popup

Report - 제4기AMP 안내자료.pdf

Kimsuky Javascript ShellCode PDF
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.09 23:09 Machine s1_win7_x6403
Filename 제4기AMP 안내자료.pdf
Type PDF document, version 1.6
AI Score Not founds Behavior Score
2.2
ZERO API file : clean
VT API (file) 27 detected (GenericKD, Pidief, 0NA103H621, FakePDF, Malware@#2f67s3zn21jr2, Generic Exploit, PDFEx, nynzr, Malicious, score, FakeDocu)
md5 70294ac8b61bfb936334bcb6e6e8cc50
sha256 512ad244c58064dfe102f27c9ec8814f3e3720593fe1e3ed48a8cb385d52ff84
ssdeep 3072:xMLZB6xP2cQ8mUjIgBPsP5TUYdFTCrQlGvwJpKz9z7PDHUx2p:KLbGPQ8DZkPDFTCEl7s9z7PbB
imphash
impfuzzy
  Network IP location

Signature (4cnts)

Level Description
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch One or more non-whitelisted processes were created
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality

Rules (3cnts)

Level Name Description Collection
danger APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1 Detect encoded Kimsuky shellcode used in fake PDF against South Korea binaries (upload)
warning PDF_Javascript_ShellCode PDF Javascript ShellCode binaries (upload)
notice PDF_Format_Z PDF Format binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip
whois
US CCCH-3 23.216.159.131 clean
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
whois
US CCCH-3 23.216.159.139 clean
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
whois
US CCCH-3 23.216.159.139 clean
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
whois
US CCCH-3 23.216.159.131 clean

Suricata ids


Similarity measure (PE file only) - Checking for service failure