Exhibition Gallery.pdf
This report is generated from a file or URL submitted to this webservice on December 6th 2017 15:20:26 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.20 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed.
Informative: 12

Environment Awareness
Reads the registry for installed applications
- details:
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AC76BA86-7AD7-1031-7B44-AB0000000001}")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AC76BA86-7AD7-1031-7B44-AB0000000001}"; Key: "VERSION"; Value: "0000000004000000040000000900000B")
- source: Registry Access
- relevance: 10/10

External Systems
Sample was identified as clean by Antivirus engines
- details: 0/61 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General
Accesses System Certificates Settings
- details:
  "AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
  "AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
  "AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
  "AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
  "AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
  "AcroRd32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\PROTECTEDROOTS"; Key: "CERTIFICATES")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\18F7C1FCC3090203FD5BAA2F861A754976C8DD25"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\245C97DF7514E7CF2DF8BE72AE957B9E04741E85"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\3B1EFD3A66EA28B16697394703A72CA340A05BD5"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7F88CD7223F3C813818C994614A89C99FA3B5247"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\8F43288AD272F3103B6FB1428485EA3014C0BCFE"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A43489159A520F0D93D032CCAF37E7FE20A8B419"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BE36A4562FB2EE05DBB3D32323ADF445084ED656"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\CDD4EEAE6000AC7F40C3802C171E30148030C072"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\02FAF3E291435468607857694DF5E45B68851868"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\039EEDB80BE7A03C6953893B20D2D9323A4C2AFD"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"; Key: "BLOB")
  "AcroRd32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\07E032E020B72C3F192F0628A2593A19A70F069E"; Key: "BLOB")
- source: Registry Access
- relevance: 10/10

Contains object with compressed stream data
- details: details too long to display
- source: Static Parser
- relevance: 10/10

Creates mutants
- details:
  "\Sessions\1\BaseNamedObjects\RasPbFile"
  "{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagEJHCLGHGMBLAAAAA"
  "Local\WininetConnectionMutex"
  "Local\WininetStartupMutex"
  "IESQMMUTEX_0_208"
  "Local\_!MSFTHISTORY!_"
  "Local\Acrobat Instance Mutex"
  "DBWinMutex"
  "Local\c:!users!ijecp3u!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
  "RasPbFile"
  "Local\WininetProxyRegistryMutex"
  "Local\c:!users!ijecp3u!appdata!local!microsoft!windows!history!history.ie5!"
  "Local\c:!users!ijecp3u!appdata!roaming!microsoft!windows!cookies!"
  "\Sessions\1\BaseNamedObjects\Local\Acrobat Instance Mutex"
  "\Sessions\1\BaseNamedObjects\DBWinMutex"
  "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
  "\Sessions\1\BaseNamedObjects\Local\c:!users!ijecp3u!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
  "\Sessions\1\BaseNamedObjects\Local\c:!users!ijecp3u!appdata!roaming!microsoft!windows!cookies!"
  "\Sessions\1\BaseNamedObjects\Local\c:!users!ijecp3u!appdata!local!microsoft!windows!history!history.ie5!"
  "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
- source: Created Mutant
- relevance: 3/10

Opened the service control manager
- details: "AcroRd32.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10

PDF contains no significant text data on the first page(s)
- details: The input only has "86" visible characters on the first 5 page(s)
- source: Static Parser
- relevance: 5/10

Requested access to a system service
- details:
  "AcroRd32.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  "AcroRd32.exe" called "OpenService" to access the "rasman" service
  "AcroRd32.exe" called "OpenService" to access the "RASMAN" service
  "AcroRd32.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  "AcroRd32.exe" called "OpenService" to access the "gpsvc" service
- source: API Call
- relevance: 10/10

Scanning for window names
- details:
  "AcroRd32.exe" searching for class "AdobeAcrobatSpeedLaunchCmdWnd"
  "AcroRd32.exe" searching for class "AdobeReaderSpeedLaunchCmdWnd"
  "AcroRd32.exe" searching for window "_AcroAppTimer"
  "AcroRd32.exe" searching for class "Acrobat Instance Window Class"
  "AcroRd32.exe" searching for class "ACROSEMAPHORE_R11"
  "AcroRd32.exe" searching for class "JFWUI2"
- source: API Call
- relevance: 10/10

Sent a control code to a service
- details:
  "AcroRd32.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
  "AcroRd32.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
- source: API Call
- relevance: 10/10

Installation/Persistence
Dropped files
- details:
  "A9R3A46.tmp" has type "data"
  "AdobeFnt14.lst.2844" has type "PostScript document text"
  "A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" has type "data"
  "A9R3A4D.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
  "A9R3A4B.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
  "A9R3A48.tmp" has type "data"
  "A9R3A4F.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
  "A9R3A4C.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
  "A9R3A47.tmp" has type "data"
  "A9R3A49.tmp" has type "data"
  "48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" has type "data"
  "A9R3A4E.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
- source: Binary File
- relevance: 3/10

Network Related
Found potential URL in binary/memory
- details:
  Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  Heuristic match: "qXf{
w.Pe"
  Heuristic match: "y^(7kmHs;.za"
- source: File/Memory
- relevance: 10/10

File Details
- Filename: Exhibition Gallery.pdf
- Size: 3.9MiB (4117497 bytes)
- Description: PDF document, version 1.7
- Document pages: 24
- Architecture: WINDOWS
- SHA256: 071488ed35d3159d29a376fc4364ebf5849f7ec1f1943ce1081dc37f01d5f749
- MD5: a183ebe79358e5e028563569baa2a143
- SHA1: 0b7ab342382b4847fb64a86415cd7ccf2d355078

Classification (TrID)
- 100.0% (.PDF) Adobe Portable Document Format
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- AcroRd32.exe "C:\071488ed35d3159d29a376fc4364ebf5849f7ec1f1943ce1081dc37f01d5f749.pdf" (PID: 2844)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 12 extracted file(s). The remaining 1 file(s) are available in the full version and XML/JSON reports.
Informative: 12

AdobeFnt14.lst.2844
- Size: 8.1KiB (8244 bytes)
- Type: text
- Description: PostScript document text
- Runtime Process: AcroRd32.exe (PID: 2844)
- MD5: eadae9dc454e710e757b1dc756eb31f5
- SHA1: 1a7a561e6df920d26a9624190e76711ddb74dc79
- SHA256: b40cca694e17770f427a44c7760ec7f557e0330f9eb864a15204d6c114c288a3

A9R3A46.tmp
- Size: 2B (2 bytes)
- Type: data
- Runtime Process: AcroRd32.exe (PID: 2844)
- MD5: c4103f122d27677c9db144cae1394a66
- SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

A9R3A47.tmp
- Size: 2B (2 bytes)
- Type: data
- Runtime Process: AcroRd32.exe (PID: 2844)
- MD5: c4103f122d27677c9db144cae1394a66
- SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

A9R3A48.tmp
- Size: 2B (2 bytes)
- Type: data
- Runtime Process: AcroRd32.exe (PID: 2844)
- MD5: c4103f122d27677c9db144cae1394a66
- SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

A9R3A49.tmp
- Size: 2B (2 bytes)
- Type: data
- Runtime Process: AcroRd32.exe (PID: 2844)
- MD5: c4103f122d27677c9db144cae1394a66
- SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

A9R3A4B.tmp
- Size: 45KiB (46135 bytes)
- Type: java compressed jar
- Description: Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process: AcroRd32.exe (PID: 2844)
- MD5: 7de4a2e866ed8aefb829cf5e04db261a
- SHA1: 38a68fded15d2c8950a6b0d855492e5b4ce7ed95
- SHA256: 70bdea097b02d2cba9f5363f9e986cc5ba57267999374c303a248d01000d713b

A9B8213768ADC68AF64FCC6409E8BE414726687F.crl
- Size: 37KiB (37738 bytes)
- Type: data
- MD5: d318b36a715a8f45604431f3095f0b41
- SHA1: 3da984ce99106ff26d53438e21d49c273fb9e88d
- SHA256: e4b6aaa2312f828f82889184cf66a8ff977a23f1e3b5e9c4a1cf184a77f8a175

A9R3A4D.tmp
- Size: 38KiB (38445 bytes)
- Type: java compressed jar
- Description: Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5: c2be4c74c4d98eac6140acb383f77d0b
- SHA1: a54e90b58dd2463d913142d4d7ec1d038f249c55
- SHA256: d1e10ebe9f745f12c7b29f0a7ca27c576c0ba1e37fdcc19563e822c6692a1d68

A9R3A4F.tmp
- Size: 35KiB (35731 bytes)
- Type: java compressed jar
- Description: Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5: 60fb8491aa4b141264152614c765d450
- SHA1: c33105a5d6bda4f09bfcd774ade9a62e77e131ee
- SHA256: 3184ca2a7ef723d242309f3770e6f60ac57e436ee3eb2b434112d0df848e5c60

A9R3A4C.tmp
- Size: 41KiB (41629 bytes)
- Type: java compressed jar
- Description: Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5: 2270aa3192da68562fdb1e4c468b13df
- SHA1: 0efdaae1163af1ac0c61c6e5f92714cdbb03e41a
- SHA256: 5c74fec27dec1d0fe65987b22d85ba7953e118b34ed48ad59a8000e4d3d4f975

48B76449F3D5FEFA1133AA805E420F0FCA643651.crl
- Size: 1KiB (1073 bytes)
- Type: data
- MD5: 79fbef0890804ff08ba94288b725b3d7
- SHA1: adb11af859c87cb7d9e80fa8a6689151f4b5bc2a
- SHA256: ce091c4f44a76f9d943fb55d71ca8fb7de9e7149609a3d8552f0e7094acd8197

A9R3A4E.tmp
- Size: 80KiB (81944 bytes)
- Type: java compressed jar
- Description: Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- MD5: 39c9b484f43d03a05d306bc7bcc16654
- SHA1: 1cb992eaff6228116e55b858f2ed825b09f2f50b
- SHA256: fa5fdebe80ec0ce7dc40738b4fd46a9e9b36eca6a810c523ee6ef3fd40b4179e

Notifications

Runtime
- Added comment to VirusTotal report
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "static-66" are available in the report