Setup_bioPDFSetup_10_12_0_2363_PRO_EXP.msi
This report is generated from a file or URL submitted to this webservice on June 1st 2015 20:17:20 (UTC)
Report generated by Falcon Sandbox v1.80 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
-
Suspicious Indicators 6
-
Environment Awareness
-
Queries volume information
- details
-
"WINWORD.EXE" queries volume information of "Z:\" at 00153984-00002512-7732FF7C-168015
"WINWORD.EXE" queries volume information of "Z:\share" at 00153984-00002512-7732FF7C-168016
- source
- API Call
- relevance
- 2/10
-
Queries volume information of an entire harddrive
- details
- "WINWORD.EXE" queries volume information of "Z:\" at 00153984-00002512-7732FF7C-168015
- source
- API Call
- relevance
- 8/10
-
General
-
Reads configuration files
- details
-
"WINWORD.EXE" read file "C:\Users\desktop.ini"
"WINWORD.EXE" read file "%USERPROFILE%\Desktop\desktop.ini"
"WINWORD.EXE" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
"WINWORD.EXE" read file "C:\Users\%USERNAME%\Videos\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Network Related
-
Found potential URL in binary/memory
- details
- "www.exemsi.combioPDFPDF"
- source
- String
- relevance
- 2/10
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- source
- String
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "16DB7A71" to virtual address "0x2F5B1634" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "E95BCE57F7" to virtual address "0x764A87C9" ("SetUnhandledExceptionFilter@kernel32.dll")
- source
- Hooks
- relevance
- 10/10
-
Informative 6
-
General
-
Contains PDB pathways
- details
- source
- String
- relevance
- 1/10
-
Creates mutants
- details
-
"Local\WinSpl64To32Mutex_18ec3_0_3000"
"KYIMEShareCachedData.MutexObject.PSPUBWS"
"KYTransactionServer.MutexObject.PSPUBWS"
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%PROGRAMFILES%\(x86)\Common Files\Microsoft Shared\office12\riched20.dll" at 6C570000
- source
- Loaded Module
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
- "DecodePointer@KERNELBASE.dll"
- source
- API Call
- relevance
- 1/10
-
Sample was identified as clean by Antivirus engines
- details
- 0/57 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- Anti-Virus Test Result
- relevance
- 10/10
-
Installation/Persistence
-
Dropped files
- details
-
"~$Normal.dotm" has type "data"
"~WRS{3E0EAC5F-EBC7-48E3-87CF-26DF4C244EFC}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"opa12.dat" has type "data"
"~$727cbf4b640acdd97eefe6647d4cabd5f4558b1756da593bf51c01ce8e5670.doc" has type "data"
"~WRS{DCB3D219-D6B9-49B3-A606-0D139452B6C4}.tmp" has type "data"
"~WRD0000.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
"~WRD0001.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
- source
- Dropped File
- relevance
- 3/10
-
File Details
Setup_bioPDFSetup_10_12_0_2363_PRO_EXP.msi
- Filename
- Setup_bioPDFSetup_10_12_0_2363_PRO_EXP.msi
- Size
- 6.9MiB (7254016 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: PDF Writer - bioPDF 10.12.0.2363, Subject: PDF Writer - bioPDF, Author: bioPDF, Keywords: Installer, Comments: Installer wrapped by MSI Wrapper (6.0.91.0) from www.exemsi.com, Template: Intel;1033, Revision Number: {F99589B3-BCBC-4AF9-BCD7-9181E140C688}, Create Time/Date: Wed Dec 17 10:17:14 2014, Last Saved Time/Date: Wed Dec 17 10:17:14 2014, Number of Pages: 200, Number of Words: 2, Name of Creating Appl
- Architecture
- WINDOWS
- SHA256
- e0727cbf4b640acdd97eefe6647d4cabd5f4558b1756da593bf51c01ce8e5670
- MD5
- 363aa17203c0e3f0ac404fbf094d679f
- SHA1
- 77cb419bec843533723f6604540466b7a1897db6
Resources
- Icon
Visualization
-
Classification (TrID)
- 98.6% (.MSI) Microsoft Windows Installer
- 1.3% (.) Generic OLE2 / Multistream Compound File
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- WINWORD.EXE /n /dde (PID: 2512)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 7
-
-
opa12.dat
- Size
- 8.3KiB (8490 bytes)
- Type
- data
- MD5
- 0cfd66704c4b3280631e93922d549340
- SHA1
- a3eebca25751afe4dd89a866ad711407770e0c3e
- SHA256
- a93701e6ba79b0c221211004bb9fc6a654830fc3bdcd7a912df5e412f6209699
-
~WRD0000.doc
- Size
- 14MiB (14508032 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- c7a068ab08a6662594bf82ca08f20d97
- SHA1
- 33d8f42eafaaae59e679678875b096a4090025f5
- SHA256
- 518f395153e2cb3de633c3be4ce516ab36c60fab838a309f60e08dceb0f44175
-
~WRD0001.doc
- Size
- 14MiB (14488576 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- c757f200f25b6d0afd00132d84e2e3bd
- SHA1
- b603144e20d772268c3becd455b800f32bfb4fac
- SHA256
- e39937f584d4e5a874c032b192b5d2f8096571271eeae88fbfff43630742032f
-
~WRS{3E0EAC5F-EBC7-48E3-87CF-26DF4C244EFC}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{DCB3D219-D6B9-49B3-A606-0D139452B6C4}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- f103a69c0b75aa386a6188b775c9c749
- SHA1
- 5a50905573e4dd14ceda13b0e06d59f05b46df5a
- SHA256
- 72c750ed9295bea7d63fd93303e3fa578889171915b02d9df150ba2688d4e7be
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 238084dcdee5fbd51d2a0f0a9d39a645
- SHA1
- 6035767f4d3e3ebb6ce87b0b998437235aeb62c7
- SHA256
- 8ae29d6bd3dcb4c03239491d36c15de0035a2aca53cdfd26ef8e62a9c6f81f57
-
~$727cbf4b640acdd97eefe6647d4cabd5f4558b1756da593bf51c01ce8e5670.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 8b4c8723912481d85e7f45b92974ee4e
- SHA1
- 73b9f5787048b9eab4592a8d6325207a0d77b0e4
- SHA256
- 9f7e651f1febff95e8735eaff86fa49c56bafa37f3fe79403cdd1d674a033e6c
-