Edit tour

Linux Analysis Report
eicarINFECTED.pdf

Overview

General Information

Sample name:	eicarINFECTED.pdf
Analysis ID:	1523490
MD5:	911dd1610034027a924387d42f56bdf0
SHA1:	6ce8d59428b6a646ac5eb440b540e8984ece5b08
SHA256:	4daf4edbb04383b93094e89636f303bb11ab687636a4d40813e930c213c3b513
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Creates hidden files and/or directories

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523490
Start date and time:	2024-10-01 17:13:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Sample name:	eicarINFECTED.pdf
Detection:	MAL
Classification:	mal52.linPDF@0/2@0/0
Cookbook Comments:	Internet access has been disabled

Warnings

VT rate limit hit for: eicarINFECTED.pdf

Runtime Messages

Command:	sudo -u james xdg-open "/tmp/eicarINFECTED.pdf"
PID:	4724
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	(evince:4816): WARNING : Unimplemented action: POPPLER_ACTION_JAVASCRIPT, please post a bug report in Evince bugzilla (http://bugzilla.gnome.org) with a testcase.

Process Tree

system is lnxubuntu1

exo-open (PID: 4791, Parent: 4731, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open /tmp/eicarINFECTED.pdf

exo-open New Fork (PID: 4799, Parent: 4791)

dbus-launch (PID: 4799, Parent: 4791, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

exo-open New Fork (PID: 4813, Parent: 4791)

exo-open New Fork (PID: 4816, Parent: 4813)

evince (PID: 4816, Parent: 1656, MD5: 2e95d2551823570fd40ffe589f9208f1) Arguments: evince /tmp/eicarINFECTED.pdf

evince New Fork (PID: 4835, Parent: 4816)

dbus-launch (PID: 4835, Parent: 4816, MD5: e4a469f27d130d783c21ce9c1c4456c3) Arguments: dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: eicarINFECTED.pdf

ReversingLabs: Detection: 83%

Machine Learning detection for sample

Source: eicarINFECTED.pdf

Joe Sandbox ML: detected

Source: recently-used.xbel.HYI2U2.38.dr	String found in binary or memory: http://freedesktop.org
Source: recently-used.xbel.HYI2U2.38.dr	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: recently-used.xbel.HYI2U2.38.dr	String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info

Source: recently-used.xbel.HYI2U2.38.dr

OLE indicator, VBA macros: true

Source: recently-used.xbel.HYI2U2.38.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal52.linPDF@0/2@0/0

Source: /usr/bin/exo-open (PID: 4791)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/exo-open (PID: 4791)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4799)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.Xauthority	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.Xdefaults-ubuntu	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Directory: /home/james/.cache	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4835)	Directory: /home/james/.Xauthority	Jump to behavior

Source: submitted sample

Stderr: ** (evince:4816): WARNING **: Unimplemented action: POPPLER_ACTION_JAVASCRIPT, please post a bug report in Evince bugzilla (http://bugzilla.gnome.org) with a testcase.: exit code = 0

Source: /usr/bin/exo-open (PID: 4791)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4799)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/evince (PID: 4816)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 4835)	Queries kernel information via 'uname':	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
eicarINFECTED.pdf	83%	ReversingLabs	Document-PDF.Malware.EICAR
eicarINFECTED.pdf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.freedesktop.org/standards/desktop-bookmarks	recently-used.xbel.HYI2U2.38.dr	false	unknown
http://www.freedesktop.org/standards/shared-mime-info	recently-used.xbel.HYI2U2.38.dr	false	unknown
http://freedesktop.org	recently-used.xbel.HYI2U2.38.dr	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/james/.cache/dconf/user

Download File

Process:	/usr/bin/evince
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.

/home/james/.local/share/recently-used.xbel.HYI2U2

Download File

Process:	/usr/bin/evince
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	713
Entropy (8bit):	5.100508496074248
Encrypted:	false
SSDEEP:	12:TMHdE2J9kLS3ROBQkLSjE7GlwBK7YvoJtnLRVHZlEweKwxh9XyB/K/wR+we7x+0l:2dEm3RJVjllwBK7YvoJtVV5Kh9CB/K6M
MD5:	1CE7490D6F9369A3168DD1442905794B
SHA1:	E4543EAFD3238125A002C4F1EC3A9E0A9428D93B
SHA-256:	9D3C52479EE747D7F9E02012E057DF8888DA9E44481B205A5AB9BBD334FD9C54
SHA-512:	707B54FF61D8BAA81EAFE6BC7922D8C67467155BD60DD731748425E199E969D5067D6B430071CEABDB12FF25CF05F3F113E37A1C8B0A5D09700235C350ECFE89
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<xbel version="1.0". xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks". xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info".>. <bookmark href="file:///tmp/eicarINFECTED.pdf" added="2024-10-01T15:14:04Z" modified="2024-10-01T15:14:04Z" visited="2024-10-01T15:14:05.167758Z">. <info>. <metadata owner="http://freedesktop.org">. <mime:mime-type type="application/pdf"/>. <bookmark:applications>. <bookmark:application name="Document Viewer" exec="'evince %u'" modified="2024-10-01T15:14:04Z" count="1"/>. </bookmark:applications>. </metadata>. </info>. </bookmark>.</xbel>

Static File Info

General

File type:	PDF document, version 1.1, 0 pages
Entropy (8bit):	4.984533980743053
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	eicarINFECTED.pdf
File size:	2'061 bytes
MD5:	911dd1610034027a924387d42f56bdf0
SHA1:	6ce8d59428b6a646ac5eb440b540e8984ece5b08
SHA256:	4daf4edbb04383b93094e89636f303bb11ab687636a4d40813e930c213c3b513
SHA512:	8bf9551c4f1c81e7c36f66cb3e04aa3fbfb5f5ce3796f5685dc83719899a46f7380e37256424a37049a9bfa8e77f045c1e0483387873fa2e6baa277d616a8f6b
SSDEEP:	48:ull2naNCsOB2l8ggv1KToW7RO2MJXbRTd2l6vRzToMxZmdKor:uz2naNCsO68yToUYJXbRTd0qToMnoJr
TLSH:	DB41F02AFC5B5DCCD4704F425B18F89AA83CF19235C844C2347CA7036A0CF4E6E8295E
File Content Preview:	%PDF-1.1....1 0 obj..<<.. /Type /Catalog.. /Outlines 2 0 R.. /Pages 3 0 R.. /Names << /EmbeddedFiles << /Names [(EICAR.txt) 9 0 R] >> >>..>>..endobj....2 0 obj..<<.. /Type /Outlines.. /Count 0..>>..endobj....3 0 obj..<<.. /Type /Pages.. /Kids [4 0 R].. /C

Static PDF Info

General
Header:	%PDF-1.1
Total Entropy:	4.984534
Total Bytes:	2061
Stream Entropy:	4.412538
Stream Bytes:	644
Entropy outside Streams:	4.901738
Bytes outside Streams:	1417
Number of EOF found:	1
Bytes after EOF:

Keywords Statistics

Name	Count
obj	10
endobj	10
stream	2
endstream	2
xref	1
trailer	1
startxref	1
/Page	1
/Encrypt	0
/ObjStm	0
/URI	0
/JS	1
/JavaScript	1
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	1

Network Behavior

⊘No network behavior found

System Behavior

Analysis Process: exo-open PID: 4791, Parent PID: 4731

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	exo-open /tmp/eicarINFECTED.pdf
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4799, Parent PID: 4791

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: dbus-launch PID: 4799, Parent PID: 4791

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr
File size:	26616 bytes
MD5 hash:	e4a469f27d130d783c21ce9c1c4456c3

Chronological Activities

Analysis Process: exo-open PID: 4813, Parent PID: 4791

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: exo-open PID: 4816, Parent PID: 4813

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	22856 bytes
MD5 hash:	39c5fa78f1cb3d950b9944f784018d3a

Chronological Activities

Analysis Process: evince PID: 4816, Parent PID: 1656

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/evince
Arguments:	evince /tmp/eicarINFECTED.pdf
File size:	416912 bytes
MD5 hash:	2e95d2551823570fd40ffe589f9208f1

Chronological Activities

Analysis Process: evince PID: 4835, Parent PID: 4816

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/evince
Arguments:	-
File size:	416912 bytes
MD5 hash:	2e95d2551823570fd40ffe589f9208f1

Chronological Activities

Analysis Process: dbus-launch PID: 4835, Parent PID: 4816

General

Start time (UTC):	15:14:04
Start date (UTC):	01/10/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=11ced2f07072c6ae389b731c5cc84014 --binary-syntax --close-stderr
File size:	26616 bytes
MD5 hash:	e4a469f27d130d783c21ce9c1c4456c3

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report eicarINFECTED.pdf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/james/.cache/dconf/user

/home/james/.local/share/recently-used.xbel.HYI2U2

Static File Info

General

Static PDF Info

General

Keywords Statistics

Network Behavior

System Behavior

Analysis Process: exo-open PID: 4791, Parent PID: 4731

General

Chronological Activities

Analysis Process: exo-open PID: 4799, Parent PID: 4791

General

Chronological Activities

Analysis Process: dbus-launch PID: 4799, Parent PID: 4791

General

Chronological Activities

Analysis Process: exo-open PID: 4813, Parent PID: 4791

General

Chronological Activities

Analysis Process: exo-open PID: 4816, Parent PID: 4813

General

Chronological Activities

Analysis Process: evince PID: 4816, Parent PID: 1656

General

Chronological Activities

Analysis Process: evince PID: 4835, Parent PID: 4816

General

Chronological Activities

Analysis Process: dbus-launch PID: 4835, Parent PID: 4816

General

Chronological Activities

Linux Analysis Report
eicarINFECTED.pdf