ScreenShot
| Created | 2021.08.09 22:58 | Machine | s1_win7_x6402 |
| Filename | 2.pdf | ||
| Type | PDF document, version 2.0 | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 25 detected (AFWQ, Pidief, 0NA104H621, GenericKD, FakePDF, Malware@#1nnwapqfqw1d0, Artemis, FakeDocu, jsexp) | ||
| md5 | de2a8a728f81d44562bfd3e91c95f002 | ||
| sha256 | 7900ca98a6fbed74aa5a393758c43ad7abc9d8c73c3fbab7af93bae681065f4e | ||
| ssdeep | 12288:e9wwBpdbie7g84OTKuBqOX1BNVT5m+YH+JARGEwuxkIOcaj/5vDTWjaOyGj:Xkdz7y2DBJ1dYHoARzTkjcwvDTWOO | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | A potential heapspray has been detected. 766 megabytes was sprayed onto the heap of the AcroRd32.exe process |
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | One or more non-whitelisted processes were created |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The PDF file contains an attachment |
| notice | The PDF file contains JavaScript code |
| notice | Uses Windows utilities for basic Windows functionality |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | APT_Kimsuky_PDF_Shellcode_Aug_2021_1 | Detect Kimsuky shellcode used in fake PDF against South Korea | binaries (upload) |
| warning | PDF_Javascript_ShellCode | PDF Javascript ShellCode | binaries (upload) |
| notice | PDF_Format_Z | PDF Format | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|