Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 9, 2021, 10:55 p.m.	Aug. 9, 2021, 10:57 p.m.

Size	203.2KB
Type	PDF document, version 1.6
MD5	`70294ac8b61bfb936334bcb6e6e8cc50`
SHA256	`512ad244c58064dfe102f27c9ec8814f3e3720593fe1e3ed48a8cb385d52ff84`
CRC32	`E33615E0`
ssdeep	`3072:xMLZB6xP2cQ8mUjIgBPsP5TUYdFTCrQlGvwJpKz9z7PDHUx2p:KLbGPQ8DZkPDFTCEl7s9z7PbB`
Yara	PDF_Javascript_ShellCode - PDF Javascript ShellCode APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1 - Detect encoded Kimsuky shellcode used in fake PDF against South Korea PDF_Format_Z - PDF Format

AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\제4기AMP 안내자료.pdf"
2296

Name	Response	Post-Analysis Lookup
acroipm2.adobe.com	CNAME acroipm2.adobe.com.edgesuite.net A 23.203.135.139 A 23.203.135.91 CNAME a122.dscd.akamai.net	23.216.159.131

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.203.135.139	Active	Moloch

No Suricata Alerts

No Suricata TLS

request	GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
request	GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
request	GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
request	GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip

cmdline

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

parent_process

acrord32.exe

martian_process

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

제4기AMP 안내자료.pdf