ScreenShot
| Created | 2021.08.09 22:01 | Machine | s1_win7_x6402 |
| Filename | 2.pdf | ||
| Type | PDF document, version 2.0 | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 25 detected (AFWQ, Pidief, 0NA104H621, GenericKD, FakePDF, Malware@#1nnwapqfqw1d0, Artemis, FakeDocu, jsexp) | ||
| md5 | de2a8a728f81d44562bfd3e91c95f002 | ||
| sha256 | 7900ca98a6fbed74aa5a393758c43ad7abc9d8c73c3fbab7af93bae681065f4e | ||
| ssdeep | 12288:e9wwBpdbie7g84OTKuBqOX1BNVT5m+YH+JARGEwuxkIOcaj/5vDTWjaOyGj:Xkdz7y2DBJ1dYHoARzTkjcwvDTWOO | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | A potential heapspray has been detected. 767 megabytes was sprayed onto the heap of the AcroRd32.exe process |
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | One or more non-whitelisted processes were created |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Performs some HTTP requests |
| notice | The PDF file contains an attachment |
| notice | The PDF file contains JavaScript code |
| notice | Uses Windows utilities for basic Windows functionality |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | APT_Kimsuky_PDF_Shellcode_Aug_2021_1 | Detect Kimsuky shellcode used in fake PDF against South Korea | binaries (upload) |
| warning | PDF_Javascript_ShellCode | PDF Javascript ShellCode | binaries (upload) |
| notice | PDF_Format_Z | PDF Format | binaries (upload) |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)