analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Sua fatura NET MAURIZIO BILLI.msg

Full analysis: https://app.any.run/tasks/70b8d0c4-982a-45ae-b792-544c0826fbc8
Verdict: Malicious activity
Analysis date: July 17, 2019, 11:42:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

5E35DBD9B2E58D0602E7B534D98BB351

SHA1:

DEB43049691E8A5E15EA7B46DA6F208C3411541F

SHA256:

B1B41CCD4FF7741609091D4DFEBA10C96A2BC30A5FE6EABE0809BDA023B41857

SSDEEP:

1536:Y8UfDzKhhWkWQ9gtAuNtNBqOhbuzIw3IW7m:zUfDzKctNBhbWIw3IW7m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3844)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3844)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3844)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3844)

  • INFO

    • Application launched itself

      • RdrCEF.exe (PID: 2528)
      • iexplore.exe (PID: 3236)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3844)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2852)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2852)

    • Creates files in the user directory

      • iexplore.exe (PID: 2852)
      • iexplore.exe (PID: 3236)

    • Changes internet zones settings

      • iexplore.exe (PID: 3236)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3844"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Sua fatura NET MAURIZIO BILLI.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3392"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FUZ2A201\fatura-net.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
OUTLOOK.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
3104"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FUZ2A201\fatura-net.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
2528"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
3221225547
Version:
15.23.20053.211670
3012"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2528.0.90562465\2114048118" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
2952"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2528.1.658466009\1966665134" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
3236"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/NEToficialC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2852"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3236 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
2 164
Read events
1 620
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
60
Unknown types
20

Dropped files

PID
Process
Filename
Type
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF722.tmp.cvr
MD5:
SHA256:
3844OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:EFCBC226C2D36B5FD389CC804ADD54C9
SHA256:8ADEAD4990F03BF07FC75CDC07E01B84B4D6645250F6BA53479F521CB8059050
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\social-5[1].gifimage
MD5:FA40C2907E23E952A209E05D7C3490B3
SHA256:B2F61234797725E72D4C00C69376626E687710EE89B24954B8787229849DF76E
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FUZ2A201\fatura-net.pdfpdf
MD5:0F331B758D7A220517A73571B6032CD1
SHA256:749CF2E0CB82B677B7FF90926877B7DD891551873B2E210AF122504ACF8076F2
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FUZ2A201\fatura-net (2).pdf\:Zone.Identifier:$DATA
MD5:
SHA256:
3104AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\social-1[1].gifimage
MD5:6150960A2AD9A974B3F0D1F6AF6325CC
SHA256:BD4CE351AB662823316F796AB9B3167B4F497C5D85D8F9182C87E0D5D8A22A82
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\topo[1].jpgimage
MD5:F5AAA0D35ABC5A9383D470244F34C372
SHA256:BE627EB57F98580F33FAF1BB07D284268CDA4EE87B06A0830BF294A6C6F11B76
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\social-3[1].gifimage
MD5:040E6E0210F53F2E29D99CB196E8CE23
SHA256:4BF64473555FAF6B9C48002FD0C41204CD9445DDA4FA86C907D58DCA74F753A7
3844OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9724E34A-58C7-4389-A122-B8BF42A3DB4A}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:7D80C0A7E3849818695EAF4989186A3C
SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
35
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/banner.jpg
US
whitelisted
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/siga.gif
US
whitelisted
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/social-2.gif
US
whitelisted
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/social-1.gif
US
whitelisted
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/social-3.gif
US
whitelisted
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/social-4.gif
US
whitelisted
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/logo.jpg
US
whitelisted
3392
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
3844
OUTLOOK.EXE
GET
301
152.195.52.2:80
http://www.netcombo.com.br/static/email/20161118120507/images/social-5.gif
US
whitelisted
3844
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3844
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3392
AcroRd32.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
2852
iexplore.exe
31.13.92.36:443
www.facebook.com
Facebook, Inc.
IE
whitelisted
3844
OUTLOOK.EXE
152.195.52.2:80
www.netcombo.com.br
MCI Communications Services, Inc. d/b/a Verizon Business
US
unknown
3392
AcroRd32.exe
2.16.186.33:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
3844
OUTLOOK.EXE
152.195.52.2:443
www.netcombo.com.br
MCI Communications Services, Inc. d/b/a Verizon Business
US
unknown
31.13.92.36:443
www.facebook.com
Facebook, Inc.
IE
whitelisted
2852
iexplore.exe
157.240.20.19:443
static.xx.fbcdn.net
Facebook, Inc.
US
whitelisted
3236
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3236
iexplore.exe
31.13.92.36:443
www.facebook.com
Facebook, Inc.
IE
whitelisted

DNS requests

Domain
IP
Reputation
www.netcombo.com.br
  • 152.195.52.2
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted
acroipm2.adobe.com
  • 2.16.186.33
  • 2.16.186.32
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
www.facebook.com
  • 31.13.92.36
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
m.facebook.com
  • 31.13.92.36
whitelisted
static.xx.fbcdn.net
  • 157.240.20.19
whitelisted
scontent-amt2-1.xx.fbcdn.net
  • 31.13.64.21
whitelisted
facebook.com
  • 31.13.92.36
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Sua fatura NET MAURIZIO BILLI.msg