Play interactive tour

Edit tour

Windows Analysis Report pdfmain.dll

Overview

General Information

Sample Name:	pdfmain.dll (renamed file extension from dll to exe)
Analysis ID:	449073
MD5:	bc975bb6627c055c3319c8eeab47548e
SHA1:	8b3c741982b7006791299fadae13517f311a4f15
SHA256:	91e12799063d4723b2dc42e5f6c8eb0d6d9c1d0678fae306dd2e2324ef959ac8
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Contains functionality to dynamically determine API calls

Entry point lies outside standard sections

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

pdfmain.exe (PID: 1744 cmdline: 'C:\Users\user\Desktop\pdfmain.exe' MD5: BC975BB6627C055C3319C8EEAB47548E)

conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: pdfmain.exe

Virustotal: Detection: 10%

Perma Link

Source: pdfmain.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: pdfmain.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal56.evad.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_01

Source: C:\Users\user\Desktop\pdfmain.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pdfmain.exe

Virustotal: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\pdfmain.exe 'C:\Users\user\Desktop\pdfmain.exe'
Source: C:\Users\user\Desktop\pdfmain.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\pdfmain.exe

Unpacked PE file: 0.2.pdfmain.exe.400000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;UPX2:W; vs Unknown_Section0:ER;Unknown_Section1:ER;UPX2:W;

Source: C:\Users\user\Desktop\pdfmain.exe

Code function: 0_2_00401023 GetModuleFileNameA,_splitpath,_makepath,LoadLibraryA,GetProcAddress,GetProcAddress,75974600,fprintf,GetProcAddress,GetProcAddress,FreeLibrary,75974600,fprintf,

0_2_00401023

Source: initial sample

Static PE information: section where entry point is pointing to: 1

Source: pdfmain.exe	Static PE information: section name: 0
Source: pdfmain.exe	Static PE information: section name: 1
Source: pdfmain.exe	Static PE information: section name: UPX2

Source: initial sample

Static PE information: section name: 1 entropy: 6.93983949341

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\pdfmain.exe

API call chain: ExitProcess graph end node

graph_0-89

Source: C:\Users\user\Desktop\pdfmain.exe

Code function: 0_2_00401023 GetModuleFileNameA,_splitpath,_makepath,LoadLibraryA,GetProcAddress,GetProcAddress,75974600,fprintf,GetProcAddress,GetProcAddress,FreeLibrary,75974600,fprintf,

0_2_00401023

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection1	Software Packing11	OS Credential Dumping	System Information Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
pdfmain.exe	10%	Virustotal	Browse
pdfmain.exe	0%	Metadefender	Browse
pdfmain.exe	7%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.pdfmain.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.2.pdfmain.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	449073
Start date:	15.07.2021
Start time:	07:40:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pdfmain.dll (renamed file extension from dll to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.evad.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 58.3%) Quality average: 41.4% Quality standard deviation: 40.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\pdfmain.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.4102292316937
Encrypted:	false
SSDEEP:	3:6zLVqL2wOWXp5vVBLVH:0jPWXpF1H
MD5:	EA03892B94E1403DA723E606DDFA17B6
SHA1:	54C7011C12F35FB41EBD242E0ACFDAA88F716D14
SHA-256:	943D73F280EEBC9E3890ECB063DF6EFC75F3E3CBE76F636F09D6F74A471F2656
SHA-512:	0135FF0A3399C890D7F63B93D4479C3B3E40D7617EEEA05311A744D4F261D325F0A484124D326A92C5023AD3DBC585DA7A9730696BF74C1BEA808C995CDB9691
Malicious:	false
Reputation:	low
Preview:	could not open C:\Users\user\Desktop\pdf2vec.dll

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.940965822296286
TrID:	Win32 Executable (generic) a (10002005/4) 99.70% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pdfmain.exe
File size:	3072
MD5:	bc975bb6627c055c3319c8eeab47548e
SHA1:	8b3c741982b7006791299fadae13517f311a4f15
SHA256:	91e12799063d4723b2dc42e5f6c8eb0d6d9c1d0678fae306dd2e2324ef959ac8
SHA512:	b8dbcd3433e5f446bb2b99df50e45bb689685694cc56516782dbd2db4e3b2e242418c160ba8aaa4543405d52707006e1d26b8934b463e8651409b47abcc1f413
SSDEEP:	48:C22VEKP6HDjaWYE498uaK7DxbSeJY8JTaChsBC:AVEKP6HP3ZcHT7DxJhsg
File Content Preview:	MZ......................@...............................................!..L.!This www.verypdf.combe run in DOS mode....$.........J...$...$...$.......$.\|.*...$... ...$...%...$...7...$.......$.Rich..$.........PE..L......G.........................@...S...P.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4053f0
Entrypoint Section:	1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x47AD92EE [Sat Feb 9 11:47:58 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	68fbbebb05615841b7832139f3545a57

Entrypoint Preview

Instruction
pushad
mov esi, 00405000h
lea edi, dword ptr [esi-00004000h]
push edi
or ebp, FFFFFFFFh
jmp 00007FF0B8A67892h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FF0B8A67889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF0B8A6786Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FF0B8A67889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FF0B8A67871h
jne 00007FF0B8A6788Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FF0B8A67866h
xor ecx, ecx
sub eax, 03h
jc 00007FF0B8A6788Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FF0B8A678F6h
mov ebp, eax
add ebx, ebx
jne 00007FF0B8A67889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007FF0B8A67889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007FF0B8A678A2h
inc ecx
add ebx, ebx
jne 00007FF0B8A67889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FF0B8A67871h
jne 00007FF0B8A6788Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FF0B8A67866h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FF0B8A67891h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007FF0B8A67879h
jmp 00007FF0B8A677E8h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6000	0xb4	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
0	0x1000	0x4000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
1	0x5000	0x1000	0x600	False	0.875	data	6.93983949341	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
UPX2	0x6000	0x1000	0x200	False	0.25	data	1.6070962666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
MSVCRT.dll	_iob

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• pdfmain.exe
• conhost.exe

Click to jump to process

Memory Usage

• pdfmain.exe
• conhost.exe

Click to jump to process

Behavior

• pdfmain.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: pdfmain.exe PID: 1744 Parent PID: 5556

Function Logs

General

Start time:	07:41:12
Start date:	15/07/2021
Path:	C:\Users\user\Desktop\pdfmain.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\pdfmain.exe'
Imagebase:	0x400000
File size:	3072 bytes
MD5 hash:	BC975BB6627C055C3319C8EEAB47548E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 2168 Parent PID: 1744

Function Logs

General

Start time:	07:41:13
Start date:	15/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Section Activities

Registry Activities

Show Windows behavior

Mutex Activities

Process Activities

Show Windows behavior

Thread Activities

Memory Activities

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: pdfmain.exe PID: 1744 Parent PID: 5556 pdfmain.exeCOMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	55%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.7%
Total number of Nodes:	27
Total number of Limit Nodes:	2

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401023, Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 107
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,00000000,000007D0), ref: 00401043
_splitpath.MSVCRT ref: 00401069
_makepath.MSVCRT ref: 0040108B
LoadLibraryA.KERNELBASE(00000000), ref: 0040109B
GetProcAddress.KERNEL32(00000000,pstoedit_checkversion), ref: 004010B7
fprintf.MSVCRT ref: 004010D8
GetProcAddress.KERNEL32(00000000,setPstoeditOutputFunction), ref: 004010EB
GetProcAddress.KERNEL32(00000000,pstoedit_plainC), ref: 00401102
FreeLibrary.KERNEL32(00000000), ref: 00401116
fprintf.MSVCRT ref: 0040115F

Strings

pdf2vec, xrefs: 0040107A
.dll, xrefs: 0040106F
could not find pstoedit_checkversion in %s, xrefs: 00401143
setPstoeditOutputFunction, xrefs: 004010E5
could not find setPstoeditOutputFunction in %s, xrefs: 00401135
wrong version of pstoedit.dll found, xrefs: 004010CF
could not open %s, xrefs: 00401151
pstoedit_plainC, xrefs: 004010FC
could not find pstoedit_plainC in %s, xrefs: 00401127
pstoedit_checkversion, xrefs: 004010B1

Memory Dump Source

Source File: 00000000.00000002.203265298.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.203261753.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.203270567.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.203275067.0000000000405000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.203278886.0000000000406000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pdfmain.jbxd

Similarity

API ID: AddressProc$Libraryfprintf$FileFreeLoadModuleName_makepath_splitpath
String ID: .dll$could not find pstoedit_checkversion in %s$could not find pstoedit_plainC in %s$could not find setPstoeditOutputFunction in %s$could not open %s$pdf2vec$pstoedit_checkversion$pstoedit_plainC$setPstoeditOutputFunction$wrong version of pstoedit.dll found
API String ID: 4140879771-2740106493
Opcode ID: 3194b688d0f4392e987302e1e5734d7adb930b1f98998eacfc58471c0247877f
Instruction ID: 6b70c2735132db6c0811c1d1ed400c5f67a4c222332be345858f8f0c234fc4bf
Opcode Fuzzy Hash: 3194b688d0f4392e987302e1e5734d7adb930b1f98998eacfc58471c0247877f
Instruction Fuzzy Hash: BD319072940319ABEB109B90DF49F9A37BCAB08700F144173F705F51D0DAB8AA45DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040116F, Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 29%

			E0040116F(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				int _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				intOrPtr* _t20;
				void* _t22;
				int _t31;
				intOrPtr* _t32;
				intOrPtr _t39;
				void* _t45;
				intOrPtr _t47;

				 *[fs:0x0] = _t47;
				_v28 = _t47 - 0x20;
				_v8 = _v8 & 0x00000000;
				 *0x402050(1, __edi, __esi, __ebx,  *[fs:0x0], 0x4012b0, 0x402178, 0xffffffff, _t45);
				 *0x403030 =  *0x403030 | 0xffffffff;
				 *0x403034 =  *0x403034 | 0xffffffff;
				 *((intOrPtr*)( *0x40204c())) =  *0x40302c;
				 *((intOrPtr*)( *0x402048())) =  *0x403028;
				_t20 =  *0x402044; // 0x75976be4
				 *0x403038 =  *_t20;
				_t22 = E004012A1( *_t20);
				if( *0x403010 == 0) {
					_t22 =  *0x402040(E0040129E);
				}
				E0040128C(_t22);
				L00401286();
				_v44 =  *0x403024;
				 *0x402038( &_v32,  &_v48,  &_v36,  *0x403020,  &_v44, 0x403008, 0x40300c);
				L00401286();
				 *((intOrPtr*)( *0x402034(0x403000, 0x403004))) = _v36;
				_push(_v36);
				_t31 = E00401023(_v32, _v48); // executed
				_v40 = _t31;
				exit(_t31); // executed
				_t32 = _v24;
				_t39 =  *((intOrPtr*)( *_t32));
				_v52 = _t39;
				_push(_t32);
				_push(_t39);
				L00401280();
				return _t32;
			}

0x00401185
0x00401192
0x00401195
0x0040119b
0x004011a2
0x004011a9
0x004011bc
0x004011ca
0x004011cc
0x004011d3
0x004011d8
0x004011e4
0x004011eb
0x004011f1
0x004011f2
0x00401201
0x0040120b
0x00401224
0x00401234
0x00401242
0x00401244
0x0040124d
0x00401255
0x00401259
0x0040125f
0x00401264
0x00401266
0x00401269
0x0040126a
0x0040126b
0x00401272

APIs

__set_app_type.MSVCRT ref: 0040119B
__p__fmode.MSVCRT ref: 004011B0
__p__commode.MSVCRT ref: 004011BE
__setusermatherr.MSVCRT ref: 004011EB
_initterm.MSVCRT ref: 00401201
__getmainargs.MSVCRT ref: 00401224
_initterm.MSVCRT ref: 00401234
__p___initenv.MSVCRT ref: 00401239
exit.KERNELBASE ref: 00401259
_XcptFilter.MSVCRT ref: 0040126B

Memory Dump Source

Source File: 00000000.00000002.203265298.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.203261753.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.203270567.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.203275067.0000000000405000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.203278886.0000000000406000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pdfmain.jbxd

Similarity

API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 167530163-0
Opcode ID: e8652e79f381f3d0d47ef0d7842fc62d13816e44932fc3919f71db45f8461b47
Instruction ID: 73729b73f593aa2b9388828e54b0efc7aae5433e784185558f832ef32fea5106
Opcode Fuzzy Hash: e8652e79f381f3d0d47ef0d7842fc62d13816e44932fc3919f71db45f8461b47
Instruction Fuzzy Hash: EF310C75902304EFCB14DFA4DE49A9A7FB8FB09325F10426AF611B62F0DB785900CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004053F0, Relevance: 7.7, APIs: 5, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			_entry_(intOrPtr __eflags, intOrPtr _a92, signed int _a112) {
				intOrPtr* _v24;
				char _v32;
				char _v36;
				int _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v132;
				intOrPtr _t34;
				intOrPtr _t37;
				intOrPtr _t38;
				signed int _t40;
				struct HINSTANCE__* _t41;
				unsigned int _t42;
				char _t52;
				signed char* _t54;
				long _t55;
				char* _t58;
				intOrPtr* _t63;
				void* _t65;
				int _t74;
				intOrPtr* _t75;
				signed char _t80;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t85;
				intOrPtr _t86;
				char* _t91;
				signed char _t92;
				void* _t93;
				intOrPtr _t100;
				intOrPtr* _t105;
				signed char _t106;
				unsigned int* _t107;
				CHAR* _t109;
				void* _t110;
				char* _t111;
				intOrPtr* _t112;
				unsigned int* _t113;
				signed int _t114;
				struct HINSTANCE__* _t115;
				unsigned int _t116;
				DWORD* _t118;
				intOrPtr _t119;
				intOrPtr _t122;
				intOrPtr _t124;
				intOrPtr _t129;
				intOrPtr _t132;

				_t122 = __eflags;
				asm("pushad");
				_t112 = 0x405000;
				_t1 = _t112 - 0x4000; // 0x401000
				_t106 = _t1;
				_push(_t106);
				_t115 = _t114 | 0xffffffff;
				while(1) {
					_t83 =  *_t112;
					_push(ds);
					_t112 = _t112 - 0xfffffffc;
					asm("adc ebx, ebx");
					do {
						if(_t122 < 0) {
							_t34 =  *_t112;
							_t112 = _t112 + 1;
							 *_t106 = _t34;
							_t106 = _t106 + 1;
							__eflags = _t106;
							goto L5;
						}
						goto L10;
						do {
							do {
								L10:
								_t84 = _t83 + _t83;
								if(_t84 == 0) {
									_t84 =  *_t112;
									_t112 = _t112 - 0xfffffffc;
									asm("adc ebx, ebx");
								}
								asm("adc eax, eax");
								_t83 = _t84 + _t84;
								_t124 = _t83;
							} while (_t124 >= 0);
							if(_t124 != 0) {
								break;
							}
							_t83 =  *_t112;
							_t112 = _t112 - 0xfffffffc;
							asm("adc ebx, ebx");
						} while (_t112 >= 0);
						_t92 = 0;
						if(0xfffffffffffffffe < 0) {
							L18:
							_t85 = _t83 + _t83;
							if(_t85 == 0) {
								_t85 =  *_t112;
								_t112 = _t112 - 0xfffffffc;
								asm("adc ebx, ebx");
							}
							asm("adc ecx, ecx");
							_t83 = _t85 + _t85;
							_t129 = _t83;
							if(_t129 == 0) {
								_t83 =  *_t112;
								_t112 = _t112 - 0xfffffffc;
								asm("adc ebx, ebx");
							}
							asm("adc ecx, ecx");
							if(_t129 != 0) {
								L30:
								asm("adc ecx, 0x1");
								_t105 = _t115 + _t106;
								if(_t115 <= 0xfffffffc) {
									do {
										_t37 =  *_t105;
										_t105 = _t105 + 4;
										 *_t106 = _t37;
										_t106 = _t106 + 4;
										_t92 = _t92 - 4;
										__eflags = _t92;
									} while (_t92 > 0);
									_t106 = _t106 + _t92;
									goto L5;
								} else {
									goto L31;
								}
								do {
									L31:
									_t38 =  *_t105;
									_t105 = _t105 + 1;
									 *_t106 = _t38;
									_t106 = _t106 + 1;
									_t92 = _t92 - 1;
								} while (_t92 != 0);
								goto L5;
							}
							_t93 = _t92 + 1;
							goto L24;
							do {
								do {
									L24:
									_t86 = _t83 + _t83;
									if(_t86 == 0) {
										_t86 =  *_t112;
										_t112 = _t112 - 0xfffffffc;
										asm("adc ebx, ebx");
									}
									asm("adc ecx, ecx");
									_t83 = _t86 + _t86;
									_t132 = _t83;
								} while (_t132 >= 0);
								if(_t132 != 0) {
									break;
								}
								_t83 =  *_t112;
								_t112 = _t112 - 0xfffffffc;
								asm("adc ebx, ebx");
							} while (_t112 >= 0);
							_t92 = _t93 + 2;
							goto L30;
						}
						_t40 =  *_t112;
						_t112 = _t112 + 1;
						_t41 = _t40 ^ 0xffffffff;
						if(_t41 == 0) {
							_pop(_t113);
							_t107 = _t113;
							goto L36;
							do {
								do {
									L36:
									_t42 =  *_t107;
									_t107 =  &(_t107[0]);
									__eflags = _t42 - 0xe8 - 1;
								} while (_t42 - 0xe8 > 1);
								__eflags =  *_t107;
							} while ( *_t107 != 0);
							asm("rol eax, 0x10");
							 *_t107 = ( *_t107 >> 8) - _t107 + _t113;
							__eflags =  &(_t107[1]);
							asm("loop 0xffffffdb");
							_t20 =  &(_t113[0xc00]); // 0x404000
							_t109 = _t20;
							while(1) {
								L39:
								_t52 =  *_t109;
								__eflags = _t52;
								if(_t52 == 0) {
									break;
								}
								_t21 =  &(_t109[4]); // 0x1000
								_t91 = _t113 +  *_t21;
								_t111 =  &(_t109[8]);
								__eflags = _t111;
								_t115 = LoadLibraryA( &(_t113[0x1400]) + _t52);
								while(1) {
									_t109 =  &(_t111[1]);
									_t80 =  *_t111;
									__eflags = _t80;
									if(_t80 == 0) {
										goto L39;
									}
									asm("repne scasb");
									_t52 = GetProcAddress(_t115, _t109);
									__eflags = _t52;
									if(_t52 == 0) {
										ExitProcess();
									}
									 *_t91 = _t52;
									_t91 =  &(_t91[4]);
								}
							}
							_t116 = _t113[0x1411];
							_t29 = _t113 - 0x1000; // 0x400000
							_t110 = _t29;
							VirtualProtect(_t110, 0x1000, 4, _t118);
							_t30 = _t110 + 0x1ef; // 0x4001ef
							_t54 = _t30;
							 *_t54 =  *_t54 & 0x0000007f;
							_t31 =  &(_t54[0x28]);
							 *_t31 = _t54[0x28] & 0x0000007f;
							__eflags =  *_t31;
							_t55 = _t52;
							_push(_t55);
							VirtualProtect(_t110, 0x1000, _t55, _t118); // executed
							asm("popad");
							_t58 =  &_v132;
							do {
								_push(0);
								__eflags = _t118 - _t58;
							} while (_t118 != _t58);
							_t119 = _t118 - 0xffffff80;
							 *[fs:0x0] = _t119;
							_a92 = _t119 - 0x20;
							_a112 = _a112 & 0x00000000;
							 *0x402050(1, _t110, _t113, 0x1000,  *[fs:0x0], 0x4012b0, 0x402178, 0xffffffff, _t116);
							 *0x403030 =  *0x403030 | 0xffffffff;
							 *0x403034 =  *0x403034 | 0xffffffff;
							 *((intOrPtr*)( *0x40204c())) =  *0x40302c;
							 *((intOrPtr*)( *0x402048())) =  *0x403028;
							_t63 =  *0x402044; // 0x75976be4
							 *0x403038 =  *_t63;
							_t65 = E004012A1( *_t63);
							__eflags =  *0x403010;
							if( *0x403010 == 0) {
								_t65 =  *0x402040(E0040129E);
							}
							E0040128C(_t65);
							L00401286();
							_v44 =  *0x403024;
							 *0x402038( &_v32,  &_v48,  &_v36,  *0x403020,  &_v44, 0x403008, 0x40300c);
							L00401286();
							 *((intOrPtr*)( *0x402034(0x403000, 0x403004))) = _v36;
							_push(_v36);
							_t74 = E00401023(_v32, _v48); // executed
							_v40 = _t74;
							exit(_t74); // executed
							_t75 = _v24;
							_t100 =  *((intOrPtr*)( *_t75));
							_v52 = _t100;
							_push(_t75);
							_push(_t100);
							L00401280();
							return _t75;
						}
						_t115 = _t41;
						goto L18;
						L5:
						_t83 = _t83 + _t83;
						_t122 = _t83;
					} while (_t122 != 0);
				}
			}

0x004053f0
0x004053f0
0x004053f1
0x004053f6
0x004053f6
0x004053fc
0x004053fd
0x00405412
0x00405412
0x00405413
0x00405414
0x00405417
0x00405419
0x00405419
0x00405408
0x0040540a
0x0040540b
0x0040540d
0x0040540d
0x00000000
0x0040540d
0x0040541b
0x00405420
0x00405420
0x00405420
0x00405420
0x00405422
0x00405424
0x00405426
0x00405429
0x00405429
0x0040542b
0x0040542d
0x0040542d
0x0040542d
0x00405431
0x00000000
0x00000000
0x00405433
0x00405435
0x00405438
0x00405438
0x0040543c
0x00405441
0x00405450
0x00405450
0x00405452
0x00405454
0x00405456
0x00405459
0x00405459
0x0040545b
0x0040545d
0x0040545d
0x0040545f
0x00405461
0x00405463
0x00405466
0x00405466
0x00405468
0x0040546a
0x0040548c
0x00405492
0x00405495
0x0040549b
0x004054ac
0x004054ac
0x004054ae
0x004054b1
0x004054b3
0x004054b6
0x004054b6
0x004054b6
0x004054bb
0x00000000
0x00000000
0x00000000
0x00000000
0x0040549d
0x0040549d
0x0040549d
0x0040549f
0x004054a0
0x004054a2
0x004054a3
0x004054a3
0x00000000
0x004054a6
0x0040546c
0x0040546c
0x0040546d
0x0040546d
0x0040546d
0x0040546d
0x0040546f
0x00405471
0x00405473
0x00405476
0x00405476
0x00405478
0x0040547a
0x0040547a
0x0040547a
0x0040547e
0x00000000
0x00000000
0x00405480
0x00405482
0x00405485
0x00405485
0x00405489
0x00000000
0x00405489
0x00405446
0x00405448
0x00405449
0x0040544c
0x004054c2
0x004054c3
0x004054c5
0x004054ca
0x004054ca
0x004054ca
0x004054ca
0x004054cc
0x004054cf
0x004054cf
0x004054d3
0x004054d3
0x004054e1
0x004054ed
0x004054ef
0x004054f4
0x004054f6
0x004054f6
0x004054fc
0x004054fc
0x004054fe
0x004054fe
0x00405500
0x00000000
0x00000000
0x00405502
0x0040550c
0x0040550f
0x0040550f
0x00405518
0x00405519
0x0040551b
0x0040551c
0x0040551c
0x0040551e
0x00000000
0x00000000
0x00405524
0x0040552d
0x0040552d
0x0040552f
0x00405538
0x00405538
0x00405531
0x00405533
0x00405533
0x00405519
0x0040553e
0x00405544
0x00405544
0x00405555
0x00405557
0x00405557
0x0040555d
0x00405560
0x00405560
0x00405560
0x00405564
0x00405565
0x0040556a
0x0040556d
0x0040556e
0x00405572
0x00405572
0x00405574
0x00405574
0x00405578
0x00401185
0x00401192
0x00401195
0x0040119b
0x004011a2
0x004011a9
0x004011bc
0x004011ca
0x004011cc
0x004011d3
0x004011d8
0x004011dd
0x004011e4
0x004011eb
0x004011f1
0x004011f2
0x00401201
0x0040120b
0x00401224
0x00401234
0x00401242
0x00401244
0x0040124d
0x00401255
0x00401259
0x0040125f
0x00401264
0x00401266
0x00401269
0x0040126a
0x0040126b
0x00401272
0x00401272
0x0040544e
0x00000000
0x0040540e
0x0040540e
0x0040540e
0x0040540e
0x00405419

Memory Dump Source

Source File: 00000000.00000002.203275067.0000000000405000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.203261753.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.203265298.0000000000401000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.203270567.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.203278886.0000000000406000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pdfmain.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e383cdebf30ecb6652499756ccfd89d113cdc206a92ca57ba1706d5f2863a446
Instruction ID: 06a05164c097536a8539a29ee581f8ff35965b20446a8b76aab67a3fd0ff822c
Opcode Fuzzy Hash: e383cdebf30ecb6652499756ccfd89d113cdc206a92ca57ba1706d5f2863a446
Instruction Fuzzy Hash: B2513671610A124BD72059789C807E77B94EB42336B58073AC5E5E73C6E7BC58468F68

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report pdfmain.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: pdfmain.exe PID: 1744 Parent PID: 5556

General

File Activities

File Opened

File Created

File Written

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Process Activities

Function 00401023, Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 107
libraryloaderCOMMON

Function 0040116F, Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Function 004053F0, Relevance: 7.7, APIs: 5, Instructions: 163
COMMON