Windows Analysis Report
NEEmRGwBAG.pdf

Overview

General Information

Sample name: NEEmRGwBAG.pdf
renamed because original name is a hash value
Original sample name: 25cc9eab5abb14695ee27a8c990921121b86de002ce7fd199ad32f14e915099b.pdf
Analysis ID: 1543757
MD5: ab5bd55bca3e5b93e184148531714c33
SHA1: ee5242b10bfcb2d99cde579654bfa251e8f63b9a
SHA256: 25cc9eab5abb14695ee27a8c990921121b86de002ce7fd199ad32f14e915099b
Infos:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

AI detected landing page (webpage, office document or email)
HTML page contains hidden javascript code
IP address seen in connection with other malware
Stores files to the Windows start menu directory
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

HTML page contains hidden javascript code
Source: https://app.blaze.cx/link?li=671ee3647dc00d7a53f3bb9c&c=7e9547&sk=7bdfe5d198 HTTP Parser: Base64 decoded: <?xml version="1.0" encoding="UTF-8" standalone="no"?><svg width="9px" height="29px" viewBox="0 0 9 29" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <!-- Generator: Sketch 39 (31667) - http://www.bohemi...
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)
Source: https://app.blaze.cx/static/js/12.705c50ea.chunk.js HTTP Parser: /*! for license information please see 12.705c50ea.chunk.js.license.txt */(this.webpackjsonpblaze=this.webpackjsonpblaze||[]).push([[12],[function(e,t,n){"use strict";n.d(t,"a",(function(){return u}));var r=n(1),i=n.n(r),a={color:void 0,size:void 0,classname:void 0,style:void 0,attr:void 0},o=i.a.createcontext&&i.a.createcontext(a),s=function(){return s=object.assign||function(e){for(var t,n=1,r=arguments.length;n<r;n++)for(var i in t=arguments[n])object.prototype.hasownproperty.call(t,i)&&(e[i]=t[i]);return e},s.apply(this,arguments)},c=function(e,t){var n={};for(var r in e)object.prototype.hasownproperty.call(e,r)&&t.indexof(r)<0&&(n[r]=e[r]);if(null!=e&&"function"==typeof object.getownpropertysymbols){var i=0;for(r=object.getownpropertysymbols(e);i<r.length;i++)t.indexof(r[i])<0&&object.prototype.propertyisenumerable.call(e,r[i])&&(n[r[i]]=e[r[i]])}return n};function l(e){return e&&e.map((function(e,t){return i.a.createelement(e.tag,s({key:t},e.attr),l(e.child))}))}function u(e){return function(t){return ...
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 172.67.184.158 172.67.184.158
Source: 77EC63BDA74BD0D0E0426DC8F80085060.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2D85F72862B55C4EADD9E66E06947F3D0.2.dr String found in binary or memory: http://x1.i.lencr.org/
Source: NEEmRGwBAG.pdf String found in binary or memory: https://app.blaze.cx/link?li=671ee3647dc00d7a53f3bb9c&c=7e9547&sk=7bdfe5d198)
Source: chromecache_211.9.dr String found in binary or memory: https://blazestorage1eufrancec.blob.core.windows.net/blazepublic/1cb4dd7d7be8f6e5ccd117624a0b80cc809
Source: chromecache_211.9.dr String found in binary or memory: https://blazestorage1eufrancec.blob.core.windows.net/blazepublic/26f214803e9cdbc311c5982084e9e2ec679
Source: chromecache_211.9.dr String found in binary or memory: https://blazestorage1eufrancec.blob.core.windows.net/blazepublic/359e69e0f5284bcbabe29684a6cbed5b21f
Source: chromecache_247.9.dr String found in binary or memory: https://fonts.cdnfonts.com/css/clash-display);
Source: chromecache_223.9.dr String found in binary or memory: https://fonts.cdnfonts.com/s/65008/ClashDisplayBold.woff)
Source: chromecache_223.9.dr String found in binary or memory: https://fonts.cdnfonts.com/s/65008/ClashDisplayExtralight.woff)
Source: chromecache_223.9.dr String found in binary or memory: https://fonts.cdnfonts.com/s/65008/ClashDisplayLight.woff)
Source: chromecache_223.9.dr String found in binary or memory: https://fonts.cdnfonts.com/s/65008/ClashDisplayMedium.woff)
Source: chromecache_223.9.dr String found in binary or memory: https://fonts.cdnfonts.com/s/65008/ClashDisplayRegular.woff)
Source: chromecache_223.9.dr String found in binary or memory: https://fonts.cdnfonts.com/s/65008/ClashDisplaySemibold.woff)
Source: chromecache_224.9.dr, chromecache_238.9.dr String found in binary or memory: https://github.com/oftn/core-estimator/blob/master/core-estimator.js
Source: chromecache_247.9.dr String found in binary or memory: https://www.fontshare.com/fonts/clash-grotesk
Source: classification engine Classification label: sus22.winPDF@38/130@0/6
Source: NEEmRGwBAG.pdf Initial sample: https://app.blaze.cx/link?li=671ee3647dc00d7a53f3bb9c&c=7e9547&sk=7bdfe5d198
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5532 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-28 06-43-53-007.log Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\NEEmRGwBAG.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1676,i,11425198669066236123,16450259438300404404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://app.blaze.cx/link?li=671ee3647dc00d7a53f3bb9c&c=7e9547&sk=7bdfe5d198"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2116,i,15328674476385843745,1406063215858999797,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1676,i,11425198669066236123,16450259438300404404,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2116,i,15328674476385843745,1406063215858999797,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: Google Drive.lnk.8.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.8.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.8.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.8.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.8.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.8.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: NEEmRGwBAG.pdf Initial sample: PDF keyword /JS count = 0
Source: NEEmRGwBAG.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: NEEmRGwBAG.pdf Initial sample: PDF keyword /EmbeddedFile count = 0

Persistence and Installation Behavior
barindex
AI detected landing page (webpage, office document or email)
Source: PDF document LLM: Page contains button: 'VIEW LONG OVERDUE STATEMENT' Source: 'PDF document'
Source: PDF document LLM: PDF document contains prominent button: 'view long overdue statement'
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543757 Sample: NEEmRGwBAG.pdf Startdate: 28/10/2024 Architecture: WINDOWS Score: 22 27 AI detected landing page (webpage, office document or email) 2->27 7 chrome.exe 9 2->7         started        10 Acrobat.exe 20 73 2->10         started        process3 dnsIp4 19 239.255.255.250 unknown Reserved 7->19 12 chrome.exe 7->12         started        15 AcroCEF.exe 107 10->15         started        process5 dnsIp6 21 91.107.202.212 HETZNER-ASDE Germany 12->21 23 142.250.185.164 GOOGLEUS United States 12->23 25 3 other IPs or domains 12->25 17 AcroCEF.exe 2 15->17         started        process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.107.202.212
 unknown Germany
24940 HETZNER-ASDE false
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
167.235.20.246
 unknown United States
3525 ALBERTSONSUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.185.164
 unknown United States
15169 GOOGLEUS false
172.67.184.158
 unknown United States
13335 CLOUDFLARENETUS false

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://app.blaze.cx/link?li=671ee3647dc00d7a53f3bb9c&c=7e9547&sk=7bdfe5d198 false
    		unknown