popup

Report - AL.pdf

PDF Suspicious Link PDF AntiDebug AntiVM MSOffice File PNG Format JPEG Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.11 15:43 Machine s1_win7_x6402
Filename AL.pdf
Type PDF document, version 1.4
AI Score Not founds Behavior Score
3.6
ZERO API file : clean
VT API (file) 7 detected (Qbot, gen12, Artemis, PDFDwn, Detected, Phishing, Malurl, XG38)
md5 2a8d2f23d6dfda4df874b409d503ce39
sha256 bdffc5a72a1180f33e764c0f80b8e30cab36193678cda450be9ac49a5ae7ce80
ssdeep 768:ZqTyfkC+fdckGN6QsF77VYgRVlVF8jbi6kRbCBYEMOfse8azj+Z3jK9s92:ZqefkC0cHNeRbXn8Hi63CT+LzjKjK9C2
imphash
impfuzzy
  Network IP location

Signature (8cnts)

Level Description
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice File has been identified by 7 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory

Rules (13cnts)

Level Name Description Collection
warning PDF_Suspicious_Link_Z PDF Suspicious Link binaries (upload)
notice PDF_Format_Z PDF Format binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (22cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxpsjblnoxgjoqggdsbvujtof4_58/khaoiebndkojlmppeemjhbpbandiljpe_58_win_advr4ucepztwtigvw3fduftsvbeq.crx3
whois
US GOOGLE 34.104.35.123 clean
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/jewvegtcs2qdew3nlzz4kvsjqm_9.44.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.44.0_all_pywouuhjzu3khiqqvvfs2jt53q.crx3
whois
US GOOGLE 34.104.35.123 clean
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/g6v7tvx6ixuzstk5etcqebphhq_7954/hfnkpimlhhgieaddgfemjhofmfblmnib_7954_all_adj2i674lrtcwrqqfhv37vujcaya.crx3
whois
US GOOGLE 34.104.35.123 clean
edgedl.me.gvt1.com
whois
US GOOGLE 34.104.35.123 clean
www.google.com
whois
US GOOGLE 142.250.206.228 clean
www.gstatic.com
whois
US GOOGLE 142.250.206.227 clean
fonts.googleapis.com
whois
US GOOGLE 142.250.207.106 clean
accounts.google.com
whois
US GOOGLE 142.250.206.205 clean
_googlecast._tcp.local
whois
Unknown clean
apis.google.com
whois
US GOOGLE 172.217.161.238 clean
fonts.gstatic.com
whois
US GOOGLE 142.250.207.99 clean
zacuta.com
whois
CA ACP 162.0.217.30 mailcious
clientservices.googleapis.com
whois
US GOOGLE 142.250.207.99 clean
142.250.207.67
whois
US GOOGLE 142.250.207.67 clean
142.251.220.99
whois
US GOOGLE 142.251.220.99 clean
172.217.27.13
whois
US GOOGLE 172.217.27.13 clean
162.0.217.30
whois
CA ACP 162.0.217.30 mailcious
34.104.35.123
whois
US GOOGLE 34.104.35.123 clean
172.217.24.74
whois
US GOOGLE 172.217.24.74 clean
172.217.24.100
whois
US GOOGLE 172.217.24.100 clean
172.217.25.3
whois
US GOOGLE 172.217.25.3 clean
142.250.66.78
whois
US GOOGLE 142.250.66.78 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

Similarity measure (PE file only) - Checking for service failure