File name:

DownloadedMessage (1).zip

Full analysis: https://app.any.run/tasks/9d01abbe-1805-4169-b4fc-b803da7b354a
Verdict: Malicious activity
Analysis date: July 06, 2025, 03:17:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
spf-fail
attachments
attc-pdf
qrcode
phishing
phish-url
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

7E94649EC74B4417724A61935B60FEC2

SHA1:

67F4520EAC4E7ED68E5167B788447CFE04727C28

SHA256:

3714DE2A866E504B5CC3F68A3C6A628F51968274CD2FD30CB938CB0046554203

SSDEEP:

384:whiWevwJsEVZHZ0zTe9h+uRgEIEeGr+H+KS32ySMjNLbGoJzp7+OeP:ysEazTah+41e+q+KSmyXbHdYZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2780)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 2780)
  • INFO

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 2780)
    • Application launched itself

      • Acrobat.exe (PID: 4864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:07:06 03:16:50
ZipCRC: 0x8c6f5b5f
ZipCompressedSize: 22822
ZipUncompressedSize: 34499
ZipFileName: Message.eml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs outlook.exe ai.exe no specs prevhost.exe no specs acrobat.exe no specs acrobat.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2032"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Rar$DIb2780.16494\Message.eml"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
2668C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
2780"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DownloadedMessage (1).zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
4864"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /b /id 5116_1520401449 /if pdfshell_prev6113eb84-0cb2-41cd-86ae-87c1343ef904 /CR C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeprevhost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Version:
23.1.20093.0
5116C:\WINDOWS\system32\prevhost.exe {DC6EFB56-9CFA-464D-8880-44885D7DC193} -EmbeddingC:\Windows\System32\prevhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Preview Handler Surrogate Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
6268"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "2582044A-9B03-49D6-8DAA-8BFAABD23CAD" "D7A6D122-3699-4E3B-909E-FB247D73F1AC" "2032"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
6388"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 /b /id 5116_1520401449 /if pdfshell_prev6113eb84-0cb2-41cd-86ae-87c1343ef904 /CRC:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeAcrobat.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat
Version:
23.1.20093.0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
2032OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
2032OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
2032OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:2ECD7DF8C5094CE91940C2546F20A85B
SHA256:EB0B10DF5363FE5ED700ADE4C759CCFAAF014F5EF463DA029ABDE7486596949D
2032OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_24BB0982B761374D9B03FAB77E1F477B.datxml
MD5:0E092DB99AEE99FDFF9B5B222C732CFD
SHA256:D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
2032OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B024933E-505A-4222-AFC6-15767BEFC206xml
MD5:8A94D3B165BB9DBFB936E2576A455151
SHA256:ED87B91FFE8D85D1DBD1CF4A2BF8263B59AEF710E7BDEB8068F504601A6F99AA
2032OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\6848VEA5\Compensation_Adjustment_Statement_2025 (002).pdf:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2032OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64Abinary
MD5:47294164106786B26EF15964798E430E
SHA256:1232AC53F39AC9BACC618445797F0A7D8E116E19823F53D6DF9D6AACFF96A79D
2032OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\6848VEA5\Compensation_Adjustment_Statement_2025.pdfpdf
MD5:16EB3EFA6F59B494D94CB97F5673E9E9
SHA256:7279D8C7ADB0AFE15724F479DEEDA1C8907B2385E7BD9D4F7628A8E6EC662700
2032OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmbinary
MD5:E9CAB83C70C79BBB006A28DD8804FCC0
SHA256:CDC2AE0E8DB98B4E3DF9AE5F4E69DBD13DDDB97CC73F5A40E98602C1C8A6D1FB
2032OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\6848VEA5\Compensation_Adjustment_Statement_2025 (002).pdfpdf
MD5:16EB3EFA6F59B494D94CB97F5673E9E9
SHA256:7279D8C7ADB0AFE15724F479DEEDA1C8907B2385E7BD9D4F7628A8E6EC662700
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
30
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1200
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2524
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2032
OUTLOOK.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2032
OUTLOOK.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
2524
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3572
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1200
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1200
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2032
OUTLOOK.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.131
  • 40.126.31.67
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.131
  • 20.190.159.130
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
roaming.officeapps.live.com
  • 52.109.76.243
whitelisted
omex.cdn.office.net
  • 2.16.168.119
  • 2.16.168.101
whitelisted

Threats

No threats detected
No debug info