File pastebin-hack-robux-free.pdf

Size 59.9KB
Type PDF document, version 1.4
MD5 c2b0b4d398eb0f13da401b565ff868db
SHA1 99fe45ba4343a833f73216c39e71ab51718c2c4b
SHA256 e923df131c22c0874ac61c70b8efb4695bc456e0bac97d550eebe690d5ee89e5
SHA512 805f1b7bdf5344c5d9f2c5d9911c9534ea0b869eff81c3e81cb9bfcb9ee1881dcfb849ab95823546b4f157b3c7e3e67205b906971c94585552da5f975afe8d3d
CRC32 C405B440
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • invalid_trailer_structure - (no description)
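
The invalid_trailer_structure hit above is a structural rule about the PDF's trailer and cross-reference layout; its body is not reproduced on this page. As an added example (written for this page, not the Yara rule Cuckoo actually ran), the following Python implements the checks such a rule typically encodes: the file must end in a startxref offset that lands on an xref table or an xref stream object, and the trailer dictionary must carry /Size and /Root. The two sample PDFs are constructed inline, and the function names are this example's own.

```python
import re

# Last 'startxref <offset>' followed by %%EOF; incremental updates append new ones.
STARTXREF_RE = re.compile(rb"startxref\s+(\d+)\s*%%EOF")
# Classic trailer dictionary. Non-greedy, so a nested << >> inside the trailer
# (rare in practice) would cut the match short; good enough for a heuristic.
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)


def build_minimal_pdf() -> bytes:
    """Constructed sample: a tiny single-page PDF whose xref offsets are computed,
    so it passes a structural check.  Not derived from the analysed file."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"              # entry for the free object 0
    for off in offsets:
        out += b"%010d 00000 n \n" % off         # one 20-byte entry per object
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)


def corrupt_trailer(pdf: bytes) -> bytes:
    """Constructed negative sample: drop /Root from the trailer and point
    startxref at byte 0, where no xref table lives."""
    broken = pdf.replace(b"/Root 1 0 R", b"")
    return re.sub(rb"startxref\s+\d+", b"startxref\n0", broken)


def check_pdf_trailer(data: bytes) -> list:
    """Return a list of structural problems with the PDF's trailer/xref.

    An empty list means the trailer looks well-formed.  This is an added
    heuristic written for this page, not the Yara rule the sandbox ran.
    """
    problems = []
    if not data.startswith(b"%PDF-"):
        problems.append("missing %PDF- header")

    last = None
    for last in STARTXREF_RE.finditer(data):
        pass                                     # keep only the final match
    if last is None:
        problems.append("no 'startxref <offset> %%EOF' block at end of file")
    else:
        offset = int(last.group(1))
        at_xref_table = data.startswith(b"xref", offset)
        at_xref_stream = re.match(rb"\d+ \d+ obj", data[offset:offset + 32]) is not None
        if offset >= len(data):
            problems.append("startxref offset %d is beyond end of file (%d bytes)" % (offset, len(data)))
        elif not (at_xref_table or at_xref_stream):
            problems.append("startxref offset %d does not point at 'xref' or an xref stream object" % offset)

    trailers = TRAILER_RE.findall(data)
    has_xref_stream = re.search(rb"/Type\s*/XRef", data) is not None
    if not trailers and not has_xref_stream:
        problems.append("no trailer dictionary and no /Type /XRef stream")
    for tdict in trailers:
        for key in (b"/Size", b"/Root"):
            if key not in tdict:
                problems.append("trailer dictionary lacks %s" % key.decode())
    if has_xref_stream and not trailers and b"/Root" not in data:
        problems.append("xref stream present but no /Root entry anywhere")
    return problems


if __name__ == "__main__":
    for label, sample in (("well-formed", build_minimal_pdf()),
                          ("corrupted", corrupt_trailer(build_minimal_pdf()))):
        print(label, check_pdf_trailer(sample) or "OK")
```

A hit from a check like this is a weak signal on its own: phishing PDFs produced by web-based generators are often structurally sloppy, but so are many benign files, which is why the sandbox combines it with the AV and network signatures further down.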

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Analysis
Category  Started                    Completed                  Duration    Routing
FILE      Dec. 14, 2023, 6:38 a.m.   Dec. 14, 2023, 6:39 a.m.   92 seconds  internet

Analyzer Log

2023-12-14 05:37:57,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpdrdvpd
2023-12-14 05:37:57,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\ZUqFTrGGBqURVtEMmLTFd
2023-12-14 05:37:57,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\DzVybjKLvucxpOHGbIwrWsQ
2023-12-14 05:37:57,203 [analyzer] DEBUG: Started auxiliary module Curtain
2023-12-14 05:37:57,203 [analyzer] DEBUG: Started auxiliary module DbgView
2023-12-14 05:37:57,733 [analyzer] DEBUG: Started auxiliary module Disguise
2023-12-14 05:37:57,937 [analyzer] DEBUG: Loaded monitor into process with pid 508
2023-12-14 05:37:57,937 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2023-12-14 05:37:57,937 [analyzer] DEBUG: Started auxiliary module Human
2023-12-14 05:37:57,937 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2023-12-14 05:37:57,937 [analyzer] DEBUG: Started auxiliary module Reboot
2023-12-14 05:37:58,000 [analyzer] DEBUG: Started auxiliary module RecentFiles
2023-12-14 05:37:58,000 [analyzer] DEBUG: Started auxiliary module Screenshots
2023-12-14 05:37:58,000 [analyzer] DEBUG: Started auxiliary module Sysmon
2023-12-14 05:37:58,000 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2023-12-14 05:37:58,108 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pastebin-hack-robux-free.pdf'] and pid 1140
2023-12-14 05:37:58,265 [analyzer] DEBUG: Loaded monitor into process with pid 1140
2023-12-14 05:37:59,500 [analyzer] INFO: Added new file to list with pid 1140 and path C:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin
2023-12-14 05:37:59,655 [analyzer] INFO: Added new file to list with pid 1140 and path C:\Users\Administrator\AppData\Local\Adobe\Color\Profiles\wscRGB.icc
2023-12-14 05:37:59,671 [analyzer] INFO: Added new file to list with pid 1140 and path C:\Users\Administrator\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
2023-12-14 05:37:59,687 [analyzer] INFO: Added new file to list with pid 1140 and path C:\Users\Administrator\AppData\Local\Adobe\Color\ACECache10.lst
2023-12-14 05:38:02,405 [analyzer] INFO: Added new file to list with pid 1140 and path C:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
2023-12-14 05:38:02,421 [analyzer] INFO: Added new file to list with pid 1140 and path C:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
2023-12-14 05:38:57,108 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2023-12-14 05:38:57,421 [analyzer] INFO: Terminating remaining processes before shutdown.
2023-12-14 05:38:57,421 [lib.api.process] INFO: Successfully terminated process with pid 1140.
2023-12-14 05:38:57,453 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\roaming\\adobe\\acrobat\\9.0\\shareddataevents-journal' does not exist, skip.
2023-12-14 05:38:57,453 [analyzer] INFO: Analysis completed.

Cuckoo Log

2023-12-14 06:38:07,265 [cuckoo.core.scheduler] INFO: Task #4441312: acquired machine win7x6412 (label=win7x6412)
2023-12-14 06:38:07,265 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.212 for task #4441312
2023-12-14 06:38:07,422 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1293070 (interface=vboxnet0, host=192.168.168.212)
2023-12-14 06:38:07,615 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6412
2023-12-14 06:38:08,104 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6412 to vmcloak
2023-12-14 06:38:20,889 [cuckoo.core.guest] INFO: Starting analysis #4441312 on guest (id=win7x6412, ip=192.168.168.212)
2023-12-14 06:38:21,894 [cuckoo.core.guest] DEBUG: win7x6412: not ready yet
2023-12-14 06:38:26,924 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6412, ip=192.168.168.212)
2023-12-14 06:38:26,972 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6412, ip=192.168.168.212, monitor=latest, size=6659295)
2023-12-14 06:38:27,930 [cuckoo.core.resultserver] DEBUG: Task #4441312: live log analysis.log initialized.
2023-12-14 06:38:28,808 [cuckoo.core.resultserver] DEBUG: Task #4441312 is sending a BSON stream
2023-12-14 06:38:29,136 [cuckoo.core.resultserver] DEBUG: Task #4441312 is sending a BSON stream
2023-12-14 06:38:30,029 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'shots/0001.jpg'
2023-12-14 06:38:30,041 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 125318
2023-12-14 06:38:31,136 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'shots/0002.jpg'
2023-12-14 06:38:31,147 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 138991
2023-12-14 06:38:32,268 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'shots/0003.jpg'
2023-12-14 06:38:32,279 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 132422
2023-12-14 06:38:39,461 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'shots/0004.jpg'
2023-12-14 06:38:39,473 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 130591
2023-12-14 06:38:42,724 [cuckoo.core.guest] DEBUG: win7x6412: analysis #4441312 still processing
2023-12-14 06:38:57,826 [cuckoo.core.guest] DEBUG: win7x6412: analysis #4441312 still processing
2023-12-14 06:39:12,898 [cuckoo.core.guest] DEBUG: win7x6412: analysis #4441312 still processing
2023-12-14 06:39:27,978 [cuckoo.core.guest] DEBUG: win7x6412: analysis #4441312 still processing
2023-12-14 06:39:28,235 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'curtain/1702528737.3.curtain.log'
2023-12-14 06:39:28,239 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 36
2023-12-14 06:39:28,336 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'sysmon/1702528737.39.sysmon.xml'
2023-12-14 06:39:28,348 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 788400
2023-12-14 06:39:28,375 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'files/57a1b18473496132_wscrgb.icc'
2023-12-14 06:39:28,383 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 66208
2023-12-14 06:39:28,384 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'files/977a75b22eb6ae12_wsrgb.icc'
2023-12-14 06:39:28,387 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 2676
2023-12-14 06:39:28,388 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'files/f01f36a20e17d8d0_acecache10.lst'
2023-12-14 06:39:28,390 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 1946
2023-12-14 06:39:28,391 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'files/eac8db284af335fd_shareddataevents'
2023-12-14 06:39:28,393 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 3072
2023-12-14 06:39:28,394 [cuckoo.core.resultserver] DEBUG: Task #4441312: File upload for 'files/2cbbfbe12768f624_usercache.bin'
2023-12-14 06:39:28,397 [cuckoo.core.resultserver] DEBUG: Task #4441312 uploaded file length: 69063
2023-12-14 06:39:28,413 [cuckoo.core.resultserver] DEBUG: Task #4441312 had connection reset for <Context for LOG>
2023-12-14 06:39:31,052 [cuckoo.core.guest] INFO: win7x6412: analysis completed successfully
2023-12-14 06:39:31,066 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2023-12-14 06:39:31,117 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2023-12-14 06:39:31,804 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6412 to path /srv/cuckoo/cwd/storage/analyses/4441312/memory.dmp
2023-12-14 06:39:31,806 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6412
2023-12-14 06:39:39,007 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.212 for task #4441312
2023-12-14 06:39:39,133 [cuckoo.core.scheduler] DEBUG: Released database task #4441312
2023-12-14 06:39:39,149 [cuckoo.core.scheduler] INFO: Task #4441312: analysis procedure completed

Signatures

Yara rules detected for file (2 events)
description Possibly employs anti-virtualization techniques rule vmdetect
description (no description) rule invalid_trailer_structure
Raised Snort alerts (1 event)
snort ET POLICY HTTP Outbound Request contains pw
File has been identified by 8 AntiVirus engines on IRMA as malicious (8 events)
G Data Antivirus (Windows) Virus: PDF.Spam.Heur.4 (Engine A), PDF.Trojan-Stealer.Phish.HY (Engine B)
Avast Core Security (Linux) PDF:PhishingX-gen [Phish]
F-Secure Antivirus (Linux) Malware.HTML/Malicious.PDF.Gen [Aquarius]
Forticlient (Linux) PDF/Phishing.0931!tr
eScan Antivirus (Linux) PDF.Spam.Heur.4(DB)
ESET Security (Windows) PDF/Phishing.Agent.OJW trojan
DrWeb Antivirus (Linux) PDF.Phisher.296
Bitdefender Antivirus (Linux) PDF.Spam.Heur.4
File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)
MicroWorld-eScan PDF.Spam.Heur.4
CAT-QuickHeal PDF.Phishing.44300
Sangfor Phishing.Generic-PDF.Save.6ba00801
Cyren PDF/Rbloxphish.A.gen!Camelot
ESET-NOD32 PDF/Phishing.Agent.OJW
Avast PDF:PhishingX-gen [Phish]
Cynet Malicious (score: 99)
BitDefender PDF.Spam.Heur.4
Rising Trojan.Phishing/PDF!1.AD81 (CLASSIC)
F-Secure Malware.HTML/Malicious.PDF.Gen
DrWeb PDF.Phisher.296
VIPRE PDF.Spam.Heur.4
McAfee-GW-Edition BehavesLike.PDF.Suspicious.qb
FireEye PDF.Spam.Heur.4
Emsisoft PDF.Spam.Heur.4 (B)
Ikarus Spammed.PDF.Doc
GData PDF.Trojan-Stealer.Phish.HY
Avira HTML/Malicious.PDF.Gen
MAX malware (ai score=80)
Arcabit PDF.Spam.Heur.4
Google Detected
AhnLab-V3 Phishing/PDF.Malurl.gn.S1807
ALYac PDF.Spam.Heur.4
MaxSecure Trojan.WIN32.pdf.spam.heur.3
Fortinet PDF/Phishing.0931!tr
AVG PDF:PhishingX-gen [Phish]
Screenshots

Four screenshots (shots/0001.jpg to shots/0004.jpg) were uploaded during the analysis; the images are not reproduced here.

Network

Domains (Name / Response / Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address / Status / Action / VT / Location): No hosts contacted.