pdf[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

pdf.exe
Size

132KB
MD5

1cb7210108a9c176678ce551e0929d87
SHA1

b3370661c3de743dfb83319804f1d84b81665c33
SHA256

af98b30d5d0fd4a599d251ebbe119e54bde552df857d9cbcd17d621abd13f1fe
SHA512

b1102da988c714a31fa119954f794416810eb85f8ef1a08fd2d3d4394438b81c9baaf5793533434edb1fee7163fdc5cec018d38524c63c8ba2ba1485aa17b977
SSDEEP

3072:Sk5hbcvETgQo898EGpJNZCJZ+116NqQdDc:SybcvmgQouGpJnr11GZi

Score

1^/10

Malware Config

Signatures

Files

pdf.exe
.exe windows x86

c44745def0c8db6fe9c8dc3052e7a650

Code Sign

07
Certificate

Issuer

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

03/05/2011, 07:00

Not After

03/05/2031, 07:00

Subject

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

d7:2d:93:9d:11:33:54:6c
Certificate

Issuer

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

02/02/2021, 08:15

Not After

22/03/2024, 22:12

Subject

CN=PaperCut Software International Pty. Ltd.,O=PaperCut Software International Pty. Ltd.,L=Camberwell,ST=Victoria,C=AU

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

11/05/2022, 00:00

Not After

10/08/2033, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #3,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

38:15:8a:78:41:77:69:65:35:9c:55:de:46:b4:08:05:46:cb:ad:c0
Signer

Actual PE Digest

38:15:8a:78:41:77:69:65:35:9c:55:de:46:b4:08:05:46:cb:ad:c0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WaitForSingleObject
CloseHandle
lstrlenA
lstrlenW
WideCharToMultiByte
CreateProcessW
Sleep
MultiByteToWideChar
SetEnvironmentVariableA
CompareStringW
GetProcessHeap
SetEndOfFile
CreateFileA
GetStringTypeW
HeapSize
WriteConsoleW
SetStdHandle
FlushFileBuffers
GetTimeZoneInformation
GetFileAttributesW
TerminateProcess
GetTempPathW
GetComputerNameW
GetCurrentProcessId
GetModuleFileNameW
GetSystemTime
GetLastError
CreateDirectoryW
GetProcAddress
LoadLibraryW
GetCurrentProcess
GetCurrentThreadId
CreateFileW
SetUnhandledExceptionFilter
FormatMessageW
GetComputerNameExW
SetLastError
DeleteFileW
GetModuleHandleW
ExitProcess
DecodePointer
GetCommandLineW
HeapSetInformation
HeapFree
HeapReAlloc
HeapAlloc
GetSystemTimeAsFileTime
EnterCriticalSection
LeaveCriticalSection
UnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
SetFilePointer
WriteFile
GetConsoleCP
GetConsoleMode
ReadFile
InitializeCriticalSectionAndSpinCount
RtlUnwind
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
InterlockedDecrement
DeleteCriticalSection
GetStdHandle
IsProcessorFeaturePresent
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoW
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW

user32

PostMessageW
GetWindow
IsWindowVisible
GetWindowLongW
GetParent
GetWindowTextW
GetWindowThreadProcessId
GetTopWindow

xpdfprint

pdfPrint4
pdfFree
pdfPrintSetQueueName
pdfPrintSetCopies
pdfPrintSetPrinter
pdfOkToPrint
pdfPrintForceGDI
pdfLoadFileW

winspool.drv

OpenPrinterW
ord204
EnumPrintersW
ClosePrinter
AddPrinterConnectionW

advapi32

RegCloseKey
RegOpenKeyExW
RegSetValueExW
GetUserNameW
RegQueryValueExW

Sections

.text
Size: 89KB - Virtual size: 89KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c44745def0c8db6fe9c8dc3052e7a650

Code Sign

07Certificate

Key Usages

d7:2d:93:9d:11:33:54:6cCertificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43Certificate

Extended Key Usages

Key Usages

38:15:8a:78:41:77:69:65:35:9c:55:de:46:b4:08:05:46:cb:ad:c0Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

xpdfprint

winspool.drv

advapi32

Sections

.text Size: 89KB - Virtual size: 89KB

.rdata Size: 21KB - Virtual size: 21KB

.data Size: 5KB - Virtual size: 13KB

.rsrc Size: 512B - Virtual size: 436B

.reloc Size: 7KB - Virtual size: 7KB

07
Certificate

d7:2d:93:9d:11:33:54:6c
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

38:15:8a:78:41:77:69:65:35:9c:55:de:46:b4:08:05:46:cb:ad:c0
Signer

.text
Size: 89KB - Virtual size: 89KB

.rdata
Size: 21KB - Virtual size: 21KB

.data
Size: 5KB - Virtual size: 13KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 7KB - Virtual size: 7KB