Windows Analysis Report
Upper Shore Aging, Inc.pdf

Overview

General Information

Sample name: Upper Shore Aging, Inc.pdf
Analysis ID: 1446725
MD5: 51669f985e1bcf940b683c1a86eed714
SHA1: 53486a0c0aa809832aec9a219f277314569be29e
SHA256: 8b7b4549852a9fdecd3ee5477eb3999460762c671d41e65923aa030e14d15fb9
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Phishing site or detected (based on various text indicators)
Drops files with a non-matching file extension (content does not match file extension)
IP address seen in connection with other malware

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://uppershoreaging-my.sharepoint.com/personal/ahollis_uppershoreaging_org/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fahollis%5Fuppershoreaging%5Forg%2FDocuments%2FReview%20and%20Print%2DRFP%200447283%2Epdf&parent=%2Fpersonal%2Fahollis%5Fuppershoreaging%5Forg%2FDocuments&ga=1 SlashNext: Label: Credential Stealing type: Phishing & Social usering

Phishing
barindex
Phishing site or detected (based on various text indicators)
Source: Chrome DOM: 0.2 OCR Text: e Share Review and m0447283.pdf OneDrive A secured file has lRn shared with you via One Drive for business to view it. Click on the link below. VIEW PDF DOCUMENT HERE Mkrowf Secwity The Following File has Scanned by NortonAntiVirus. This message was sent to you to protect sensitive information. Date created: 05/23/2024 09:15 AM Size 12.3 MB. ISI/I
Source: Chrome DOM: 0.3 OCR Text: e Share Review and m0447283.pdf OneDrive A secured file has lRn shared with you via One Drive for business to view it. Click on the link below. VIEW PDF DOCUMENT HERE Mkrowf Secwity The Following File has Scanned by NortonAntiVirus. This message was sent to you to protect sensitive information. Date created: 05/23/2024 09:15 AM Size 12.3 MB.
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 13.107.136.10 13.107.136.10
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: chromecache_498.11.dr String found in binary or memory: http://linkless.header/
Source: chromecache_589.11.dr, chromecache_582.11.dr String found in binary or memory: http://scripts.sil.org/OFLThis
Source: chromecache_657.11.dr, chromecache_398.11.dr, chromecache_403.11.dr, chromecache_563.11.dr, chromecache_430.11.dr, chromecache_643.11.dr String found in binary or memory: http://www.contoso.com
Source: chromecache_385.11.dr String found in binary or memory: http://www.unicode.org/copyright.html
Source: chromecache_517.11.dr String found in binary or memory: https://1drv.com/
Source: chromecache_517.11.dr String found in binary or memory: https://centralus1-mediad.svc.ms
Source: chromecache_561.11.dr String found in binary or memory: https://dour.creweli.com/reakg/)
Source: chromecache_517.11.dr String found in binary or memory: https://livefilestore.com/
Source: chromecache_572.11.dr String found in binary or memory: https://make.powerautomate.com
Source: chromecache_517.11.dr String found in binary or memory: https://media.cloudapp.net
Source: chromecache_517.11.dr String found in binary or memory: https://northcentralus1-medias.svc.ms
Source: chromecache_354.11.dr String found in binary or memory: https://onedrive.live.com/?gologin=1
Source: chromecache_639.11.dr, chromecache_656.11.dr String found in binary or memory: https://outlook.office.com/search
Source: chromecache_425.11.dr, chromecache_517.11.dr String found in binary or memory: https://portal.office.com/
Source: chromecache_517.11.dr String found in binary or memory: https://reactjs.org/link/react-polyfills
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2024-05-10.005/
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp-media-9dae1169
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.1ds/odsp.1ds.lib-0f147484
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.fluentui.core/fui.core-74747c3c
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.fluentui.utilities/fui.util-82161ad0
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.react/odsp.react.lib-aa551099
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.tslib/tslib-b1569464
Source: chromecache_354.11.dr String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.utilities/odsp.util-0bc6c9b0
Source: chromecache_354.11.dr String found in binary or memory: https://res-2.cdn.office.net/files/odsp-web-prod_2024-05-10.005/
Source: chromecache_498.11.dr String found in binary or memory: https://sharepoint.uservoice.com/forums/329214-sites-and-collaboration
Source: chromecache_354.11.dr String found in binary or memory: https://shell.cdn.office.net
Source: chromecache_354.11.dr String found in binary or memory: https://shell.cdn.office.net/api/ShellBootstrapper/business/OneShell
Source: chromecache_354.11.dr String found in binary or memory: https://spoprod-a.akamaihd.net/files/odsp-common-library-prod_2019-02-15_20190219.002/require.js
Source: Upper Shore Aging, Inc.pdf String found in binary or memory: https://uppershoreaging-my.sharepoint.com/:b:/g/personal/ahollis_uppershoreaging_org/Ebz29aVe_0BFkoX
Source: chromecache_354.11.dr String found in binary or memory: https://uppershoreaging-my.sharepoint.com/personal/ahollis_uppershoreaging_org
Source: chromecache_354.11.dr String found in binary or memory: https://uppershoreaging-my.sharepoint.com:443/_api/v2.0/drives/b
Source: chromecache_354.11.dr String found in binary or memory: https://www.office.com/login?prompt=select_account&ru=%2Flaunch%2Fonedrive
Source: chromecache_354.11.dr String found in binary or memory: https://www.office.com/login?ru=%2Flaunch%2Fonedrive
Source: classification engine Classification label: mal52.phis.winPDF@46/748@0/4
Source: Upper Shore Aging, Inc.pdf Initial sample: https://uppershoreaging-my.sharepoint.com/:b:/g/personal/ahollis_uppershoreaging_org/Ebz29aVe_0BFkoX8rVx6WqEBFvs4tBqhfQJRfgE22OIa3Q?e=bsm9nf/
Source: chromecache_561.11.dr Initial sample: https://dour.creweli.com/reakg/
Source: Upper Shore Aging, Inc.pdf Initial sample: https://uppershoreaging-my.sharepoint.com/:b:/g/personal/ahollis_uppershoreaging_org/ebz29ave_0bfkox8rvx6wqebfvs4tbqhfqjrfge22oia3q?e=bsm9nf/
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5804 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-05-23 14-19-44-898.log Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Upper Shore Aging, Inc.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1728,i,8770776599338431289,11718991557357239957,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://uppershoreaging-my.sharepoint.com/:b:/g/personal/ahollis_uppershoreaging_org/Ebz29aVe_0BFkoX8rVx6WqEBFvs4tBqhfQJRfgE22OIa3Q?e=bsm9nf/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=2004,i,12642297534387425534,918895744987096326,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1728,i,8770776599338431289,11718991557357239957,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=2004,i,12642297534387425534,918895744987096326,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Upper Shore Aging, Inc.pdf Initial sample: PDF keyword /JS count = 0
Source: Upper Shore Aging, Inc.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: A9d7ph25_1asfe5x_4h8.tmp.1.dr Initial sample: PDF keyword /JS count = 0
Source: A9d7ph25_1asfe5x_4h8.tmp.1.dr Initial sample: PDF keyword /JavaScript count = 0
Source: chromecache_423.11.dr Initial sample: PDF keyword /JS count = 0
Source: chromecache_423.11.dr Initial sample: PDF keyword /JavaScript count = 0
Source: chromecache_561.11.dr Initial sample: PDF keyword /JS count = 0
Source: chromecache_561.11.dr Initial sample: PDF keyword /JavaScript count = 0
Source: chromecache_423.11.dr Initial sample: PDF keyword stream count = 23
Source: Upper Shore Aging, Inc.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: chromecache_423.11.dr Initial sample: PDF keyword obj count = 51
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 423
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 561 Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 423 Jump to dropped file
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: chromecache_515.11.dr, chromecache_512.11.dr Binary or memory string: ",ConnectVirtualMachine:"
Source: chromecache_515.11.dr, chromecache_512.11.dr Binary or memory string: ",DisconnectVirtualMachine:"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1446725 Sample: Upper Shore Aging, Inc.pdf Startdate: 23/05/2024 Architecture: WINDOWS Score: 52 27 Antivirus detection for URL or domain 2->27 29 Phishing site or detected (based on various text indicators) 2->29 7 chrome.exe 1 2->7         started        10 Acrobat.exe 18 78 2->10         started        process3 dnsIp4 19 239.255.255.250 unknown Reserved 7->19 12 chrome.exe 7->12         started        15 AcroCEF.exe 107 10->15         started        process5 dnsIp6 21 13.107.136.10 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->21 23 142.250.184.196 GOOGLEUS United States 12->23 25 1.1.1.1 CLOUDFLARENETUS Australia 12->25 17 AcroCEF.exe 2 15->17         started        process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
13.107.136.10
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
142.250.184.196
 unknown United States
15169 GOOGLEUS false
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
239.255.255.250
 unknown Reserved
unknown unknown false

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://uppershoreaging-my.sharepoint.com/personal/ahollis_uppershoreaging_org/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fahollis%5Fuppershoreaging%5Forg%2FDocuments%2FReview%20and%20Print%2DRFP%200447283%2Epdf&parent=%2Fpersonal%2Fahollis%5Fuppershoreaging%5Forg%2FDocuments&ga=1 true
  • SlashNext: Credential Stealing type: Phishing & Social usering
 unknown