Linux Analysis Report
131350528.pdf

Overview

General Information

Sample name:	131350528.pdf
Analysis ID:	1562126
MD5:	0f9fd8e0a5053509bddd66b2947a2576
SHA1:	c611ab1e22a0877c776e74cfd2bb0936a23bca1a
SHA256:	cede25c03d9edaaf64adeb65e023bdce37b502883948600b80ce6e009f0c2d92
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false

Signatures

Creates hidden files and/or directories

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Executes the "rm" command used to delete files or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: recently-used.xbel.JJN4X2.45.dr	String found in binary or memory: http://freedesktop.org
Source: recently-used.xbel.JJN4X2.45.dr	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: recently-used.xbel.JJN4X2.45.dr	String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Document contains embedded VBA macros

Source: recently-used.xbel.JJN4X2.45.dr

OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: recently-used.xbel.JJN4X2.45.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: clean2.linPDF@0/2@0/0

Creates hidden files and/or directories

Source: /usr/bin/exo-open (PID: 6266)	Directory: /home/saturnino/.Xdefaults-galassia	Jump to behavior
Source: /usr/bin/exo-open (PID: 6266)	Directory: /home/saturnino/.cache	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.Xdefaults-galassia	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/local/share/fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.local/share/fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cMap/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/type1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/Type1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/encodings/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/misc/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/util/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-cns1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-gb1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-japan1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-japan2/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-korea1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/malayalam/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/mathjax/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/noto/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/urw-base35/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Gargi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Gubbi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Nakula/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Navilu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Sahadeva/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Sarai/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/abyssinica/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/ancient-scripts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/dejavu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/droid/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/freefont/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/kacst/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/kacst-one/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lao/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lato/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/liberation/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/liberation2/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-assamese/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-bengali/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-kannada/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-oriya/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-tamil/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-telugu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/malayalam/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/noto/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/openoffice/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/padauk/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/pagul/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/samyak/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/samyak-fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/sinhala/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/tibetan-machine/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/tlwg/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/ttf-khmeros-core/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/ubuntu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/type1/urw-base35/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/encodings/large/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.cache	Jump to behavior

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6227)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz			Jump to behavior
Source: /usr/bin/dash (PID: 6228)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz			Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /usr/bin/exo-open (PID: 6266)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 6268)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 6274)	Queries kernel information via 'uname':	Jump to behavior

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

ID:	1562126
Product:	CloudBasic
Start time:	08:36:03
Start date:	25.11.2024
Sample:	131350528.pdf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	0f9fd8e0a5053509bddd66b2947a2576
SHA1:	c611ab1e22a0877c776e74cfd2bb0936a23bca1a
SHA256:	cede25c03d9edaaf64adeb65e023bdce37b502883948600b80ce6e009f0c2d92
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Name	Type	MD5	SHA1	SHA256
/home/saturnino/.cache/dconf/user	very short file (no magic)	93B885ADFE0DA089CDF634904FD59F71	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
/home/saturnino/.local/share/recently-used.xbel.JJN4X2	XML 1.0 document, ASCII text	853FBB65F3C6D0FF1234FB4987EF9BD3	08BB1351438A87EAF214F55E144FD62659557E08	A5F92B95D44D994021CDBE2920C21FD2D1E7FD259F75ECCE7AE3715DE1C8E4A7

Linux Analysis Report
131350528.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report 131350528.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
131350528.pdf