Edit tour

Linux Analysis Report
131350528.pdf

Overview

General Information

Sample name:	131350528.pdf
Analysis ID:	1562126
MD5:	0f9fd8e0a5053509bddd66b2947a2576
SHA1:	c611ab1e22a0877c776e74cfd2bb0936a23bca1a
SHA256:	cede25c03d9edaaf64adeb65e023bdce37b502883948600b80ce6e009f0c2d92
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false

Signatures

Creates hidden files and/or directories

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Executes the "rm" command used to delete files or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562126
Start date and time:	2024-11-25 08:36:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	131350528.pdf
Detection:	CLEAN
Classification:	clean2.linPDF@0/2@0/0

Warnings

VT rate limit hit for: 131350528.pdf

Runtime Messages

Command:	sudo -u saturnino xdg-open "/tmp/131350528.pdf"
PID:	6250
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

exo-open (PID: 6266, Parent: 6251, MD5: 60a307a6a6325e2034eb5cc56bff1abd) Arguments: exo-open /tmp/131350528.pdf

exo-open New Fork (PID: 6268, Parent: 6266)

dbus-launch (PID: 6268, Parent: 6266, MD5: 0b22a45154a51c6121bb1d208d8ab203) Arguments: dbus-launch --autolaunch=ee49dfd4fa47433baee88884e2d7de7c --binary-syntax --close-stderr

exo-open New Fork (PID: 6270, Parent: 6266)

exo-open New Fork (PID: 6271, Parent: 6270)

sh (PID: 6271, Parent: 1860, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh evince /tmp/131350528.pdf

evince (PID: 6271, Parent: 1860, MD5: 3b2e161f515da97cbd986ec82e935859) Arguments: evince /tmp/131350528.pdf

evince New Fork (PID: 6274, Parent: 6271)

dbus-launch (PID: 6274, Parent: 6271, MD5: 0b22a45154a51c6121bb1d208d8ab203) Arguments: dbus-launch --autolaunch=ee49dfd4fa47433baee88884e2d7de7c --binary-syntax --close-stderr

dash New Fork (PID: 6227, Parent: 4332)

rm (PID: 6227, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz

dash New Fork (PID: 6228, Parent: 4332)

rm (PID: 6228, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: recently-used.xbel.JJN4X2.45.dr	String found in binary or memory: http://freedesktop.org
Source: recently-used.xbel.JJN4X2.45.dr	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: recently-used.xbel.JJN4X2.45.dr	String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: recently-used.xbel.JJN4X2.45.dr

OLE indicator, VBA macros: true

Source: recently-used.xbel.JJN4X2.45.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: clean2.linPDF@0/2@0/0

Source: /usr/bin/exo-open (PID: 6266)	Directory: /home/saturnino/.Xdefaults-galassia	Jump to behavior
Source: /usr/bin/exo-open (PID: 6266)	Directory: /home/saturnino/.cache	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.Xdefaults-galassia	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/local/share/fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.local/share/fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cMap/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/type1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/Type1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/encodings/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/misc/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/util/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-cns1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-gb1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-japan1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-japan2/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/cmap/adobe-korea1/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/malayalam/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/mathjax/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/noto/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/opentype/urw-base35/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Gargi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Gubbi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Nakula/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Navilu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Sahadeva/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/Sarai/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/abyssinica/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/ancient-scripts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/dejavu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/droid/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/freefont/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/kacst/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/kacst-one/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lao/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lato/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/liberation/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/liberation2/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-assamese/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-bengali/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-kannada/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-oriya/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-tamil/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/lohit-telugu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/malayalam/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/noto/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/openoffice/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/padauk/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/pagul/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/samyak/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/samyak-fonts/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/sinhala/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/tibetan-machine/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/tlwg/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/ttf-khmeros-core/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/truetype/ubuntu/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/type1/urw-base35/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /usr/share/fonts/X11/encodings/large/.uuid	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Directory: /home/saturnino/.cache	Jump to behavior

Source: /usr/bin/dash (PID: 6227)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz			Jump to behavior
Source: /usr/bin/dash (PID: 6228)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz			Jump to behavior

Source: /usr/bin/exo-open (PID: 6266)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 6268)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/evince (PID: 6271)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 6274)	Queries kernel information via 'uname':	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
131350528.pdf	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.freedesktop.org/standards/desktop-bookmarks	recently-used.xbel.JJN4X2.45.dr	false	high
http://www.freedesktop.org/standards/shared-mime-info	recently-used.xbel.JJN4X2.45.dr	false	high
http://freedesktop.org	recently-used.xbel.JJN4X2.45.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	wheiuwa4.elf	Get hash	malicious	Unknown	Browse
	wheiuwa4.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	hidakibest.arm4.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	main_ppc.elf	Get hash	malicious	Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	Mozi.a.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	vqsjh4.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Unknown	Browse
	dwhdbg.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse
91.189.91.42	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	Mozi.a.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	vqsjh4.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Unknown	Browse
	dwhdbg.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	pXdN91.armv4l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.125.190.26
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	Mozi.a.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vqsjh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vkjqpc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	dwhdbg.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	pXdN91.armv4l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.125.190.26
	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	Mozi.a.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vqsjh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vkjqpc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	dwhdbg.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
AMAZON-02US	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.171.230.55
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.171.230.55
	file (1).txt.bat	Get hash	malicious	Unknown	Browse	18.181.154.24
	startup.txt.bat	Get hash	malicious	Unknown	Browse	18.181.154.24
	run.txt.bat	Get hash	malicious	Unknown	Browse	18.181.154.24
	9758xBqgE1azKnB.exe	Get hash	malicious	XWorm	Browse	18.181.154.24
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.239.168.24
	file.exe	Get hash	malicious	Credential Flusher	Browse	108.158.75.108
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	3.167.152.14
	https://clever-photos-686127.framer.app/	Get hash	malicious	Unknown	Browse	108.158.75.21
INIT7CH	pXdN91.armv5l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	109.202.202.202
	pXdN91.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	109.202.202.202
	Mozi.a.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	vqsjh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	vkjqpc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	dwhdbg.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/home/saturnino/.cache/dconf/user

Download File

Process:	/usr/bin/evince
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.

/home/saturnino/.local/share/recently-used.xbel.JJN4X2

Download File

Process:	/usr/bin/evince
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	702
Entropy (8bit):	5.11120528597766
Encrypted:	false
SSDEEP:	12:TMHdE2J9kLS3ROBQkLSjE7vfCFTbjpmJtnLRVHZlEweKwxh9XyB/bxwR+we7x+0l:2dEm3RJVjAaV4JtVV5Kh9CB/gEdZb
MD5:	853FBB65F3C6D0FF1234FB4987EF9BD3
SHA1:	08BB1351438A87EAF214F55E144FD62659557E08
SHA-256:	A5F92B95D44D994021CDBE2920C21FD2D1E7FD259F75ECCE7AE3715DE1C8E4A7
SHA-512:	AF55BD7A320BE02153B61A0DC49F1558A892DD5CFD8216C6F1B27377BD7703117396587E8845EE321CA2D0A4491868EEB2AC0B5FB43858E20BDAA70477CA21EA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<xbel version="1.0". xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks". xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info".>. <bookmark href="file:///tmp/131350528.pdf" added="2024-11-25T07:36:54Z" modified="2024-11-25T07:36:54Z" visited="1969-12-31T23:59:59Z">. <info>. <metadata owner="http://freedesktop.org">. <mime:mime-type type="application/pdf"/>. <bookmark:applications>. <bookmark:application name="Document Viewer" exec="'evince %u'" modified="2024-11-25T07:36:54Z" count="1"/>. </bookmark:applications>. </metadata>. </info>. </bookmark>.</xbel>

Static File Info

General

File type:	PDF document, version 1.7 (zip deflate encoded)
Entropy (8bit):	7.966571972716478
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	131350528.pdf
File size:	392'735 bytes
MD5:	0f9fd8e0a5053509bddd66b2947a2576
SHA1:	c611ab1e22a0877c776e74cfd2bb0936a23bca1a
SHA256:	cede25c03d9edaaf64adeb65e023bdce37b502883948600b80ce6e009f0c2d92
SHA512:	6fc2076c3c42562677bae4be4fe78f37bd87b934d909af843bc68c66dbb410c008a792e7eea8c1110a68b974ee49bbebd8ca44307afe7dc41c7670a0e2aeb554
SSDEEP:	6144:TD7ik1xrAYTHXQDYfNb9Y3CKqat+SLUU9hJ8vx9c/QhhcL+QBcddHzUlBpNJpM:T/L/TEDPSKqat9LTqM4hCmd2TJpM
TLSH:	6484235F0256CC67C09F5C7456BDB24BBAD384B21887A1663B0C894BD70CFA3789EA17
File Content Preview:	%PDF-1.7.%......25 0 obj.<</Linearized 1/L 392736/O 27/E 153207/N 2/T 392383/H [ 516 239]>>.endobj. ..49 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<8BA3753F03F9355DF7D0AF23264481D9><D0CF8C85E5D52B44A5C08F0955CE2CC

Static PDF Info

General
Header:	%PDF-1.7
Total Entropy:	7.966572
Total Bytes:	392735
Stream Entropy:	7.972481
Stream Bytes:	385823
Entropy outside Streams:	5.335201
Bytes outside Streams:	6912
Number of EOF found:	2
Bytes after EOF:

Keywords Statistics

Name	Count
obj	44
endobj	44
stream	40
endstream	40
xref	0
trailer	0
startxref	2
/Page	2
/Encrypt	0
/ObjStm	6
/URI	0
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Image Streams

ID	DHASH	MD5
39	0000000000000000	88faecb1ced8d491f8e4c8e931f4c02e
3	207070c8d3a440d0	b4987d174d53427f04e0170e61d4784a
4	627170c8d3a440d4	ed6b7f445a5a494fee411ea3bff3311c
6	a9a8c4e868e1e448	8f294d884d24c67d14a566d2d348d737
7	a9acc4ec78e3e440	490e770140a223e29248af362f1a358c

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:36:47.117336035 CET	443	33606	54.171.230.55	192.168.2.23
Nov 25, 2024 08:36:47.117654085 CET	33606	443	192.168.2.23	54.171.230.55
Nov 25, 2024 08:36:47.237145901 CET	443	33606	54.171.230.55	192.168.2.23
Nov 25, 2024 08:36:47.833228111 CET	43928	443	192.168.2.23	91.189.91.42
Nov 25, 2024 08:36:53.460444927 CET	42836	443	192.168.2.23	91.189.91.43
Nov 25, 2024 08:36:54.740293026 CET	42516	80	192.168.2.23	109.202.202.202
Nov 25, 2024 08:37:08.306536913 CET	43928	443	192.168.2.23	91.189.91.42
Nov 25, 2024 08:37:20.592958927 CET	42836	443	192.168.2.23	91.189.91.43
Nov 25, 2024 08:37:24.688365936 CET	42516	80	192.168.2.23	109.202.202.202
Nov 25, 2024 08:37:49.260907888 CET	43928	443	192.168.2.23	91.189.91.42

System Behavior

Analysis Process: exo-open PID: 6266, Parent PID: 6251

General

Start time (UTC):	07:36:48
Start date (UTC):	25/11/2024
Path:	/usr/bin/exo-open
Arguments:	exo-open /tmp/131350528.pdf
File size:	27264 bytes
MD5 hash:	60a307a6a6325e2034eb5cc56bff1abd

Chronological Activities

Analysis Process: exo-open PID: 6268, Parent PID: 6266

General

Start time (UTC):	07:36:49
Start date (UTC):	25/11/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	27264 bytes
MD5 hash:	60a307a6a6325e2034eb5cc56bff1abd

Chronological Activities

Analysis Process: dbus-launch PID: 6268, Parent PID: 6266

General

Start time (UTC):	07:36:49
Start date (UTC):	25/11/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=ee49dfd4fa47433baee88884e2d7de7c --binary-syntax --close-stderr
File size:	34960 bytes
MD5 hash:	0b22a45154a51c6121bb1d208d8ab203

Chronological Activities

Analysis Process: exo-open PID: 6270, Parent PID: 6266

General

Start time (UTC):	07:36:49
Start date (UTC):	25/11/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	27264 bytes
MD5 hash:	60a307a6a6325e2034eb5cc56bff1abd

Chronological Activities

Analysis Process: exo-open PID: 6271, Parent PID: 6270

General

Start time (UTC):	07:36:49
Start date (UTC):	25/11/2024
Path:	/usr/bin/exo-open
Arguments:	-
File size:	27264 bytes
MD5 hash:	60a307a6a6325e2034eb5cc56bff1abd

Chronological Activities

Analysis Process: sh PID: 6271, Parent PID: 1860

General

Start time (UTC):	07:36:49
Start date (UTC):	25/11/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh evince /tmp/131350528.pdf
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: evince PID: 6271, Parent PID: 1860

General

Start time (UTC):	07:36:49
Start date (UTC):	25/11/2024
Path:	/usr/bin/evince
Arguments:	evince /tmp/131350528.pdf
File size:	482984 bytes
MD5 hash:	3b2e161f515da97cbd986ec82e935859

Chronological Activities

Analysis Process: evince PID: 6274, Parent PID: 6271

General

Start time (UTC):	07:36:50
Start date (UTC):	25/11/2024
Path:	/usr/bin/evince
Arguments:	-
File size:	482984 bytes
MD5 hash:	3b2e161f515da97cbd986ec82e935859

Chronological Activities

Analysis Process: dbus-launch PID: 6274, Parent PID: 6271

General

Start time (UTC):	07:36:50
Start date (UTC):	25/11/2024
Path:	/usr/bin/dbus-launch
Arguments:	dbus-launch --autolaunch=ee49dfd4fa47433baee88884e2d7de7c --binary-syntax --close-stderr
File size:	34960 bytes
MD5 hash:	0b22a45154a51c6121bb1d208d8ab203

Chronological Activities

Analysis Process: dash PID: 6227, Parent PID: 4332

General

Start time (UTC):	07:36:46
Start date (UTC):	25/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6227, Parent PID: 4332

General

Start time (UTC):	07:36:46
Start date (UTC):	25/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6228, Parent PID: 4332

General

Start time (UTC):	07:36:46
Start date (UTC):	25/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6228, Parent PID: 4332

General

Start time (UTC):	07:36:46
Start date (UTC):	25/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.XDXaw8psax /tmp/tmp.RIRhJt6zeB /tmp/tmp.qSXKvcdNkz
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 131350528.pdf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/saturnino/.cache/dconf/user

/home/saturnino/.local/share/recently-used.xbel.JJN4X2

Static File Info

General

Static PDF Info

General

Keywords Statistics

Image Streams

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: exo-open PID: 6266, Parent PID: 6251

General

Chronological Activities

Analysis Process: exo-open PID: 6268, Parent PID: 6266

General

Chronological Activities

Analysis Process: dbus-launch PID: 6268, Parent PID: 6266

General

Chronological Activities

Analysis Process: exo-open PID: 6270, Parent PID: 6266

General

Chronological Activities

Analysis Process: exo-open PID: 6271, Parent PID: 6270

General

Chronological Activities

Analysis Process: sh PID: 6271, Parent PID: 1860

General

Chronological Activities

Analysis Process: evince PID: 6271, Parent PID: 1860

General

Chronological Activities

Analysis Process: evince PID: 6274, Parent PID: 6271

Linux Analysis Report
131350528.pdf