Windows Analysis Report
RJ-LLOH-DN1_1-20241219013626-16004075.PDF

Overview

General Information

Sample name: RJ-LLOH-DN1_1-20241219013626-16004075.PDF
Analysis ID: 1579945
MD5: 9b0e379fc6ecb42a16b3cff68024da3f
SHA1: f77a692c3a62052a94361ef6c543faae1acd5a00
SHA256: 9841d4b8993533887a5f67bd4a191d441ff3cd030011295d1ee752d24c0ef57a

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
One or more processes crash

Classification

Source: Acrobat.exe, 00000006.00000000.1759785816.00000205769A3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.quicktime.com.Acrobat
Source: Acrobat.exe, 00000006.00000002.1970369932.000002057BB04000.00000004.00000001.00020000.00000000.sdmp, Acrobat.exe, 00000006.00000000.1772539097.000002057A962000.00000004.00000001.00020000.00000000.sdmp, Acrobat.exe, 00000006.00000002.1969256152.000002057AB3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.echosign.com
Source: Acrobat.exe, 00000006.00000000.1772539097.000002057A962000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.echosign.comY
Source: Acrobat.exe, 00000006.00000000.1772539097.000002057A962000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.echosign.commessagePropKey
Source: Acrobat.exe, 00000006.00000002.1950471409.0000020574FC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api2.branch.io/v1/url
Source: Acrobat.exe, 00000006.00000000.1774107252.000002057BA49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cc-api-data.adobe.io/ingest
Source: Acrobat.exe, 00000006.00000000.1774107252.000002057BA49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://delegated.adobelogin.com
Source: Acrobat.exe, 00000006.00000000.1774107252.000002057BA49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://delegated.adobelogin.comH
Source: Acrobat.exe, 00000006.00000002.1951524276.0000020576B90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ims-na1.adobelogin.com
Source: Acrobat.exe, 00000006.00000000.1774107252.000002057BA49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ims-prod06.adobelogin.com
Source: Acrobat.exe, 00000006.00000000.1774107252.000002057BA49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ims-prod06.adobelogin.comU
Source: Acrobat.exe, 00000006.00000002.1970369932.000002057BB04000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://lcs-cops.adobe.io
Source: Acrobat.exe, 00000006.00000002.1970369932.000002057BB04000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://lcs-robs.adobe.io
Source: Acrobat.exe, 00000006.00000002.1970369932.000002057BB04000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://lcs-robs.adobe.io15)
Source: Acrobat.exe, 00000006.00000000.1754552731.000002057237E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?view=cm&fs=1&tf=1&su=
Source: Acrobat.exe, 00000006.00000000.1754552731.000002057237E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://outlook.office.com/mail/deeplink/compose?mailtouri=
Source: Acrobat.exe, 00000006.00000002.1941121542.00000205723CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.whatsapp.com/send?text=
Source: Acrobat.exe, 00000006.00000000.1774014911.000002057B9A7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.ebixcerts.com
Source: Acrobat.exe, 00000006.00000000.1774383403.000002057BBA4000.00000004.00000001.00020000.00000000.sdmp, Acrobat.exe, 00000006.00000002.1970639963.000002057BBA4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.ebixcerts.comE
Source: WERBDA2.tmp.xml.9.dr OLE indicator, VBA macros: true
Source: WERBDA2.tmp.xml.9.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Both OLE indicators above are reported on WERBDA2.tmp.xml.9.dr, a Windows Error Reporting temp file dropped while WerFault.exe handled the Acrobat.exe crash, and not on the initial PDF sample; the "embedded VBA macros" and "misses a certain OLE stream" signatures therefore describe that dropped file, and the initial sample's own /JS, /JavaScript and /EmbeddedFile keyword counts are all 0.
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7348 -s 1696
Source: classification engine Classification label: sus21.evad.winPDF@15/27@0/0
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7348
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-23 10-38-42-724.log
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\RJ-LLOH-DN1_1-20241219013626-16004075.PDF"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1744,i,10303162133773050494,14992278128259906983,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7348 -s 1696
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 "C:\Users\user\Desktop\RJ-LLOH-DN1_1-20241219013626-16004075.PDF"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown (2 occurrences)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1744,i,10303162133773050494,14992278128259906983,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown (6 occurrences)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: RJ-LLOH-DN1_1-20241219013626-16004075.PDF Initial sample: PDF keyword /JS count = 0
Source: RJ-LLOH-DN1_1-20241219013626-16004075.PDF Initial sample: PDF keyword /JavaScript count = 0
Source: RJ-LLOH-DN1_1-20241219013626-16004075.PDF Initial sample: PDF keyword /EmbeddedFile count = 0
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (43 occurrences)

Malware Analysis System Evasion

Source: Acrobat.exe, 00000006.00000002.1941121542.0000020572356000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK.DLL
Source: Acrobat.exe, 00000006.00000002.1951549763.0000020576BA6000.00000004.00000001.00020000.00000000.sdmp, Acrobat.exe, 00000006.00000000.1760099221.0000020576BA6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Acrobat.exe, 00000006.00000002.1942265983.0000020572CD0000.00000002.00000001.00040000.00000000.sdmp, Acrobat.exe, 00000006.00000000.1756050677.0000020572CD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: Acrobat.exe, 00000006.00000002.1942265983.0000020572CD0000.00000002.00000001.00040000.00000000.sdmp, Acrobat.exe, 00000006.00000000.1756050677.0000020572CD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: Acrobat.exe, 00000006.00000002.1942265983.0000020572CD0000.00000002.00000001.00040000.00000000.sdmp, Acrobat.exe, 00000006.00000000.1756050677.0000020572CD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: Acrobat.exe, 00000006.00000002.1942265983.0000020572CD0000.00000002.00000001.00040000.00000000.sdmp, Acrobat.exe, 00000006.00000000.1756050677.0000020572CD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
All of these hits are strings in the memory of Acrobat.exe itself, not of anything loaded from the PDF. "Hyper-V RAW" next to mswsock.dll is the Winsock catalog entry for the Hyper-V socket provider, and Shell_TrayWnd and Progman are the window class names of the Windows taskbar and desktop, so the evasion signature rests on strings that appear in the viewer on an ordinary host, which is why the classification stays at "sus" (score 21) rather than "mal".
No contacted IP infos