Report - 제4기AMP 안내자료.pdf

Kimsuky Javascript ShellCode PDF

ScreenShot

Info
Location map


Created	2021.08.09 22:59	Machine	s1_win7_x6403
Filename	제4기AMP 안내자료.pdf
Type	PDF document, version 1.6
AI Score	Not founds	Behavior Score	2.2
ZERO API	file : clean
VT API (file)	27 detected (GenericKD, Pidief, 0NA103H621, FakePDF, Malware@#2f67s3zn21jr2, Generic Exploit, PDFEx, nynzr, Malicious, score, FakeDocu)
md5	70294ac8b61bfb936334bcb6e6e8cc50
sha256	512ad244c58064dfe102f27c9ec8814f3e3720593fe1e3ed48a8cb385d52ff84
ssdeep	3072:xMLZB6xP2cQ8mUjIgBPsP5TUYdFTCrQlGvwJpKz9z7PDHUx2p:KLbGPQ8DZkPDFTCEl7s9z7PbB
imphash
impfuzzy

Network IP location

Signature (4cnts)

Level	Description
warning	File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch	One or more non-whitelisted processes were created
notice	Performs some HTTP requests
notice	Uses Windows utilities for basic Windows functionality

Rules (3cnts)

Level	Name	Description	Collection
danger	APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1	Detect encoded Kimsuky shellcode used in fake PDF against South Korea	binaries (upload)
warning	PDF_Javascript_ShellCode	PDF Javascript ShellCode	binaries (upload)
notice	PDF_Format_Z	PDF Format	binaries (upload)

Network (6cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip whois		CCCH-3	23.216.159.131		clean
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip whois		CCCH-3	23.216.159.131		clean
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip whois		CCCH-3	23.216.159.131		clean
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip whois		CCCH-3	23.216.159.131		clean
acroipm2.adobe.com whois		CCCH-3	23.216.159.131		clean
23.203.135.139 whois		GTT Communications Inc.	23.203.135.139		clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure