File name: | Sua Fatura Vivo Móvel chegou - (89114).msg |
Full analysis: | https://app.any.run/tasks/31482e59-a744-487f-9a18-617b1dac7294 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 14:28:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 3A5A6BBDB2ED3AE3F124E7D14DBCA696 |
SHA1: | 2C7A471A418712A1E7E13A28A03AE182CF664D9B |
SHA256: | AA129F6D7B1A65B1A959BCC2112A9F96947EF192DD5197CD5370DCF6B6023A4C |
SSDEEP: | 768:MdKcMSd9xe2VABO0ncN2EWsK7bqO7qiXMkgRRzh/r/OoWrWsKeWsK8d2pauZSPDw:MdqrcvWx7qugDz1rG5WWWjsWBWJ |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Sua Fatura Vivo Móvel chegou - (89114).msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2776 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
3976 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\53BTIOI8\email.mht | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2828 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3976 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3840 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3976 CREDAT:6403 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3796 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3840 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | iexplore.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 0 Version: 15.23.20070.215641 | ||||
3920 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3840 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | iexplore.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3124 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3840 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3348 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
3156 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3348.0.92165107\504328219" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE88A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2776 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF710.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:5B50B2AE618B656BBD7B52A4611EEA9D | SHA256:E49EB14B050D633F7A61D523D88EC5FF0756A00A788739FF5B8AB60A68D078F4 | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\7KdaGVU[1].jpg | image | |
MD5:595AA92866C91604EE00116D666E8D05 | SHA256:F1C44D2D25B6A7DF410B1C3175C27AEC6DDC4AF7CE67184E54F6973203335565 | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\9nzF1so[1].jpg | image | |
MD5:52D6C32825F276805A935E17B87E8FFD | SHA256:602F9068449870E99B36A2B654D7EF994B9D827F5AF4E9611B393EF42FE8A6AC | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\Mj1glp1[1].jpg | image | |
MD5:ABAD27971EEDA36666628531107557B9 | SHA256:2F7E107F2C75B3AB5267BC984375245309D0C0FA93B9AE8E747583E466CE055C | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\bffvP42[1].jpg | image | |
MD5:9F0CEC0D8282F62A2CD1DF8975342FD9 | SHA256:4377F4382BEC9A5C430D6466EDDCFFB349C236854FAE3B67117D87F2F73BD78C | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cWp7xmH[1].jpg | image | |
MD5:241246E4ED5BE2A1EDCE558222B8B1CC | SHA256:B994A3D50D4B7F0C4FF296A1B382555202476CF62ECBE43F256238BC38C834D9 | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_4BED883300C45A43848FF6617DE7DA96.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3920 | AcroRd32.exe | GET | 304 | 2.16.186.26:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/282_15_23_20070.zip | unknown | — | — | whitelisted |
3840 | iexplore.exe | GET | 302 | 178.79.136.242:80 | http://li192-242.members.linode.com/catalog/seo_sitemap/vivofatura79pach/ | GB | — | — | unknown |
2948 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3920 | AcroRd32.exe | GET | 304 | 2.16.186.26:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/284_15_23_20070.zip | unknown | — | — | whitelisted |
3976 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3920 | AcroRd32.exe | GET | 304 | 2.16.186.26:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/283_15_23_20070.zip | unknown | — | — | whitelisted |
3920 | AcroRd32.exe | GET | 304 | 2.16.186.26:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3976 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3976 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2948 | OUTLOOK.EXE | 151.101.36.193:443 | i.imgur.com | Fastly | US | unknown |
2948 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3840 | iexplore.exe | 172.217.18.16:443 | storage.googleapis.com | Google Inc. | US | whitelisted |
3976 | iexplore.exe | 172.217.18.16:443 | storage.googleapis.com | Google Inc. | US | whitelisted |
3840 | iexplore.exe | 52.219.96.18:443 | s3.us-east-2.amazonaws.com | — | US | shared |
3976 | iexplore.exe | 216.58.210.4:443 | www.google.com | Google Inc. | US | whitelisted |
3840 | iexplore.exe | 178.79.136.242:80 | li192-242.members.linode.com | Linode, LLC | GB | unknown |
3920 | AcroRd32.exe | 2.16.186.26:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
i.imgur.com |
| shared |
www.bing.com |
| whitelisted |
storage.googleapis.com |
| whitelisted |
li192-242.members.linode.com |
| unknown |
s3.us-east-2.amazonaws.com |
| shared |
www.google.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
acroipm2.adobe.com |
| whitelisted |
ardownload2.adobe.com |
| whitelisted |