Windows Analysis Report
RE_005859358438475.pdf.lnk.download.lnk

Overview

General Information

Sample name:	RE_005859358438475.pdf.lnk.download.lnk
Analysis ID:	1657843
MD5:	499ee4b114b59c9743db0e8e12c42e00
SHA1:	e8a96fd7d2c0d058b486cf1bec568efea2574398
SHA256:	043da7a869ddbde92c6438d8a441b84cd64fc704f9a1b17641d40e98a1ced077
Tags:	lnkWsgiDAVuser-JAMESWT_WT
Infos:

Detection

Strela Downloader

Score:	72
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Strela Downloader

Opens network shares

Uses an obfuscated file name to hide its real file extension (double extension)

Program does not show much activity (idle)

Searches for the Microsoft Outlook file path

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: RE_005859358438475.pdf.lnk.download.lnk

Virustotal: Detection: 21%

Perma Link

Spam, unwanted Advertisements and Ransom Demands

Yara detected Strela Downloader

Source: Yara match

File source: Process Memory Space: mshta.exe PID: 7132, type: MEMORYSTR

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal72.rans.spyw.evad.winLNK@1/0@0/0

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RE_005859358438475.pdf.lnk.download.lnk

Virustotal: Detection: 21%

Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: RE_005859358438475.pdf.lnk.download.lnk

LNK file: ..\..\..\..\Windows\System32\mshta.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\mshta.exe

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.lnk

Static PE information: RE_005859358438475.pdf.lnk.download.lnk

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Stealing of Sensitive Information

Opens network shares

Source: C:\Windows\System32\mshta.exe

File opened: \\optical-bright-fonts-zealand.trycloudflare.com@ssl\DavWWWRoot\

Jump to behavior

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1657843
Product:	CloudBasic
Start time:	19:14:26
Start date:	06.04.2025
Sample:	RE_005859358438475.pdf.lnk.download.lnk
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	499ee4b114b59c9743db0e8e12c42e00
SHA1:	e8a96fd7d2c0d058b486cf1bec568efea2574398
SHA256:	043da7a869ddbde92c6438d8a441b84cd64fc704f9a1b17641d40e98a1ced077
Filetype:	Windows Shortcut (20020/1) 100.00%

Windows Analysis Report
RE_005859358438475.pdf.lnk.download.lnk

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report RE_005859358438475.pdf.lnk.download.lnk

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
RE_005859358438475.pdf.lnk.download.lnk