Play interactive tour

Edit tour

Analysis Report pdf24-Toolbox.exe

Overview

General Information

Sample Name:	pdf24-Toolbox.exe
Analysis ID:	398562
MD5:	76bfc70c6c6b7e4b14fe4e141e9080e5
SHA1:	c136f24e5644e08451d78ea5f1d36272f12f422b
SHA256:	93b37a163dace60c9e4d4e0a804421c31c07f964bcd1ca8720947dd6d98481ee
Infos:
Most interesting Screenshot:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains strange resources

Program does not show much activity (idle)

Tries to load missing DLLs

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64

pdf24-Toolbox.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\pdf24-Toolbox.exe' MD5: 76BFC70C6C6B7E4B14FE4E141E9080E5)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: pdf24-Toolbox.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014004AD50 FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014004F940 InternetReadFile,

Source: pdf24-Toolbox.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: pdf24-Toolbox.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: pdf24-Toolbox.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: pdf24-Toolbox.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: pdf24-Toolbox.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: pdf24-Toolbox.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: pdf24-Toolbox.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: pdf24-Toolbox.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: pdf24-Toolbox.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: pdf24-Toolbox.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: pdf24-Toolbox.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: pdf24-Toolbox.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: pdf24-Toolbox.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: pdf24-Toolbox.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: pdf24-Toolbox.exe	String found in binary or memory: https://creator.pdf24.org/inapp/toolbox/
Source: pdf24-Toolbox.exe	String found in binary or memory: https://fax.pdf24.org
Source: pdf24-Toolbox.exe	String found in binary or memory: https://fax.pdf24.orgsendFaxfaxouthttps://faxout.pdf24.orgonlineToolshttps://tools.pdf24.orgoutputPr
Source: pdf24-Toolbox.exe	String found in binary or memory: https://faxout.pdf24.org
Source: pdf24-Toolbox.exe	String found in binary or memory: https://mailout.pdf24.org
Source: pdf24-Toolbox.exe	String found in binary or memory: https://mailout.pdf24.orgaction=newMail
Source: pdf24-Toolbox.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: pdf24-Toolbox.exe	String found in binary or memory: https://tools.pdf24.org
Source: pdf24-Toolbox.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_00000001400120A0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_00000001400624D0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140024500
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140006630
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140004650
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_00000001400487D0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140068870
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_00000001400668B0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140024A30
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140050CD0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140068D10
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140022D30
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014001CDF0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140020E20
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014000CF70
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014001F0A0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014001D1B0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_00000001400652A0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140053320
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140043510
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140013510
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014000F660
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140003660
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_00000001400216A0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140047780
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014002F7E0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014004B840
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014000B8F0
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014003B960
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140033B10
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014004DB90
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014006BC40
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014001DF60
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_0000000140049F70
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014000DFA0

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 00000001400406D0 appears 167 times
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 0000000140040780 appears 76 times
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 0000000140040DF0 appears 53 times
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 000000014006C220 appears 101 times
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 0000000140048650 appears 38 times
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 0000000140041380 appears 35 times
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 00000001400382A0 appears 58 times
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: String function: 0000000140041930 appears 71 times

Source: pdf24-Toolbox.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: language.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: formatoptions.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: settings.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: zlib.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Section loaded: about.dll

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014001C650 CLSIDFromProgID,CoCreateInstance,OleRun,#9,#2,#9,#2,#9,Sleep,#9,#9,#9,

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_0000000140019820 FindResourceW,LoadResource,LockResource,SizeofResource,memcpy,

Source: pdf24-Toolbox.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: pdf24-Toolbox.exe	String found in binary or memory: pdf24-Launcher.exe
Source: pdf24-Toolbox.exe	String found in binary or memory: toolbox/status/adding-image
Source: pdf24-Toolbox.exe	String found in binary or memory: toolbox/error/adding-image
Source: pdf24-Toolbox.exe	String found in binary or memory: toolbox/status/adding-watermark
Source: pdf24-Toolbox.exe	String found in binary or memory: toolbox/status/adding-page-numbers
Source: pdf24-Toolbox.exe	String found in binary or memory: toolbox/status/adding-overlay
Source: pdf24-Toolbox.exe	String found in binary or memory: actionfileInfosoutFileSuffixpageInfosimageFormatuserPassallowAssembleDocumentallowExtractContentallowExtractForAccessibilityallowFillInFormallowModifyallowModifyAnnotationsallowPrintallowPrintHighQualitypagesPerPdfpageRotationInfopagesInfosoutputFileTypeconversionModepatternpositionanglecoloropacityfontNamefontSizespaceXspaceYpageStartOffsetpageNumberShiftrepeatLastOverlayPageoverlayPositionoverlayModeoverlayRotationoverlayFileInfoleftMargintopMarginrightMarginbottomMarginusePageBoxembedFontssubsetFontspreserveAnnotationstitlesubjectauthorkeywordspdfaProfilesecurityModependingdoneunknowntoolbox/error/processing-jobmergePdfjoinPdfconcatenatePdfconcatenatecollatePdfcollatecompressPdfconvertToPdfoverlayPdfFilesoverlayPdfsprotectPdfunlockPdfsplitPdfrotatePdfPagesremovePdfPagesextractPdfPagessortPdfPagesimagesToPdfpdfToImagesconvertPdfTowebOptimizePdfextractImagesaddWatermarkToPdfaddPageNumbersToPdfflattenPdfcropPdfAction not supportedtoolbox/status/converting-to-pdfdefault/besttoolbox/error/converting-to-pdftoolbox/status/unlockingtoolbox/error/unlocking-toolbox/status/combining-filesmergePdf_toolbox/error/combining-filesmerged.pdftoolbox/status/combining-pagestoolbox/error/combining-pagespageByPage.jpgtoolbox/status/adding-overlaybackgroundblackentoolbox/status/compressingcompressPdf_toolbox/status/protectingtoolbox/error/protectingtoolbox/status/splittingtoolbox/error/splittingtoolbox/status/rotating-pagesrotatePdfPages_toolbox/status/removing-pagesremovePdfPages_toolbox/status/extracting-pagesexractPdfPages_toolbox/status/rearranging-pagessortPdfPages_toolbox/error/rearranging-pagestoolbox/status/adding-imagetoolbox/error/adding-imageimagesToPdf_images.pdftoolbox/status/converting-pages-to-imagespdfToImages_ -sDEVICE=pnggray -sDEVICE=png16m%03d.png -sDEVICE=jpeggray -dJPEGQ=%d -sDEVICE=jpeg -dJPEGQ=%d%03d.jpgconvertPdfTo_[ /Creator ( /Title /Subject /Author /Keywords /DOCINFO pdfmarkpdfwrite-sDEVICE-dEmbedAllFonts-dSubsetFonts-dPreserveAnnots/None-dAutoRotatePages/sRGB-dColorConversionStrategy/CMYK/Gray/LeaveColorUnchanged-dDownsampleColorImages-dDownsampleGrayImages-dDownsampleMonoImages-dPassThroughJPEGImages-f-cpdfaPDFA.ps/Preserve-dTransferFunctionInfo1-dPDFACompatibilityPolicy-dConvertCMYKImagesToRGB-dPreserveOverprintSettings-dPDFATitle-dPDFA-sPDFAICCProfileCustom-sPDFAOutputConditionIdentifier-sPDFAInfoProgress:org.pdf24.Converter-modetoolbox/status/convertingpdfa1pdfa2pdfa3docxpptxxlsxUnknown output file typetoolbox/status/optimizingwebOptimizePdf_toolbox/error/optimizingtoolbox/status/extracting-imagesextractImages_%04d.jpg%04d.pngutils.pswater.pstoolbox/status/adding-watermarkaddWatermark_ "-dWatermarkStr= "-sWatermarkFont= -dWatermarkFontScale= -dWatermarkAngle= -dWatermarkColorR= -dWatermarkColorG= -dWatermarkColorB= -dWatermarkColorA= -dWatermarkZPos= -dWatermarkPos= -dWatermarkMarginX= -dWatermarkMarginY= -fpageNum.pstoolbox/status/adding-page-numbersaddPageNumbers_ "-dPageNumPattern= "-sPageNumFont= -dPageNumFontScale= -dPageNum
Source: pdf24-Toolbox.exe	String found in binary or memory: .pdftxt.txtpdfpng.png.ArrayObjectgetStrgetIntgetLonggetDwordgetQwordgetDoublegetBoolsetStrsetIntsetLongsetDwordsetQwordsetDoublesetBoolpdf24Software\PDF24\IWebBrowser2text/application/jsonUrl extract error: %dmethodheadersautoRedirectreloadnoCacheWritenoAuthnoCookiesignoreCertCnInvalidignoreCertDateInvalidinternetFlagsreceiveTimeoutsendTimeoutdataTypedataTransferEncodingdataData extract error: %dUnsupported data type for member '%s': %dUnsupported data type: %dresponseMaxSizesuccesserrorMsgerrorCodestatusCoderedirectedUrlremoteIpreturnResponseHeadersreturnRequestHeadersrequestHeadersdataSizedataSizeRealdataIsTruncatedContent-TyperesponseAsBinaryUTF-8responseCharsetcharsetdataEncodingdataIsBinarybase64callbackkey0key1key2lengthkey3This is an argumentXXXXresultnameversionlanginstallIduserIdcreatorIdosVersionlcidarchinstallerisCustomBannerpdf24:bannercustomBannerSrccustomBannerUrlpdf24-Updater.exeebb_existssizelastmodmimeTypetext/textcreatorassistantsettingsupdaterlauncherpdf24-Launcher.exereaderdocToolfileTools-showFileUi<screen>https://fax.pdf24.orgsendFaxfaxouthttps://faxout.pdf24.orgonlineToolshttps://tools.pdf24.orgoutputProfileManagerabouttestgetAppInfofetchUrladdTextContentTypesetAsyncJobWorkerCountshowEmbeddedBrowserisEmbeddedBrowserVisiblegetLangValueshowAboutcheckForUpdatesopenSettingsconfigopenOutputProfilescreateTempFileappendTempFilegetFileInfoloadFromUrlopenAppgetFileSizegetModuleFileNamehasFeatureforceForegroundgetFileUrlbmpimage/bmpimage/pngjpgimage/jpeggifimage/gifcsstext/cssjstext/javascripthtmltext/htmltext/plainjsonapplication/pdfwoffapplication/font-woffwoff2application/font-woff2ttfapplication/font-ttfeotapplication/vnd.ms-fontobjectsvgimage/svg+xmlapplication/octet-streampdf24://bannerpdf24://res/pdf24://file/abs/File not found: %spdf24://file/tmp/pdf24://file/inst/Installation directory config value is emptyP_
Source: pdf24-Toolbox.exe	String found in binary or memory: .pdftxt.txtpdfpng.png.ArrayObjectgetStrgetIntgetLonggetDwordgetQwordgetDoublegetBoolsetStrsetIntsetLongsetDwordsetQwordsetDoublesetBoolpdf24Software\PDF24\IWebBrowser2text/application/jsonUrl extract error: %dmethodheadersautoRedirectreloadnoCacheWritenoAuthnoCookiesignoreCertCnInvalidignoreCertDateInvalidinternetFlagsreceiveTimeoutsendTimeoutdataTypedataTransferEncodingdataData extract error: %dUnsupported data type for member '%s': %dUnsupported data type: %dresponseMaxSizesuccesserrorMsgerrorCodestatusCoderedirectedUrlremoteIpreturnResponseHeadersreturnRequestHeadersrequestHeadersdataSizedataSizeRealdataIsTruncatedContent-TyperesponseAsBinaryUTF-8responseCharsetcharsetdataEncodingdataIsBinarybase64callbackkey0key1key2lengthkey3This is an argumentXXXXresultnameversionlanginstallIduserIdcreatorIdosVersionlcidarchinstallerisCustomBannerpdf24:bannercustomBannerSrccustomBannerUrlpdf24-Updater.exeebb_existssizelastmodmimeTypetext/textcreatorassistantsettingsupdaterlauncherpdf24-Launcher.exereaderdocToolfileTools-showFileUi<screen>https://fax.pdf24.orgsendFaxfaxouthttps://faxout.pdf24.orgonlineToolshttps://tools.pdf24.orgoutputProfileManagerabouttestgetAppInfofetchUrladdTextContentTypesetAsyncJobWorkerCountshowEmbeddedBrowserisEmbeddedBrowserVisiblegetLangValueshowAboutcheckForUpdatesopenSettingsconfigopenOutputProfilescreateTempFileappendTempFilegetFileInfoloadFromUrlopenAppgetFileSizegetModuleFileNamehasFeatureforceForegroundgetFileUrlbmpimage/bmpimage/pngjpgimage/jpeggifimage/gifcsstext/cssjstext/javascripthtmltext/htmltext/plainjsonapplication/pdfwoffapplication/font-woffwoff2application/font-woff2ttfapplication/font-ttfeotapplication/vnd.ms-fontobjectsvgimage/svg+xmlapplication/octet-streampdf24://bannerpdf24://res/pdf24://file/abs/File not found: %spdf24://file/tmp/pdf24://file/inst/Installation directory config value is emptyP_

Source: pdf24-Toolbox.exe

Static PE information: certificate valid

Source: pdf24-Toolbox.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: pdf24-Toolbox.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_00000001400251B0 IsIconic,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014004AD50 FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014006C118 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014006C118 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014006CC40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014006D140 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\pdf24-Toolbox.exe	Code function: 0_2_000000014006D324 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_0000000140003F60 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,CreateMutexW,

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014004DE10 GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,GetLastError,CloseHandle,SetLastError,

Source: C:\Users\user\Desktop\pdf24-Toolbox.exe

Code function: 0_2_000000014006D390 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	DLL Side-Loading1	Process Injection1	Process Injection1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Application Window Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pdf24-Toolbox.exe	0%	Virustotal		Browse
pdf24-Toolbox.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://mailout.pdf24.orgaction=newMail	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://fax.pdf24.orgsendFaxfaxouthttps://faxout.pdf24.orgonlineToolshttps://tools.pdf24.orgoutputPr	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://tools.pdf24.org	pdf24-Toolbox.exe	false		high
https://mailout.pdf24.orgaction=newMail	pdf24-Toolbox.exe	false	Avira URL Cloud: safe	low
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	pdf24-Toolbox.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://faxout.pdf24.org	pdf24-Toolbox.exe	false		high
https://sectigo.com/CPS0	pdf24-Toolbox.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://fax.pdf24.orgsendFaxfaxouthttps://faxout.pdf24.orgonlineToolshttps://tools.pdf24.orgoutputPr	pdf24-Toolbox.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	pdf24-Toolbox.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://fax.pdf24.org	pdf24-Toolbox.exe	false		high
https://mailout.pdf24.org	pdf24-Toolbox.exe	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	pdf24-Toolbox.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://creator.pdf24.org/inapp/toolbox/	pdf24-Toolbox.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	398562
Start date:	27.04.2021
Start time:	17:46:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 30s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	pdf24-Toolbox.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.5% (good quality ratio 2%) Quality average: 38.3% Quality standard deviation: 23.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Execution Graph export aborted for target pdf24-Toolbox.exe, PID 7088 because there are no executed function

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.17258998620654
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pdf24-Toolbox.exe
File size:	783552
MD5:	76bfc70c6c6b7e4b14fe4e141e9080e5
SHA1:	c136f24e5644e08451d78ea5f1d36272f12f422b
SHA256:	93b37a163dace60c9e4d4e0a804421c31c07f964bcd1ca8720947dd6d98481ee
SHA512:	ad3637ce13fbc93842a45fc5e56c598174e0515a88be681d12005323a23aa242c44a75cc84c93b76d325f26f05753f013ae734681c34c9ab64d296c329126f27
SSDEEP:	12288:D5iacnm6tItJSOQk6YSYvOE4zBoQN6bqW4P:D5iTntItJSBkkYN4zqFbqrP
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........~z...)...)...)...)...)Vx.)...)v..(...)v..(...)v..(...)v..(...)...(...)...(...)...(...)...(...)_..(...)_..(...)...)...)_..(...

File Icon


Icon Hash:	39f0f06466ec9db2

Static PE Info

General
Entrypoint:	0x14006c844
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x605CC39B [Thu Mar 25 17:08:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	cffb94a31e78f5254583fdb73c1307c7

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	9/23/2020 2:00:00 AM 9/24/2023 1:59:59 AM
Subject Chain	CN=geek software GmbH, O=geek software GmbH, STREET=Friedrichstr. 171, L=Berlin, PostalCode=10117, C=DE
Version:	3
Thumbprint MD5:	ACCCE45D14FE962D257136EB210BE175
Thumbprint SHA-1:	C272949D759E8B1BDA060922CF6E4281C517E7F2
Thumbprint SHA-256:	88C3F23B3C7B01BB68112C2EF6E3893A6C90BDE22F4B56382C8EEA6D0992466B
Serial:	7B70689C80A3B5B20BDE0B06301B7E1C

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F3124C84BC8h
dec eax
add esp, 28h
jmp 00007F3124C83EFFh
int3
int3
jmp 00007F3124C83A48h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
mov edx, 00000FA0h
dec eax
lea ecx, dword ptr [0003172Ah]
call dword ptr [0000B834h]
dec eax
lea ecx, dword ptr [0000FC2Dh]
call dword ptr [0000BA1Fh]
dec eax
mov ebx, eax
dec eax
test eax, eax
jne 00007F3124C84097h
dec eax
lea ecx, dword ptr [0000FC60h]
call dword ptr [0000BA0Ah]
dec eax
mov ebx, eax
dec eax
test eax, eax
je 00007F3124C84101h
dec eax
lea edx, dword ptr [0000FC6Bh]
dec eax
mov ecx, ebx
call dword ptr [0000BA12h]
dec eax
lea edx, dword ptr [0000FC7Bh]
dec eax
mov ecx, ebx
dec eax
mov edi, eax
call dword ptr [0000B9FFh]
dec eax
test edi, edi
je 00007F3124C84097h
dec eax
test eax, eax
je 00007F3124C84092h
dec eax
mov dword ptr [000316EEh], edi
dec eax
mov dword ptr [000316EFh], eax
jmp 00007F3124C840A0h
inc ebp
xor ecx, ecx
inc ebp
xor eax, eax
xor ecx, ecx
inc ecx
lea edx, dword ptr [ecx+01h]
call dword ptr [0000B7DBh]
dec eax
mov dword ptr [0003169Ch], eax
dec eax
test eax, eax
je 00007F3124C840A6h
xor ecx, ecx
call 00007F3124C83A69h
test al, al
je 00007F3124C8409Bh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96530	0x258	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa5000	0x1c418	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9f000	0x5034	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbd400	0x20c0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x840a0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x84280	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x840e0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x78000	0xe08	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x76344	0x76400	False	0.448799633325	data	6.31023433023	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x78000	0x223e4	0x22400	False	0.360700843978	COM executable for DOS	5.10038922665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9b000	0x3e78	0x3000	False	0.178304036458	data	4.68857967786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x9f000	0x5034	0x5200	False	0.469559832317	data	5.7019651739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa5000	0x1c418	0x1c600	False	0.294655148678	data	4.35419083691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xa51f0	0x3906	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xa8af8	0x10828	data	English	United States
RT_ICON	0xb9320	0x4228	data	English	United States
RT_ICON	0xbd548	0x25a8	data	English	United States
RT_ICON	0xbfaf0	0x10a8	data	English	United States
RT_ICON	0xc0b98	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0xc1000	0x5a	data	English	United States
RT_MANIFEST	0xc1060	0x3b5	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
Language.dll	?lang_getCurrent@@YAXAEAULangInfo@@@Z, ?lang_hasStr@@YA_NPEB_W@Z, ?lang_getStr@@YAAEBVZString@@PEB_W@Z
FormatOptions.dll	?formatOptions_create@@YAPEAVFormatOptions@@XZ
Settings.dll	?config_getDouble@@YANPEB_WN@Z, ?config_getQword@@YA_KPEB_W_K@Z, ?config_hasQword@@YA_NPEB_W@Z, ?config_getDword@@YAKPEB_WK@Z, ?config_hasDword@@YA_NPEB_W@Z, ?config_getLong@@YA_JPEB_W_J@Z, ?config_hasLong@@YA_NPEB_W@Z, ?config_getInt@@YAHPEB_WH@Z, ?config_hasInt@@YA_NPEB_W@Z, ?config_hasStr@@YA_NPEB_W@Z, ?userConfig_setStr@@YAXPEB_WAEBVZString@@@Z, ?progConfig_getBool@@YA_NPEB_W_N@Z, ?config_hasBool@@YA_NPEB_W@Z, ?userConfig_getStr@@YA?AVZString@@PEB_WAEBV1@@Z, ?config_getStr@@YA?AVZString@@PEB_WAEBV1@@Z, ?userConfig_setDword@@YAXPEB_WK@Z, ?userConfig_setQword@@YAXPEB_W_K@Z, ?userConfig_setLong@@YAXPEB_W_J@Z, ?userConfig_setInt@@YAXPEB_WH@Z, ?userConfig_setDouble@@YAXPEB_WN@Z, ?userConfig_setBool@@YAXPEB_W_N@Z, ?config_getBool@@YA_NPEB_W_N@Z, ?progConfig_getStr@@YA?AVZString@@PEB_WAEBV1@@Z, ?config_hasDouble@@YA_NPEB_W@Z
zlib.dll	inflateInit2_, deflateInit_, deflate, deflateEnd, inflateInit_, inflate, inflateEnd, crc32
gdiplus.dll	GdipImageGetFrameDimensionsList, GdipSaveImageToStream, GdipGetImageRawFormat, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipSetImagePalette, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipImageGetFrameCount, GdipLoadImageFromFile, GdipImageSelectActiveFrame, GdiplusStartup, GdipFree, GdipAlloc, GdipSaveImageToFile, GdipGetPropertyItemSize, GdipGetPropertyItem, GdiplusShutdown, GdipCloneImage, GdipGetImageEncodersSize, GdipGetImageEncoders
WININET.dll	InternetSetOptionW, HttpOpenRequestW, InternetWriteFile, HttpEndRequestW, InternetSetStatusCallbackW, HttpQueryInfoW, InternetOpenW, InternetConnectW, HttpSendRequestExW, InternetReadFile, HttpAddRequestHeadersW, InternetCloseHandle, InternetQueryOptionW
SHLWAPI.dll	PathRemoveExtensionW, PathIsDirectoryW, PathFileExistsW, PathFindFileNameW
KERNEL32.dll	DeleteFileW, GlobalLock, IsDebuggerPresent, OutputDebugStringW, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, FormatMessageW, GetExitCodeProcess, CreateProcessW, SetLastError, CreateNamedPipeW, PeekNamedPipe, TerminateProcess, WideCharToMultiByte, WriteFile, ReadFile, ExpandEnvironmentStringsW, SetEnvironmentVariableW, GetEnvironmentVariableW, QueryPerformanceCounter, GetStdHandle, SetConsoleOutputCP, SetConsoleTitleW, AllocConsole, GetFileTime, RemoveDirectoryW, CopyFileW, GetFullPathNameW, GetFileSizeEx, GetTickCount, GetTempPathW, CreateFileW, FindClose, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, WaitForSingleObject, FindNextFileW, FindFirstFileW, MulDiv, lstrcpyW, GlobalUnlock, CloseHandle, GetLastError, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, Sleep, CreateThread, TerminateThread, GetExitCodeThread, SuspendThread, ResumeThread, FreeLibrary, GetModuleFileNameW, GetModuleHandleW, LocalFree, MultiByteToWideChar, CreateMutexW, GetProcAddress, GetBinaryTypeW, GetUserDefaultLCID, CreateDirectoryW, GetCurrentProcessId, GetCurrentThreadId, SizeofResource, LockResource, LoadResource, FindResourceW, LoadLibraryW, LocalAlloc, GlobalSize
USER32.dll	SetCapture, IsZoomed, BringWindowToTop, GetCapture, SetFocus, IsIconic, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, ReleaseCapture, SetRect, GetMonitorInfoW, MonitorFromWindow, SetWindowPos, MoveWindow, ShowWindow, DestroyWindow, IsChild, IsWindow, RegisterClassExW, PostQuitMessage, DefWindowProcW, SendMessageW, DispatchMessageW, TranslateMessage, GetMessageW, GetDlgCtrlID, GetSystemMetrics, GetCursorPos, GetDesktopWindow, AdjustWindowRectEx, GetFocus, FillRect, CreateWindowExW, GetClassInfoExW, EnableWindow, GetWindowThreadProcessId, MessageBoxW, GetScrollBarInfo, GetScrollInfo, SetScrollInfo, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, GetTopWindow, GetClassNameW, SetParent, GetParent, SetWindowLongPtrW, GetWindowLongPtrW, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, GetClientRect, SetWindowTextW, EnableScrollBar, ShowScrollBar, SetScrollRange, GetScrollPos, SetScrollPos, RedrawWindow, InvalidateRect, ReleaseDC, GetWindowDC, GetDC, SetForegroundWindow, SwitchToThisWindow, GetForegroundWindow, UpdateWindow, SetMenu, GetMenu, LoadMenuW, KillTimer, SetTimer, PostMessageW
GDI32.dll	DeleteObject, CreateSolidBrush, CreateFontIndirectW, GetStockObject, GetDeviceCaps, AddFontResourceExW
COMDLG32.dll	GetSaveFileNameW
ADVAPI32.dll	InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyExW, RegCloseKey
SHELL32.dll	ShellExecuteW, CommandLineToArgvW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW
ole32.dll	CoInitializeEx, OleInitialize, CoTaskMemAlloc, OleLockRunning, OleSetContainedObject, OleCreate, GetHGlobalFromStream, CreateStreamOnHGlobal, OleRun, CoCreateInstance, CLSIDFromProgID
OLEAUT32.dll	VariantClear, VariantInit, VariantCopy, VariantChangeType, SysFreeString, SysAllocString
MSVCP140.dll	?_Xlength_error@std@@YAXPEBD@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xbad_function_call@std@@YAXXZ, ??Bid@locale@std@@QEAA_KXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ??1_Lockit@std@@QEAA@XZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??0_Lockit@std@@QEAA@H@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?seekpos@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@V32@H@Z, ?seekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@_JHH@Z, ?pbackfail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z, ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IEAAXPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z, ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z, ?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z, ?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ, ?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ, ?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?_Random_device@std@@YAIXZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ, ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z, ?unget@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z, ?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
urlmon.dll	CoInternetGetSession
VCRUNTIME140.dll	memmove, __current_exception_context, __current_exception, __C_specific_handler, memset, memcpy, _purecall, __std_terminate, __std_exception_copy, __std_exception_destroy, _CxxThrowException
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _register_onexit_function, _initialize_onexit_table, _seh_filter_exe, _set_app_type, _configure_wide_argv, _invalid_parameter_noinfo_noreturn, _initialize_wide_environment, _get_wide_winmain_command_line, terminate, _register_thread_local_exe_atexit_callback, _c_exit, _exit, exit, _initterm_e, _initterm, _cexit
api-ms-win-crt-heap-l1-1-0.dll	free, malloc, _callnewh, _set_new_mode
api-ms-win-crt-stdio-l1-1-0.dll	fwrite, setvbuf, ungetc, fread, fputc, fgetpos, fgetc, _wfopen, setbuf, _wfreopen, _set_fmode, __acrt_iob_func, __stdio_common_vfwprintf, __stdio_common_vswprintf_s, __stdio_common_vfprintf, __stdio_common_vsprintf, putchar, fflush, fclose, __p__commode, _get_stream_buffer_pointers, fsetpos, __stdio_common_vswprintf, _fseeki64
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file
api-ms-win-crt-math-l1-1-0.dll	floor, __setusermatherr, sin, cos, ceil
api-ms-win-crt-time-l1-1-0.dll	wcsftime, _localtime64, _time64
api-ms-win-crt-string-l1-1-0.dll	towlower, towupper, _wcsicmp
api-ms-win-crt-convert-l1-1-0.dll	_wtof, atoi, strtod, _ultow, _ltow, _itow, wcstol, _itoa
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
About.dll	?about_show@@YAXPEAUHWND__@@@Z

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: pdf24-Toolbox.exe PID: 7088 Parent PID: 5912

General

Start time:	17:47:46
Start date:	27/04/2021
Path:	C:\Users\user\Desktop\pdf24-Toolbox.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\pdf24-Toolbox.exe'
Imagebase:	0x140000000
File size:	783552 bytes
MD5 hash:	76BFC70C6C6B7E4B14FE4E141E9080E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report pdf24-Toolbox.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Spreading:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: pdf24-Toolbox.exe PID: 7088 Parent PID: 5912

General

Disassembly

Code Analysis