Errors

  • Failed to run the processing module "MISP" for task #5953941:

        Traceback (most recent call last):
          File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 250, in process
            data = current.run()
          File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/misp.py", line 143, in run
            self.search_ioc(ioc)
          File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/misp.py", line 60, in search_ioc
            event = self.find_event(event_id).get("Event")
        AttributeError: 'NoneType' object has no attribute 'get'

    find_event() returned None for an event ID and the module called .get() on that result without a None check. Only the MISP enrichment is missing from this report; the remaining sections were produced normally.

File pdf1.pdf

Size 45.3KB
Type PDF document, version 1.0, 1 pages
MD5 bc65084128d6585291b01611408c36a7
SHA1 695e6962aafa46db9a791d3f68cdb5b64fb3d025
SHA256 8fa9773481b3a1305bfbc405539d968278ecf7595858a796bac065db3aa5263a
SHA512 07451ae24090ff722d063c7992d949e325f9aeb2177169556c343172a9211c7c2ece05db34aa67a506e115c6c1246d59a6eb84ba9edc65ba18c2cf8711d091fc
CRC32 6B6A6455
ssdeep None
Yara
  • suspicious_launch_action - (no description)
  • suspicious_embed - (no description)
  • multiple_versions - Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed
  • js_wrong_version - JavaScript was introduced in v1.3
  • FlateDecode_wrong_version - Flate was introduced in v1.2
  • embed_wrong_version - EmbeddedFiles were introduced in v1.3
  • PDF_Embedded_Exe - (no description)

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis

Category FILE
Started Feb. 11, 2025, 9:04 p.m.
Completed Feb. 11, 2025, 9:11 p.m.
Duration 418 seconds
Routing internet

Analyzer Log

2025-02-11 20:04:26,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpqqrt4a
2025-02-11 20:04:26,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\WWIurVrUOfeQCpBhQP
2025-02-11 20:04:26,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\teWWZAWHyLyHjTWTLYfyxuNXrMFCNW
2025-02-11 20:04:26,280 [analyzer] DEBUG: Started auxiliary module Curtain
2025-02-11 20:04:26,280 [analyzer] DEBUG: Started auxiliary module DbgView
2025-02-11 20:04:26,733 [analyzer] DEBUG: Started auxiliary module Disguise
2025-02-11 20:04:26,937 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-02-11 20:04:26,937 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-02-11 20:04:26,937 [analyzer] DEBUG: Started auxiliary module Human
2025-02-11 20:04:26,937 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-02-11 20:04:26,953 [analyzer] DEBUG: Started auxiliary module Reboot
2025-02-11 20:04:27,000 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-02-11 20:04:27,000 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-02-11 20:04:27,000 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-02-11 20:04:27,000 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-02-11 20:04:27,171 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pdf1.pdf'] and pid 2544
2025-02-11 20:04:27,328 [analyzer] DEBUG: Loaded monitor into process with pid 2544
2025-02-11 20:04:28,733 [analyzer] INFO: Added new file to list with pid 2544 and path C:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin
2025-02-11 20:04:28,967 [analyzer] INFO: Added new file to list with pid 2544 and path C:\Users\Administrator\AppData\Local\Adobe\Color\Profiles\wscRGB.icc
2025-02-11 20:04:29,000 [analyzer] INFO: Added new file to list with pid 2544 and path C:\Users\Administrator\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
2025-02-11 20:04:29,030 [analyzer] INFO: Added new file to list with pid 2544 and path C:\Users\Administrator\AppData\Local\Adobe\Color\ACECache10.lst
2025-02-11 20:08:33,224 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-02-11 20:08:33,427 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2544.
2025-02-11 20:08:33,802 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-02-11 20:08:33,802 [lib.api.process] INFO: Successfully terminated process with pid 2544.
2025-02-11 20:08:33,834 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-02-11 21:04:36,253 [cuckoo.core.scheduler] INFO: Task #5953941: acquired machine win7x6428 (label=win7x6428)
2025-02-11 21:04:36,254 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.228 for task #5953941
2025-02-11 21:04:36,643 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2791526 (interface=vboxnet0, host=192.168.168.228)
2025-02-11 21:04:36,726 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6428
2025-02-11 21:04:37,493 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6428 to vmcloak
2025-02-11 21:07:55,725 [cuckoo.core.guest] INFO: Starting analysis #5953941 on guest (id=win7x6428, ip=192.168.168.228)
2025-02-11 21:07:56,729 [cuckoo.core.guest] DEBUG: win7x6428: not ready yet
2025-02-11 21:08:01,751 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6428, ip=192.168.168.228)
2025-02-11 21:08:01,835 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6428, ip=192.168.168.228, monitor=latest, size=6660546)
2025-02-11 21:08:03,037 [cuckoo.core.resultserver] DEBUG: Task #5953941: live log analysis.log initialized.
2025-02-11 21:08:03,928 [cuckoo.core.resultserver] DEBUG: Task #5953941 is sending a BSON stream
2025-02-11 21:08:04,318 [cuckoo.core.resultserver] DEBUG: Task #5953941 is sending a BSON stream
2025-02-11 21:08:05,151 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'shots/0001.jpg'
2025-02-11 21:08:05,162 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 125279
2025-02-11 21:08:07,300 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'shots/0002.jpg'
2025-02-11 21:08:07,318 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 137922
2025-02-11 21:08:08,427 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'shots/0003.jpg'
2025-02-11 21:08:08,436 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 82555
2025-02-11 21:08:17,768 [cuckoo.core.guest] DEBUG: win7x6428: analysis #5953941 still processing
2025-02-11 21:08:32,856 [cuckoo.core.guest] DEBUG: win7x6428: analysis #5953941 still processing
2025-02-11 21:08:33,591 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'curtain/1739300913.58.curtain.log'
2025-02-11 21:08:33,594 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 36
2025-02-11 21:08:33,785 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'sysmon/1739300913.77.sysmon.xml'
2025-02-11 21:08:33,802 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 1722626
2025-02-11 21:08:33,810 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'files/98c7f6355ab142d2_wscrgb.icc'
2025-02-11 21:08:33,812 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 66208
2025-02-11 21:08:33,817 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'files/505336e52224990b_wsrgb.icc'
2025-02-11 21:08:33,819 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 2676
2025-02-11 21:08:33,825 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'files/816cede54a7230f6_acecache10.lst'
2025-02-11 21:08:33,826 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 1946
2025-02-11 21:08:33,832 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'files/2cbbfbe12768f624_usercache.bin'
2025-02-11 21:08:33,834 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 69063
2025-02-11 21:08:34,074 [cuckoo.core.resultserver] DEBUG: Task #5953941: File upload for 'shots/0004.jpg'
2025-02-11 21:08:34,093 [cuckoo.core.resultserver] DEBUG: Task #5953941 uploaded file length: 133699
2025-02-11 21:08:34,107 [cuckoo.core.resultserver] DEBUG: Task #5953941 had connection reset for <Context for LOG>
2025-02-11 21:08:35,871 [cuckoo.core.guest] INFO: win7x6428: analysis completed successfully
2025-02-11 21:08:35,884 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-02-11 21:08:35,914 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-02-11 21:08:36,921 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6428 to path /srv/cuckoo/cwd/storage/analyses/5953941/memory.dmp
2025-02-11 21:08:36,922 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6428
2025-02-11 21:11:34,006 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.228 for task #5953941
2025-02-11 21:11:34,505 [cuckoo.core.scheduler] DEBUG: Released database task #5953941
2025-02-11 21:11:34,537 [cuckoo.core.scheduler] INFO: Task #5953941: analysis procedure completed

Signatures

Yara rules detected for file (7 events)
description (no description) rule suspicious_launch_action
description (no description) rule suspicious_embed
description Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed rule multiple_versions
description JavaScript was introduced in v1.3 rule js_wrong_version
description Flate was introduced in v1.2 rule FlateDecode_wrong_version
description EmbeddedFiles were introduced in v1.3 rule embed_wrong_version
description (no description) rule PDF_Embedded_Exe
The PDF file contains an attachment (1 event)
Attached file template.pdf
The PDF file contains JavaScript code (1 event)
Javascript code this.exportDataObject({ cName: "template", nLaunch: 0 });
The PDF file contains an open action (1 event)
Open action << /Type /Action /S /JavaScript /JS this.exportDataObject({ cName: "template", nLaunch: 0 }); >>
The PDF open action contains JavaScript code (1 event)
Open action << /Type /Action /S /JavaScript /JS this.exportDataObject({ cName: "template", nLaunch: 0 }); >>
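The four signatures above describe one mechanism: a PDF declaring version 1.0 that carries features introduced in 1.2/1.3, an embedded file, and an /OpenAction whose JavaScript calls exportDataObject on that attachment (nLaunch: 0 exports it without launching). The script below is an added example of the static checks a reviewer would run before detonation; it is not Cuckoo's code and not the analysed sample. SAMPLE_PDF is a constructed stand-in that reproduces the report's structure (1.0 header, open-action JavaScript, embedded file named "template"), and the version table is taken from the Yara rule descriptions on this page.

```python
import re

# PDF version in which each feature first appeared, as stated by the
# js_wrong_version / FlateDecode_wrong_version / embed_wrong_version rules above.
MIN_VERSION = {
    b"/JavaScript": (1, 3),
    b"/JS": (1, 3),
    b"/EmbeddedFiles": (1, 3),
    b"/FlateDecode": (1, 2),
}

# Constructed sample (not pdf1.pdf): %PDF-1.0 header, /OpenAction running
# JavaScript, one embedded file named "template" stored with FlateDecode.
SAMPLE_PDF = b"""%PDF-1.0
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles 6 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /Type /Action /S /JavaScript /JS (this.exportDataObject({ cName: "template", nLaunch: 0 });) >> endobj
6 0 obj << /Names [(template) 7 0 R] >> endobj
7 0 obj << /Type /Filespec /F (template.pdf) /EF << /F 8 0 R >> >> endobj
8 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length 4 >> stream
xxxx
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def header_version(data):
    """Return (major, minor) from the %PDF-x.y header, or None if absent."""
    m = re.match(rb"%PDF-(\d)\.(\d)", data)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_mismatches(data):
    """Feature names present in the file but introduced after the declared version."""
    ver = header_version(data)
    if ver is None:
        return []
    return sorted(
        name.decode()
        for name, introduced in MIN_VERSION.items()
        # (?![A-Za-z]) stops /JS from matching the start of a longer name
        if ver < introduced and re.search(re.escape(name) + rb"(?![A-Za-z])", data)
    )


def _literal_string(buf, start):
    """Decode a PDF literal string starting at buf[start] == b'(' (balanced parens)."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":              # backslash escape: keep the next byte verbatim
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:          # opening paren of the string itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:          # closing paren of the string itself
                break
        out += c
        i += 1
    return bytes(out)


def open_action_javascript(data):
    """JavaScript run at open time (/OpenAction -> /S /JavaScript /JS), or None."""
    ref = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)
    if not ref:
        return None
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+\d+\s+obj(.*?)endobj", data, re.S)
    if not obj or b"/JavaScript" not in obj.group(1):
        return None
    body = obj.group(1)
    js = re.search(rb"/JS\s*\(", body)
    if not js:
        return "<non-literal /JS value: hex string or stream, not decoded here>"
    return _literal_string(body, js.end() - 1).decode("latin-1")


def embedded_file_names(data):
    """File names declared by /Filespec dictionaries, in document order."""
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]*)\)", data)]


def triage(data):
    """Summarise what a reviewer checks before sending the file to a sandbox."""
    js = open_action_javascript(data)
    return {
        "version": header_version(data),
        "version_mismatches": version_mismatches(data),
        "open_action_js": js,
        "embedded_files": embedded_file_names(data),
        # exportDataObject writes the attachment to disk; nLaunch decides whether it is launched
        "open_action_exports_attachment": bool(js and "exportDataObject" in js),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The parser deliberately handles only literal-string /JS values; if the JavaScript is stored as a hex string or in a stream object (common in obfuscated samples) the function says so instead of guessing, and the file still trips the version-mismatch check, which needs no decoding at all.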
File has been identified by 13 AntiVirus engines on IRMA as malicious (13 events)
G Data Antivirus (Windows) Virus: Exploit.PDF-Dropper.Gen, Trojan.CryptZ.Marte.1.Gen (Engine A), Win32.Trojan.PSE.10KKVZ1 (Engine B)
Avast Core Security (Linux) Win32:Meterpreter-C [Trj]
C4S ClamAV (Linux) Win.Trojan.MSShellcode-7
F-Secure Antivirus (Linux) Trojan:PDF/Embedded.E [FSE]
Sophos Anti-Virus (Linux) Troj/PDFJs-AIA
eScan Antivirus (Linux) Trojan.CryptZ.Marte.1.Gen(DB)
ESET Security (Windows) PDF/TrojanDropper.Agent.D trojan
McAfee CLI scanner (Linux) Swrort.i trojan
DrWeb Antivirus (Linux) Trojan.Swrort.1
ClamAV (Linux) Win.Trojan.MSShellcode-7
Bitdefender Antivirus (Linux) Exploit.PDF-Dropper.Gen
Kaspersky Standard (Windows) HEUR:Trojan.Win32.Generic
Emsisoft Commandline Scanner (Windows) Exploit.PDF-Dropper.Gen (B)
File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)
Bkav W32.PdfLaunch.Trojan
Lionic Trojan.PDF.Swrort.4!c
ClamAV Pdf.Tool.Agent-1388586
CTX pdf.trojan.swrort
CAT-QuickHeal Trojan.Swrort.A
Skyhigh BehavesLike.PDF.Swrort.pb
ALYac Trojan.CryptZ.Marte.1.Gen
Cylance Unsafe
VIPRE Trojan.CryptZ.Marte.1.Gen
Sangfor HackTool.Win32.Reverse_Bin_v2_5_through_v4_x.uwccg
Arcabit Exploit.PDF-Dropper.Gen [many]
Baidu Multi.Threats.InArchive
Symantec Packed.Generic.347
ESET-NOD32 PDF/TrojanDropper.Agent.D
TrendMicro-HouseCall Backdoor.Win32.SWRORT.SMAL01
Avast Win32:Meterpreter-C [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Exploit.PDF-Dropper.Gen
NANO-Antivirus Trojan.Win32.Shellcode.ewfvwj
MicroWorld-eScan Exploit.PDF-Dropper.Gen
Rising Dropper.Agent/PDF!1.C7BB (CLASSIC)
Emsisoft Exploit.PDF-Dropper.Gen (B)
F-Secure Trojan:PDF/Embedded.E
DrWeb Trojan.Swrort.1
TrendMicro HEUR_PDFEXP.D
Sophos Troj/PDFJs-AIA
SentinelOne Static AI - Malicious PDF
FireEye Exploit.PDF-Dropper.Gen
Jiangmin Exploit.PDF.nc
Google Detected
Avira TR/Patched.Gen2
Microsoft Trojan:Win32/Meterpreter.O
ViRobot PDF.Z.Agent.46360.K
GData Win32.Backdoor.Swrort.C
Varist W32/Swrort.A.gen!Eldorado
McAfee Swrort.i
Ikarus possible-Threat.PDF.Acmd
Tencent PDF.Win32.Script.900188
huorong Backdoor/Meterpreter.d
MaxSecure Trojan.Swrort.B
Fortinet W32/Rozena.ABV!tr
AVG Win32:Meterpreter-C [Trj]
alibabacloud HackTool:Pdf/Agent.1388586
Screenshots

Four screenshots (shots/0001.jpg to shots/0004.jpg) were captured during the run; the images are not reproduced here.

Domains contacted (Name, Response, Post-Analysis Lookup)
No hosts contacted.

Hosts contacted (IP Address, Status, Action, VT, Location)
No hosts contacted.