Closed kevross33 closed 9 years ago
I have seen these HTTP requests before but currently cannot get them to trigger. I believe I updated my analysis VMs to force-disable all Reader/Acrobat updates.
Although I do see the potential to make a whitelist, I don't think I could do that without testing it. If you could zip up your storage/analysis/[task]/ directory and give me a download link, I'll make that happen. Otherwise I think this can be fixed by making some VM changes.
Sorry for the lack of copy/paste, the VM is air-gapped, but here are the logs I got when changing settings. This is unfortunately for Adobe Reader DC (I guess their newest version?), so these RegKeys would obviously need to reflect your environment.
http://i.imgur.com/NJD44Bh.png http://i.imgur.com/qOjWmiI.png
Also I believe this disables checking for "new comments and form data": http://i.imgur.com/xT0CyOi.png
Hi,
Thanks for the info, I will close the issue; yes, you are right, it is a local configuration issue where disabling Adobe updates and checks had been missed.
In closed environments I also use DNS responses to send troublesome queries to the loopback address, too, in order to limit any traffic generated by VM background noise.
Thanks again.
False positive seen in PDF for this download (btw thanks for this signature; it is really handy):
/11/rdr/ENU/win/nooem/none/message.zip was requested from hosts: acroipm.adobe.com, acroipm2.adobe.com
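To make the whitelist idea from the thread concrete, here is an added Python example (not the project's code and not either commenter's) that filters sandbox HTTP-request records against an allowlist of the Adobe updater hosts and path prefix named in the report; the record shape and the extra non-Adobe host are assumptions.

```python
# Added example: separate Adobe Reader's background update/messaging
# traffic from the HTTP requests a sandbox network signature should flag.
from urllib.parse import urlsplit

# Hosts and path prefix taken from the issue report; the prefix list is an
# assumption and should be tuned to the analysis environment.
ADOBE_UPDATER_ALLOWLIST = {
    "acroipm.adobe.com": ("/11/rdr/",),
    "acroipm2.adobe.com": ("/11/rdr/",),
}


def is_updater_noise(host, path):
    """True when host/path match a known benign updater endpoint."""
    prefixes = ADOBE_UPDATER_ALLOWLIST.get(host.lower())
    if prefixes is None:
        return False
    return any(path.startswith(p) for p in prefixes)


def suspicious_requests(requests):
    """Return (host, path) pairs NOT explained by the allowlist.

    `requests` is an iterable of dicts shaped like sandbox HTTP-summary
    entries: {"host": ..., "uri": ...} (assumed shape, not the project's).
    """
    flagged = []
    for r in requests:
        host = r.get("host", "")
        path = urlsplit(r.get("uri", "/")).path or "/"
        if not is_updater_noise(host, path):
            flagged.append((host, path))
    return flagged


# Constructed sample: the two benign requests from the report plus one
# unrelated request the signature should still report.
SAMPLE = [
    {"host": "acroipm.adobe.com", "uri": "/11/rdr/ENU/win/nooem/none/message.zip"},
    {"host": "acroipm2.adobe.com", "uri": "/11/rdr/ENU/win/nooem/none/message.zip"},
    {"host": "unknown-host.invalid", "uri": "/download.bin?id=1"},
]

if __name__ == "__main__":
    for host, path in suspicious_requests(SAMPLE):
        print(f"flag: {host}{path}")
```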