Windows Analysis Report
Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Overview

General Information

Sample name:	Law Clerk to Michael Nanne and Brian DeLorenzi.pdf
Analysis ID:	1467858
MD5:	a167796a70b1fb4a64ad4af83b1719eb
SHA1:	681d7cea541073d6cd676243b0d90c436b42420f
SHA256:	0109ea120cf30bd5a14ecde672ff9414f2f70c7af69f96b8a4cf96f4dad5b2d1
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected suspicious PDF

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Classification

Signatures

Source: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49763 version: TLS 1.2

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O3a7EFx9FVTyvKf&MD=l1h6Zfmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d HTTP/1.1Host: saepe.cfdConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O3a7EFx9FVTyvKf&MD=l1h6Zfmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: saepe.cfdConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5dAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: saepe.cfd
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com

Source: unknown

HTTP traffic detected: POST /report/v4?s=3jKHQugiKchX5NSWaTSgxhj%2FZPe5XSinU9qBTOcijOUmifK6w%2BOebWOVTnsu4aUNepZcZmlO1dLd7FND2w9Iz2mj4DnZaIN2spUnFMnMjnToVm8R3jsSN754PG0%3D HTTP/1.1Host: a.nel.cloudflare.comConnection: keep-aliveContent-Length: 533Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 21:14:45 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400CF-Cache-Status: STALEAge: 29677Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kWGlpoksAPacqwrDeVNk7FUywuIvXkXy9%2Fl4Kpc7UsUI65fmkODq%2FbVxZi9Ema98%2FC%2BQO%2BZOpOySraEfIwEo7ghj5zK%2B1BY6iqL48zJjE2BaX5ZVbedd%2FtI4qBw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89e21ff9987717b1-EWRalt-svc: h3=":443"; ma=86400

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A0.1.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	String found in binary or memory: https://lwdxc.ventgreh.com/41Y8pBq3/)
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	String found in binary or memory: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49763 version: TLS 1.2

Source: classification engine

Classification label: sus21.winPDF@40/50@6/5

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://lwdxc.ventgreh.com/41Y8pBq3/
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://saepe.cfd/m/?c3y9bzm2nv8xx25vbszyyw5kpvjxrjvkwha0ymtkm1pxegpwru01u21walfqyz0mdwlkpvvtrviwmta3mjaynfvosvfvrtaymziwnzaxntyymdi0mjaynda3mdezmjaynty=n0123n%5bemail%5d
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://lwdxc.ventgreh.com/41y8pbq3/

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-07-04 17-13-21-899.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Law Clerk to Michael Nanne and Brian DeLorenzi.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1652,i,10075469960472662905,2557708157109484843,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2080,i,5781679661677650540,11246564449664468304,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1652,i,10075469960472662905,2557708157109484843,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2080,i,5781679661677650540,11246564449664468304,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: PDF keyword /JS count = 0
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: PDF keyword /JavaScript count = 0
Source: A98bdu8r_1hw31f4_1jo.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A98bdu8r_1hw31f4_1jo.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Initial sample: PDF keyword stream count = 26

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Initial sample: PDF keyword obj count = 71

Persistence and Installation Behavior

AI detected suspicious PDF

Source: PDF shot

LLM: Score: 8 Reasons: The PDF document contains a visually prominent 'Open' button which could mislead the user into clicking on a potentially harmful link. The text 'This link is protected for your view only. Download to open the file' creates a sense of urgency and interest, encouraging the user to click the button. The document impersonates a well-known brand, Microsoft OneDrive, which adds to its credibility and potential to deceive. The sense of urgency in the text is directly connected to the prominent 'Open' button, increasing the risk of phishing or malware download.

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.221.31	saepe.cfd	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.196	www.google.com	United States	15169	GOOGLEUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
a.nel.cloudflare.com	35.190.80.1	true
saepe.cfd	172.67.221.31	true
www.google.com	142.250.185.196	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d	false		unknown
https://a.nel.cloudflare.com/report/v4?s=3jKHQugiKchX5NSWaTSgxhj%2FZPe5XSinU9qBTOcijOUmifK6w%2BOebWOVTnsu4aUNepZcZmlO1dLd7FND2w9Iz2mj4DnZaIN2spUnFMnMjnToVm8R3jsSN754PG0%3D	false	Avira URL Cloud: safe	unknown
https://saepe.cfd/favicon.ico	false	Avira URL Cloud: safe	unknown
https://a.nel.cloudflare.com/report/v4?s=kWGlpoksAPacqwrDeVNk7FUywuIvXkXy9%2Fl4Kpc7UsUI65fmkODq%2FbVxZi9Ema98%2FC%2BQO%2BZOpOySraEfIwEo7ghj5zK%2B1BY6iqL48zJjE2BaX5ZVbedd%2FtI4qBw%3D	false	Avira URL Cloud: safe	unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	A05F06575E30782E097D7970999A545E	49E72ED9824596F467E6528BE6312DF68A4BC798	8D3B39B082EF99FB4969567B8D694A61968DE43990108B98A7EA84C37C9DD0D3
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	A05F06575E30782E097D7970999A545E	49E72ED9824596F467E6528BE6312DF68A4BC798	8D3B39B082EF99FB4969567B8D694A61968DE43990108B98A7EA84C37C9DD0D3
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	92C203D49206C8CD28C2E90370F2D1F5	40A104FF4BCAAABA7F51F791A61DE8A8F0606FFD	FA85B87B5DB1989CEE5FE21CDD1827958F9F3165388ACDF385AC9FB74872DD94
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)	ASCII text	92C203D49206C8CD28C2E90370F2D1F5	40A104FF4BCAAABA7F51F791A61DE8A8F0606FFD	FA85B87B5DB1989CEE5FE21CDD1827958F9F3165388ACDF385AC9FB74872DD94
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\78f6864a-9214-470d-9b3d-dd0c9e773f60.tmp	JSON data	C53F302898238806C322104AB2AFE651	7BA6543520696E6D649936FDEC708229A65CCB71	5B8C0E1965DBE64422F2EF279867D5EC7C19AE838DD8BB38080F5C8460AFABA6
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	C53F302898238806C322104AB2AFE651	7BA6543520696E6D649936FDEC708229A65CCB71	5B8C0E1965DBE64422F2EF279867D5EC7C19AE838DD8BB38080F5C8460AFABA6
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	D70794712D5EB0EA46E85EB74DDD0260	513E47F7D8F0C9EBFAE1F5E398C0409524058D9A	0050355B49CC4B8645935E052E9F36973279BA0A2E056B9448602D96942E4DA2
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	F9567C7279009774E6AA957662F5EF2A	44C686CF7C46C5E6BDB2E19DB3695CA0457CC4A7	74C4211612038DD7ABF0A7BD5A142A5EC4AD753C59BFEB4C7C78C52B74CA71ED
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)	ASCII text	F9567C7279009774E6AA957662F5EF2A	44C686CF7C46C5E6BDB2E19DB3695CA0457CC4A7	74C4211612038DD7ABF0A7BD5A142A5EC4AD753C59BFEB4C7C78C52B74CA71ED
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240704211323Z-153.bmp	PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54	727861E3077CBB9985A236B121AEA9ED	D6B3A2EF6EB06B17DD6A78D032F327926A9DAAA9	5E38F028504811A6130965136FA5E0610B0B6B37F7139ABDD0D2976B5C86F2D5
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15	994164FAC225E38E4E269FE1715F9FB0	C7A5659A2BD1DB07B8AF391C7F078F3EFDC1C87E	4A167A25FECD041A0E739C0A73EE384C0AB25D191A137A61C4D2ADD6EFB6B121
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	EA810FDACA87C13BD0766C26C5D11CF1	237C9953B5E6C31403BA92758F6ADF45E9758CD1	592C01946A639D0A42380EFDCE2EBD529506538EC1D0ABADA9619944A81C06D9
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	E179A715DDF59610BDABA06D2EF3F1BC	81B2C4DB601FFC69DA650382CC4201E9366CDA8D	E982A880FF2A1E77C48030D55F86FD6CFB7712527B05E03D55D577B9D91AECBC
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	FABDE71E1F3CE5584D1ED866BD8D2DA1	0CA0F7C46CF62C28399D3350CC4A3CBABA6F2CF3	50A8267DB5F33681F95283436D041B3272BD051E9D4E22415A7D0A827CF59359
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.2004	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat	data	F5567C4FF4AB049B696D3BE0DD72A793	EBEADDE9FF0AF2C201A5F7CC747C9EA61CFA6916	D8DBFE71873929825A420F73821F3FF0254D51984FAAA82E1B89D31188F77C04
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	AA837EC8FA6E804895B4643D60F7AF53	F1D03F03DE71192B102DE0A911C3657A24A7466B	58A4E62E913AB05A6B208CF2ADF61AD929B07748E6B1CCB622187AB9C8A9077F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	B813AD3337867F2CE2C6AAF07906C76B	944AB591F7AB3C2766EAC56EEE400ADF4EA39F85	A25D464B2C72E97A3DBC1F2368D2779E95A9DE2A00BBC45914894126D683E7E1
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	6AE6780D9097393031F2DA92D4B60129	50FB7003D89357400F5DDB009BEE2714D57661A6	5A688A8E62CDC36B655EA882A11CBD9372A2CA91E64DCC2C4513B3EE464AB7F0
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	1A9C42EFAEE3536AB0F3A3C0608648FA	BC40E45A85213FD69CD20CB763933D4DD4C75853	A14748D481E53CBE7A1CEE9DF92EBE4D286E6B7841367A277A1EB50D7EE5D51E
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	9CC18B8C83E3C65BD5A9B70B18B5DBA8	655156A6369FB44C434F546087716B76865BCBA4	4C2A1E3BFD34A0441FF8E342BA868C767D039E4175EC16909F76707C3FEED099
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	E5B5F7048FB2232E9F8AC25B68D5FE5C	38B676362F412867FFA11A8B1CBCC035CD0B0F87	409A87952C0749298819EF9EC3EC5550200810B0D0BF86AAFADA9001615C7BC3
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	FC3C54C01C30EEA57CAB9D4A5F8ED30B	2EFA23BB4C6AB86AF9FF4EFA9F8CEA673E90CFED	D75984B832480F88A2CD839160ABE405EAA07BBCDAD202408C4A1A25EB6E0409
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	EFC9554F05B5930357DE8C6D7E04D9C4	37A305ED31604FA2C38BD6A6378D5E58CDE9A76F	26BAB0A7F98DB7D8D3C6F0807C2E9ECA9BF91BDC813A95DAFF2D9F796332AE98
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	FCC12C712E8534C6D7ACEF529065C6D6	B54A8BD2883E06EF5340E2AC3687752A1ECDBE34	6A2E7E76FC4C676E993C96386A4747C67FB70B5C2F10352E1E7D5BDF74EEE619
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	CD9E78EC2DBEFF6873C960589F7745FB	02C1665CA0A3E01DFF86E4557DBDA9C1784CCBCA	929E3673D42982CE3CAD4D4AA3D6D3C8BD38AB3A2B127708D7B7BF8853D8782C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	DAC254EAFE3C2B5FD806116FD6FE9F36	E17792F6B9DBD73F3AEBC72AF6DBCFAB905E405F	110BBC57DE52251188D00911C3EAC3DB8C1A1129444FEAF8D1B26E46CE5C3FC8
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	139620A855ECCB522E195246B9C11C2B	DB5ACD029474D522D35F0A2D7EB28A1C17FF599E	8465454009C8EB850448276ADFA7D68E3E5EFE4F038600F82AA1848858BA4C07
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	D7B71001A59D5340F360EF43578C8D73	3C94EE0E80CFF7DD69DC77F035ABABCEFB5825CB	B045DE7A2A88F873F73680F159EDC8C2FB3429123CAE31145E1E466B1A75EC2F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	3FF99EF9CDBAE4ADD489E19792C1FB52	35E1F993A6494749061C4EF95C720BBA04C25BDC	CCEB149FDF09C3F501457AE306FF9455BCC3F14216071A7C22BCDB0087B97441
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	D516BD6DD234456615CA6FEB5D75739C	359098105D893A830D95630B60C937D111ADF003	FAE26141F7D89BB4F5C60B3A83267E213A9F1A4A5FB7D3242791D0001AC60CAC
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	3F29B06BD4EFCEB9F47F4B5107466619	950C781D057581095F4BE20518238367981B6380	6443009772C8E74E63F11CF126BE080F00F365649CC822F7426988EA631BBD3A
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	4C16C2F53E5D3C87E191D1F1578C8031	0FDF20579C3F204CB498D934263219209810AC39	9778CB223CF2C51D5D0725DC0D10DEFCA4D3B5AC88991F5945754ED4644FE57C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25	4BB0554C1F194712D840F368994860EA	4BBA2F22D6763493C5167E0AE0C182277B344DCD	CFA5391A157B61845A8913483A515596862500E417480ECD0B34FC6CCD81F032
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	7289C11BA461FBA9E57AAFC907CB1C00	44260E3CE8F0DB5F4F2AD522CE4C5FF83F2CEBF1	C2DD001676D247D4EE71B8B013DEF44E1864F6A257B0EB07C8A74EE6DBFD842C
C:\Users\user\AppData\Local\Temp\MSI7413.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	38AC4FDFE5F6E2A7F4047E6E3D1C249C	CB914248CB129C5F4CE64E246DEAC2663FCEB0E6	898BBD09F7B428DF15F3A6D01414A9990C189AF64EFCC9217BED4EFF936F1576
C:\Users\user\AppData\Local\Temp\acrobat_sbx\A98bdu8r_1hw31f4_1jo.tmp	PDF document, version 1.6, 0 pages	2BEA9277B1778B41BDFADA4BFE132109	C9721BF1DC68B723D60DACCAA7206D1799AC5110	77D12154428815EB4F30399F71AAB8F175F3A12642B0D1FC19C8B796F6B75A1C
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-07-04 17-13-21-899.log	ASCII text, with very long lines (393)	8947C10F5AB6CFFFAE64BCA79B5A0BE3	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	FA807AE374CD7A466EF002FDCCEF8AE7	794E4E9403E31A52F3ADC55DFFC33247A335E3BC	D98D521C4D55CDCE20F8D06AB692A2807A2B6A9CC685F1FBAA7C0CB958E46255
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	8E0E55FB8002E3E65A0565BCC8DC2A58	3E2B7D47EDB12D629D06AF86AE9A9F36B45F66A0	0F9C28EFF95755527CD515AC0376E870819C08CAAAFF0AC06D0FD327C45E071C
C:\Users\user\AppData\Local\Temp\acrocef_low\9cd31b55-b009-41b9-bcba-bdb23551d487.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	18E3D04537AF72FDBEB3760B2D10C80E	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
C:\Users\user\AppData\Local\Temp\acrocef_low\c7b50b23-fc84-48e6-838e-aae3d625abd4.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
C:\Users\user\AppData\Local\Temp\acrocef_low\e1efec94-34af-4fc6-acf5-4d8b4b2590e6.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Local\Temp\acrocef_low\f2b47b2c-8051-4fe7-bada-c48b1466b240.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	8B9FA2EC5118087D19CFDB20DA7C4C26	E32D6A1829B18717EF1455B73E88D36E0410EF93	4782624EA3A4B3C6EB782689208148B636365AA8E5DAF00814FA9AB722259CBD
Chrome Cache Entry: 192	HTML document, ASCII text	B035CD8333EA6F1C37EEECA8ECD09A22	5E2CF602942E949FC68379B4D7052E83287C704E	1E76CA9B66CD0D060F25416D26A334E832FAE23B80A85225E14D0B9CBA356A1D

Source: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49763 version: TLS 1.2

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O3a7EFx9FVTyvKf&MD=l1h6Zfmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d HTTP/1.1Host: saepe.cfdConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O3a7EFx9FVTyvKf&MD=l1h6Zfmk HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: saepe.cfdConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5dAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: saepe.cfd
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com

Source: unknown

Source: global traffic

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A0.1.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	String found in binary or memory: https://lwdxc.ventgreh.com/41Y8pBq3/)
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	String found in binary or memory: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49763 version: TLS 1.2

Source: classification engine

Classification label: sus21.winPDF@40/50@6/5

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://lwdxc.ventgreh.com/41Y8pBq3/
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://saepe.cfd/m/?c3y9bzm2nv8xx25vbszyyw5kpvjxrjvkwha0ymtkm1pxegpwru01u21walfqyz0mdwlkpvvtrviwmta3mjaynfvosvfvrtaymziwnzaxntyymdi0mjaynda3mdezmjaynty=n0123n%5bemail%5d
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: https://lwdxc.ventgreh.com/41y8pbq3/

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-07-04 17-13-21-899.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Law Clerk to Michael Nanne and Brian DeLorenzi.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1652,i,10075469960472662905,2557708157109484843,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://saepe.cfd/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVJXRjVkWHA0YmtkM1pXeGpWRU01U21WalFqYz0mdWlkPVVTRVIwMTA3MjAyNFVOSVFVRTAyMzIwNzAxNTYyMDI0MjAyNDA3MDEzMjAyNTY=N0123N%5bEMail%5d"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2080,i,5781679661677650540,11246564449664468304,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1652,i,10075469960472662905,2557708157109484843,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2080,i,5781679661677650540,11246564449664468304,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: PDF keyword /JS count = 0
Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf	Initial sample: PDF keyword /JavaScript count = 0
Source: A98bdu8r_1hw31f4_1jo.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A98bdu8r_1hw31f4_1jo.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Initial sample: PDF keyword stream count = 26

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Initial sample: PDF keyword obj count = 71

Persistence and Installation Behavior

AI detected suspicious PDF

Source: PDF shot

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

ID:	1467858
Product:	CloudBasic
Start time:	23:12:31
Start date:	04.07.2024
Sample:	Law Clerk to Michael Nanne and Brian DeLorenzi.pdf
Cookbook:	defaultwindowspdfcookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a167796a70b1fb4a64ad4af83b1719eb
SHA1:	681d7cea541073d6cd676243b0d90c436b42420f
SHA256:	0109ea120cf30bd5a14ecde672ff9414f2f70c7af69f96b8a4cf96f4dad5b2d1
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Windows Analysis Report
Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report Law Clerk to Michael Nanne and Brian DeLorenzi.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Law Clerk to Michael Nanne and Brian DeLorenzi.pdf