CMACGM_Notice_of_Arrival_OOCL_LUXEMBOURG__0TI28W1MA_4070436758132000.pdf
This report is generated from a file or URL submitted to this webservice on March 14th 2019 21:08:25 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Indicators
Suspicious Indicators (3)

Anti-Reverse Engineering

Possibly checks for known debuggers/analysis tools
- details: "Monticello" (Indicator: "ntice")
- source: File/Memory
- relevance: 2/10
General

Found a potential E-Mail address in binary/memory
- details:
  - Pattern match: "us8.emptynowavaila_le@cma-_m.cam"
  - Pattern match: "deliveyarders@cma-_m.cam"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114
Ransomware/Banking

Detected text artifact in screenshot that indicates the file could be ransomware
- details:
  - "payment," (Source: screen_12.png, Indicator: "payment")
  - "paymenl" (Source: screen_12.png, Indicator: "payment")
- source: File/Memory
- relevance: 10/10
Informative (11)

Exploit/Shellcode

Possible heap spraying attempt detected
- details: "RdrCEF.exe" issued more than 3000 memory allocations
- source: API Call
- relevance: 10/10
General

Contains object with compressed stream data
- details:
  - Object ID 9 contains compressed stream data: No filters
  - Object ID 18 contains compressed stream data: No filters
  - Object ID 23 contains compressed stream data:
      /CIDInit /ProcSet findresource begin
      12 dict begin
      begincmap
      /CIDSystemInfo << /Registry (Oracle) /Ordering (UCS) /Supplement 0 >> def
      /CMapName /Oracle-Identity-UCS def
      1 begincodespacerange
      <0000> <FFFF>
      endcodespacerange
      56 begin ...
  - Object ID 26 contains compressed stream data:
      /CIDInit /ProcSet findresource begin
      12 dict begin
      begincmap
      /CIDSystemInfo << /Registry (Oracle) /Ordering (UCS) /Supplement 0 >> def
      /CMapName /Oracle-Identity-UCS def
      1 begincodespacerange
      <0000> <FFFF>
      endcodespacerange
      72 begin ...
  - Object ID 29 contains compressed stream data:
      /CIDInit /ProcSet findresource begin
      12 dict begin
      begincmap
      /CIDSystemInfo << /Registry (Oracle) /Ordering (UCS) /Supplement 0 >> def
      /CMapName /Oracle-Identity-UCS def
      1 begincodespacerange
      <0000> <FFFF>
      endcodespacerange
      33 begin ...
  - Object ID 32 contains compressed stream data:
      /CIDInit /ProcSet findresource begin
      12 dict begin
      begincmap
      /CIDSystemInfo << /Registry (Oracle) /Ordering (UCS) /Supplement 0 >> def
      /CMapName /Oracle-Identity-UCS def
      1 begincodespacerange
      <0000> <FFFF>
      endcodespacerange
      29 begin ...
  - Object ID 35 contains compressed stream data:
      /CIDInit /ProcSet findresource begin
      12 dict begin
      begincmap
      /CIDSystemInfo << /Registry (Oracle) /Ordering (UCS) /Supplement 0 >> def
      /CMapName /Oracle-Identity-UCS def
      1 begincodespacerange
      <0000> <FFFF>
      endcodespacerange
      73 begin ...
  - Object ID 37 contains compressed stream data:
      \xff\xff\xff\xfd\xe3\xe4\xfa\xc3\xc5\xf8\xa4\xa8\xf6\x8a\x8e\xf3kp\xf2[a\xf1LR\xef5<\xee$
      \xed\x1c$\xee*1\xf5\x86\x8a\xf9\xac\xaf\xfc\xd4\xd5\xf5\x7f\x83\xf1SY\xfc\xdc\xdd\xfb\xce\xd0\xf0<C\xfe\xf5\xf5\xf7\x9d\xa1\xf0BI\xf4rw\xf3ej\xf4x}\xf6\x8d\x91\ ...
  - Object ID 44 contains compressed stream data:
      \x00\x01\x00\x00\x00\x00\x80\x00\x03\x00\x10cvt ;\xf2!\xcb\x00\x00\x00\x9c\x00\x00\x05NfpgmT\xbfm6\x00\x00\x05\xec\x00\x00\x05\xceglyfP\\xe4\xc6\x00\x00?\xbc\x00\x00>\xdehead\xc4\xf0\x9a\x1e\x00\x00J\x9a\x00\x00\x006hhea?\x0f\x04\xb2\x00\x00J\xd2\x00\x ...
  - Object ID 46 contains compressed stream data:
      \x00\x01\x00\x00\x00\x00\x80\x00\x03\x00\x10cvt \xef\x1f\x94\xcc\x00\x00\x00\x9c\x00\x00\x07:fpgm\x08\xe8\xba(\x00\x00\x07\xd8\x00\x00\x05\xd7glyf\x9d\xe8\x8a\xfc\x00\x00
      \xb0\x00\x00R"head\xce\xe2!\xa8\x00\x00_\xd2\x00\x00\x006hhea\x12~?\xbd\x00\x00`
      \x0 ...
  - Object ID 48 contains compressed stream data:
      \x00\x01\x00\x00\x00\x00\x80\x00\x03\x00\x10cvt \x96*\xd2v\x00\x00\x00\x9c\x00\x00\x060fpgm\xccyY\x9a\x00\x00\x06\xcc\x00\x00\x06nglyf\xcbI\xbd\xcc\x00\x00
      <\x00\x00.\xa0head\xce\x98&\x92\x00\x00;\xdc\x00\x00\x006hhea\x123?\x96\x00\x00<\x14\x00\ ...
  - Object ID 50 contains compressed stream data:
      \x00\x01\x00\x00\x00\x00\x80\x00\x03\x00\x10cvt M\xfcd\x93\x00\x00\x00\x9c\x00\x00\x06\x9cfpgmI\x9f-G\x00\x00\x078\x00\x00\x05\xfbglyf\x9dS\xfa\x80\x00\x00
      4\x00\x00)\x02head\xc5\x13\x96+\x00\x0066\x00\x00\x006hhea?R\x05\x1c\x00\x006n\x00\x00\x00$hmtx\x85 ...
  - Object ID 52 contains compressed stream data:
      \x00\x01\x00\x00\x00\x00\x80\x00\x03\x00\x10cvt =R\x1aF\x00\x00\x00\x9c\x00\x00?xfpgm\xab4n\xa4\x00\x00
      \x14\x00\x00\x07jglyf\xed\x01\xbc\xbf\x00\x00\x14\x80\x00\x00D\xcehead\xc2Y\xaf\xe5\x00\x00YN\x00\x00\x006hhea\x12\x8e
      S\x00\x00Y\x86\x00\x00\x00$hmtx@ ...
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1207
Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Local\Acrobat Instance Mutex"
  - "\Sessions\1\BaseNamedObjects\DBWinMutex"
  - "Local\Acrobat Instance Mutex"
  - "DBWinMutex"
  - "com.adobe.acrobat.rna.RdrCefBrowserLock.DC"
  - "\Sessions\1\BaseNamedObjects\com.adobe.acrobat.rna.RdrCefBrowserLock.DC"
- source: Created Mutant
- relevance: 3/10
PDF contains no significant text data on the first page(s)
- details: The input has no visible characters on the first 2 page(s)
- source: Static Parser
- relevance: 5/10
Scanning for window names
- details:
  - "AcroRd32.exe" searching for window "_AcroAppTimer"
  - "AcroRd32.exe" searching for class "Shell_TrayWnd"
  - "AcroRd32.exe" searching for class "AdobeAcrobatSpeedLaunchCmdWnd"
  - "AcroRd32.exe" searching for class "AdobeReaderSpeedLaunchCmdWnd"
  - "AcroRd32.exe" searching for class "Acrobat Instance Window Class"
  - "AcroRd32.exe" searching for class "ACROSEMAPHORE_R18"
  - "AcroRd32.exe" searching for class "JFWUI2"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010
Spawns new processes
- details:
  - Spawned process "RdrCEF.exe" with commandline "--backgroundcolor=16448250"
  - Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=FCA97343919E38A0F4C5F956 ..."
  - Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=7ABF9EB0296B989D78BDA4AB ..."
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Creates new processes
- details:
  - "AcroRd32.exe" is creating a new process (Name: "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", Handle: 712)
  - "RdrCEF.exe" is creating a new process (Name: "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", Handle: 1328)
  - "RdrCEF.exe" is creating a new process (Name: "%WINDIR%\System32\taskhost.exe", Handle: 1424)
- source: API Call
- relevance: 8/10
Dropped files
- details:
  - "data_1" has type "data"
  - "A9Rgy6gso_1ei9t1j_2v8.tmp" has type "data"
  - "Visited Links" has type "data"
  - "0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" has type "data"
  - "A9R4d4m91_1ei9t1i_2v8.tmp" has type "data"
  - "A9Roc50va_1ei9t1k_2v8.tmp" has type "data"
  - "CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" has type "data"
- source: Binary File
- relevance: 3/10
Found a string that may be used as part of an injection method
- details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1055
Touches files in the Windows directory
- details:
  - "RdrCEF.exe" touched file "%WINDIR%\System32\oleaccrc.dll"
  - "RdrCEF.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "RdrCEF.exe" touched file "%WINDIR%\System32\KBDUS.DLL"
  - "RdrCEF.exe" touched file "%WINDIR%\System32\drivers\etc\hosts"
  - "RdrCEF.exe" touched file "%WINDIR%\System32\spool\drivers\color\sRGB Color Space Profile.icm"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\arial.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALN.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ariali.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNI.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbd.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNB.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbi.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNBI.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ariblk.ttf"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details: Pattern match: "www.cma-cgm.cam"
- source: File/Memory
- relevance: 10/10
File Details

CMACGM_Notice_of_Arrival_OOCL_LUXEMBOURG__0TI28W1MA_4070436758132000.pdf
- Filename: CMACGM_Notice_of_Arrival_OOCL_LUXEMBOURG__0TI28W1MA_4070436758132000.pdf
- Size: 132KiB (134928 bytes)
- Type (description): PDF document, version 1.4
- Document author: Oracle Reports
- Document creator: Oracle11gR1 AS Reports Services
- Document producer: Oracle PDF driver
- Document title: CMACGM_Notice_of_Arrival_OOCL_LUXEMBOURG__0TI28W1MA_4070436758132000.pdf
- Document pages: 2
- Architecture: WINDOWS
- SHA256: 5f96ae81c27915de000891893c2021a858e28d6440bcb332c5aa4b31910bcb06
- MD5: a48a0c2a8b789b95f5f92657c6361141
- SHA1: 47a1c02521399a1e6abdb774a4af831198688aad
- ssdeep: 1536:4xFjapG/ujrHZzSn5NCujVtjyr9h3efdYLsCfzaPWdffMGaFe/tyGXoBJfNX9Ev/:4FjXAqtjU9h3e2L0PWdffMte0Tz/hAmk

Classification (TrID)
- 100.0% (.PDF) Adobe Portable Document Format
Hybrid Analysis
Analysed 4 processes in total.
- AcroRd32.exe "C:\CMACGM_Notice_of_Arrival_OOCL_LUXEMBOURG__0TI28W1MA_4070436758132000.pdf" (PID: 3716)
- RdrCEF.exe --backgroundcolor=16448250 (PID: 4060)
- RdrCEF.exe --type=renderer --primordial-pipe-token=FCA97343919E38A0F4C5F9567D95F36B --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.11.20036 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=FCA97343919E38A0F4C5F9567D95F36B --renderer-client-id=2 --mojo-platform-channel-handle=1276 --allow-no-sandbox-job /prefetch:1 (PID: 2272)
- RdrCEF.exe --type=renderer --primordial-pipe-token=7ABF9EB0296B989D78BDA4AB702C9366 --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.11.20036 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=7ABF9EB0296B989D78BDA4AB702C9366 --renderer-client-id=3 --mojo-platform-channel-handle=1316 --allow-no-sandbox-job /prefetch:1 (PID: 2620)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files

Informative (7)
data_1
- Size: 264KiB (270336 bytes)
- Type: data
- Runtime Process: RdrCEF.exe (PID: 4060)
- MD5: 35be0640de07c0ace868928bc540b400
- SHA1: 520141d3e14d75cc346889941a87cc42d669cb78
- SHA256: 46554a3d30e68c94bdcca899b68e33e712bdf8f7d31417257c1546e0ed7f0042

Visited Links
- Size: 128KiB (131072 bytes)
- Type: data
- Runtime Process: RdrCEF.exe (PID: 4060)
- MD5: e5f299c3100e113c9343e86ed9504a2d
- SHA1: 7865b3759d1cba84cc165aceb3ceee856f31f6e2
- SHA256: 9d1c9dc432b2e97f7a54b4da2724e4ff96dc719e60cb89c9f82dbec9226856c3

A9R4d4m91_1ei9t1i_2v8.tmp
- Size: 2B (2 bytes)
- Type: data
- Runtime Process: AcroRd32.exe (PID: 3716)
- MD5: c4103f122d27677c9db144cae1394a66
- SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

A9Rgy6gso_1ei9t1j_2v8.tmp
- Size: 2B (2 bytes)
- Type: data
- Runtime Process: AcroRd32.exe (PID: 3716)
- MD5: c4103f122d27677c9db144cae1394a66
- SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

A9Roc50va_1ei9t1k_2v8.tmp
- Size: 2B (2 bytes)
- Type: data
- Runtime Process: AcroRd32.exe (PID: 3716)
- MD5: c4103f122d27677c9db144cae1394a66
- SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
- Size: 637B (637 bytes)
- Type: data
- MD5: 974e8536b8767ac5be204f35d16f73e8
- SHA1: e847897947a3db26e35cb7d490c688e8c410dfb7
- SHA256: d1bb4b163fe01acc368a92b385bb0bd3a9fc2340b6d485b77a20553a713166d3

CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
- Size: 425B (425 bytes)
- Type: data
- MD5: b1783b97d2072e141e12e8911e151704
- SHA1: e3a9fe0da15be51286f39d6092e9126443669e49
- SHA256: 9009ab7605c35a2b5121b8b5c966b3c893edba9966925268c45ad05b348671c8