Edit tour

Linux Analysis Report
sample-link.pdf

Overview

General Information

Sample name:	sample-link.pdf
Analysis ID:	1523489
MD5:	72dc5a929aa6b537e7b244313cd03940
SHA1:	06dff1e526b60ee381f6bad27b2386d58f552155
SHA256:	ba4827b1b4f0e5d650c464287f6d55b542296f0acb628fb5575aa97d13990ac1
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false

Signatures

Creates hidden files and/or directories

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523489
Start date and time:	2024-10-01 17:07:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Sample name:	sample-link.pdf
Detection:	CLEAN
Classification:	clean2.linPDF@0/2@0/0
Cookbook Comments:	Internet access has been disabled

Warnings

VT rate limit hit for: sample-link.pdf

Runtime Messages

Command:	sudo -u james xdg-open "/tmp/sample-link.pdf"
PID:	4720
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu1

exo-open (PID: 4790, Parent: 4730, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open /tmp/sample-link.pdf

exo-open New Fork (PID: 4798, Parent: 4790)

dbus-launch (PID: 4798, Parent: 4790, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

exo-open New Fork (PID: 4815, Parent: 4790)

exo-open New Fork (PID: 4816, Parent: 4815)

evince (PID: 4816, Parent: 1656, MD5: 2e95d2551823570fd40ffe589f9208f1) Arguments: evince /tmp/sample-link.pdf

evince New Fork (PID: 4833, Parent: 4816)

dbus-launch (PID: 4833, Parent: 4816, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: recently-used.xbel.IDNSU2.38.dr	String found in binary or memory: http://freedesktop.org
Source: sample-link.pdf	String found in binary or memory: http://www.antennahouse.com/purchase.htm)
Source: recently-used.xbel.IDNSU2.38.dr	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: recently-used.xbel.IDNSU2.38.dr	String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info

Source: recently-used.xbel.IDNSU2.38.dr

OLE indicator, VBA macros: true

Source: recently-used.xbel.IDNSU2.38.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: clean2.linPDF@0/2@0/0

Source: /usr/bin/exo-open (PID: 4790)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/exo-open (PID: 4790)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4798)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.Xdefaults-ubuntu	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4833)	Directory: /home/james/.Xauthority	Jump to behavior

Source: /usr/bin/exo-open (PID: 4790)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4798)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4833)	Queries kernel information via 'uname':	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sample-link.pdf	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.freedesktop.org/standards/desktop-bookmarks	recently-used.xbel.IDNSU2.38.dr	false	unknown
http://www.freedesktop.org/standards/shared-mime-info	recently-used.xbel.IDNSU2.38.dr	false	unknown
http://freedesktop.org	recently-used.xbel.IDNSU2.38.dr	false	unknown
http://www.antennahouse.com/purchase.htm)	sample-link.pdf	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/james/.cache/dconf/user

Download File

Process:	/usr/bin/evince
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.

/home/james/.local/share/recently-used.xbel.IDNSU2

Download File

Process:	/usr/bin/evince
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	711
Entropy (8bit):	5.062933516355966
Encrypted:	false
SSDEEP:	12:TMHdE2J9kLS3ROBQkLSjE79/fZM5dAJtnLRVHZlEweKwxh9XyB/ZtwR+we7x+0Zb:2dEm3RJVjW/fZMUJtVV5Kh9CB/ZAEdZb
MD5:	E7C79D8D1F378F9AF969CF05A9A2A27E
SHA1:	CBA2CC800DE65F958BE1AF83CFCCAAE0B03C93D8
SHA-256:	D7CDDF2A99230515030E8621433830844AD38C371746DC5B0609C2F6C0F3A508
SHA-512:	C8BBE261FEFB1638AD676B94655D0E2BF39FB58111FB65DEA2F4F5F989DEF0798BBDF93A743685757748681212F17789E938372069E81B97CBF786F6BDBBCC1E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<xbel version="1.0". xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks". xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info".>. <bookmark href="file:///tmp/sample-link.pdf" added="2024-10-01T15:08:28Z" modified="2024-10-01T15:08:28Z" visited="2024-10-01T15:08:28.755360Z">. <info>. <metadata owner="http://freedesktop.org">. <mime:mime-type type="application/pdf"/>. <bookmark:applications>. <bookmark:application name="Document Viewer" exec="'evince %u'" modified="2024-10-01T15:08:28Z" count="1"/>. </bookmark:applications>. </metadata>. </info>. </bookmark>.</xbel>

Static File Info

General

File type:	PDF document, version 1.4, 2 pages
Entropy (8bit):	7.318160883880346
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	sample-link.pdf
File size:	12'341 bytes
MD5:	72dc5a929aa6b537e7b244313cd03940
SHA1:	06dff1e526b60ee381f6bad27b2386d58f552155
SHA256:	ba4827b1b4f0e5d650c464287f6d55b542296f0acb628fb5575aa97d13990ac1
SHA512:	225f28da7e3f08e2bba3dff2469fb2d8e84f4b9ad75054cfb689cfd37b96346b47b4070695cf1315dd861a41b2a7724d0065c6bd78706dcdcb2712791ba22cf6
SSDEEP:	192:7Xs/XMBhs4I6tNwKUFpmbX1Y89RSDPGWV5jQHObHhv0Duag3:78/XT6bl00FpyDOWVeObBMzg3
TLSH:	FF425C15F8E4A84CFC03C67A8E393658931EB23336E97CD51C6D0D0BE5949A4ED03A97
File Content Preview:	%PDF-1.4.%......7 0 obj.5350.endobj.5 0 obj.<</Type /XObject./Subtype /Image./Width 170./Height 35./Filter /DCTDecode/BitsPerComponent 8./ColorSpace /DeviceRGB /SMask 6 0 R /Length 7 0 R.>>.stream.......JFIF.............C..................................

Static PDF Info

General
Header:	%PDF-1.4
Total Entropy:	7.318161
Total Bytes:	12341
Stream Entropy:	7.936486
Stream Bytes:	7181
Entropy outside Streams:	4.982683
Bytes outside Streams:	5160
Number of EOF found:	1
Bytes after EOF:

Keywords Statistics

Name	Count
obj	27
endobj	27
stream	4
endstream	4
xref	1
trailer	1
startxref	1
/Page	2
/Encrypt	0
/ObjStm	0
/URI	2
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Image Streams

ID	DHASH	MD5	Preview
5	f5c5e558592aa5ac	843dd9245f85a3b4e69647cbf7fecd73
6	0000000000000000	bce3a71827deffee7e985b31c1dfeb15

Network Behavior

⊘No network behavior found

System Behavior

Analysis Process: exo-open PID: 4790, Parent PID: 4730

General

Start time (UTC):	15:08:27
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	exo-open /tmp/sample-link.pdf
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4798, Parent PID: 4790

General

Start time (UTC):	15:08:27
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: dbus-launch PID: 4798, Parent PID: 4790

General

Start time (UTC):	15:08:27
Start date (UTC):	01/10/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr
File size:	26616 bytes
MD5 hash:	e4a469f27d130d783c21ce9c1c4456c3

Chronological Activities

Analysis Process: exo-open PID: 4815, Parent PID: 4790

General

Start time (UTC):	15:08:27
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4816, Parent PID: 4815

General

Start time (UTC):	15:08:27
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: evince PID: 4816, Parent PID: 1656

General

Start time (UTC):	15:08:27
Start date (UTC):	01/10/2024
Path:	/usr/bin/evince
Arguments:	evince /tmp/sample-link.pdf
File size:	16912 bytes
MD5 hash:	2e95d2551823570fd40ffe589f9208f1

Chronological Activities

Analysis Process: evince PID: 4833, Parent PID: 4816

General

Start time (UTC):	15:08:28
Start date (UTC):	01/10/2024
Path:	/usr/bin/evince
Arguments:	-
File size:	16912 bytes
MD5 hash:	2e95d2551823570fd40ffe589f9208f1

Chronological Activities

Analysis Process: dbus-launch PID: 4833, Parent PID: 4816

General

Start time (UTC):	15:08:28
Start date (UTC):	01/10/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr
File size:	26616 bytes
MD5 hash:	e4a469f27d130d783c21ce9c1c4456c3

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report sample-link.pdf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/james/.cache/dconf/user

/home/james/.local/share/recently-used.xbel.IDNSU2

Static File Info

General

Static PDF Info

General

Keywords Statistics

Image Streams

Network Behavior

System Behavior

Analysis Process: exo-open PID: 4790, Parent PID: 4730

General

Chronological Activities

Analysis Process: exo-open PID: 4798, Parent PID: 4790

General

Chronological Activities

Analysis Process: dbus-launch PID: 4798, Parent PID: 4790

General

Chronological Activities

Analysis Process: exo-open PID: 4815, Parent PID: 4790

General

Chronological Activities

Analysis Process: exo-open PID: 4816, Parent PID: 4815

General

Chronological Activities

Analysis Process: evince PID: 4816, Parent PID: 1656

General

Chronological Activities

Analysis Process: evince PID: 4833, Parent PID: 4816

General

Chronological Activities

Analysis Process: dbus-launch PID: 4833, Parent PID: 4816

General

Chronological Activities

Linux Analysis Report
sample-link.pdf