee54a8503743d27b9bf04d173fba5d43b197bff7374e31576
-
Annssk.dat
- Size
- 264B (264 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 35348fa940250b945d42836c2761293a
- SHA1
- d0accb23f71639c86b223e229153f2b1e79ba36f
- SHA256
- 86037bdfb0d236d4c268268f7d8ab5092014d368fa82770571c9f66bcbe3d8e5
-
0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
- Size
- 637B (637 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 974e8536b8767ac5be204f35d16f73e8
- SHA1
- e847897947a3db26e35cb7d490c688e8c410dfb7
- SHA256
- d1bb4b163fe01acc368a92b385bb0bd3a9fc2340b6d485b77a20553a713166d3
-
48B76449F3D5FEFA1133AA805E420F0FCA643651.crl
- Size
- 898B (898 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 1a95b875c2dac8b1e4c33f6c3fb5f057
- SHA1
- 55ff733ef14e47810178782b01302bcdc96c62f1
- SHA256
- f32d5907bc2764d46200ae367c79924551b596aa51a0a67f1a1927a77bee0f71
-
A9B8213768ADC68AF64FCC6409E8BE414726687F.crl
- Size
- 36KiB (37213 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 496dab2b61318e16388b1b4794ea8315
- SHA1
- fe6cd2cc552bf9d2a84b57c09b2f31644a5fd9b9
- SHA256
- 5a11b4fc347abfdaeb2416d376375478ed707f35a768eacc3c03393099547a68
-
CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
- Size
- 425B (425 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- a01bf1d4623a5bd00bd56adb1a8b1af4
- SHA1
- 09a941989e74261c49621d146c1beccd819407c8
- SHA256
- 006646f42030d990c3c08786e19b8ec683b63c011e7b2c98b1d91a12aca05dc1
-
addressbook.acrodata
- Size
- 5.4KiB (5486 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 8ed7c431f988473a847556e795be0e38
- SHA1
- 25c675add988cf60ecbd4385a5e117703b7148a7
- SHA256
- 679e254e87bc61649324cf321e371c85579d9799eb467afb8b1389c0e8df921e
-
A9R7v9ux9_1sdj60_2s8.tmp
- Size
- 35KiB (35731 bytes)
- Type
- data
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 60fb8491aa4b141264152614c765d450
- SHA1
- c33105a5d6bda4f09bfcd774ade9a62e77e131ee
- SHA256
- 3184ca2a7ef723d242309f3770e6f60ac57e436ee3eb2b434112d0df848e5c60
-
A9Rbsk662_1sdj5x_2s8.tmp
- Size
- 5.4KiB (5486 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 8ed7c431f988473a847556e795be0e38
- SHA1
- 25c675add988cf60ecbd4385a5e117703b7148a7
- SHA256
- 679e254e87bc61649324cf321e371c85579d9799eb467afb8b1389c0e8df921e
-
A9Re8z0kn_1sdj61_2s8.tmp
- Size
- 36KiB (36990 bytes)
- Type
- data
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 1f4e9af6a1de0ea9bc44d58008f192c1
- SHA1
- 5f5be604c785f3b46efcdae8dd923aed8f793bbb
- SHA256
- 0e07cc568c6a9039584d1f267d6a2eb4cce1c83e27b79b588bd6406e6eb4772b
-
A9Riawll0_1sdj5w_2s8.tmp
- Size
- 17KiB (17536 bytes)
- Type
- data
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 3db824240cb64c4f6e52db56130a7e6f
- SHA1
- cfb672c82abbe10391cc19f9d3953b0f76d638ae
- SHA256
- b572c39b15d22f892554f5568a1586b589876c3fcdaa84c5477724b6fd3ef8cf
-
A9Rl4h4d1_1sdj5y_2s8.tmp
- Size
- 41KiB (41629 bytes)
- Type
- data
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 2270aa3192da68562fdb1e4c468b13df
- SHA1
- 0efdaae1163af1ac0c61c6e5f92714cdbb03e41a
- SHA256
- 5c74fec27dec1d0fe65987b22d85ba7953e118b34ed48ad59a8000e4d3d4f975
-
A9Rxaaigo_1sdj5z_2s8.tmp
- Size
- 80KiB (81944 bytes)
- Type
- data
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 39c9b484f43d03a05d306bc7bcc16654
- SHA1
- 1cb992eaff6228116e55b858f2ed825b09f2f50b
- SHA256
- fa5fdebe80ec0ce7dc40738b4fd46a9e9b36eca6a810c523ee6ef3fd40b4179e
-
FAPA62.tmp
- Size
- 4B (4 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- 098f6bcd4621d373cade4e832627b4f6
- SHA1
- a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
- SHA256
- 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
-
AdobeFnt14.lst.3608
- Size
- 115KiB (117479 bytes)
- Type
- text
- Description
- PostScript document text
- Runtime Process
- AcroRd32.exe (PID: 3608)
- MD5
- c42f12cba877940ac2131410fa0670ec
- SHA1
- 43ff9fab8750df6e4d3825abdf76a809707c3a28
- SHA256
- 757fda8727d14bcb30b296989e87397fdb09fc405ac7ebd013aecafd85596442
-
Notifications
-
Runtime
- Not all Falcon MalQuery lookups completed in time
- Some low-level data is hidden, as this is only a slim report
- Not all sources for indicator ID "yara-104" are available in the report