File name: E-Fax New Document Received - Doc-049627.pdf - 2 pages (8.57 KB).msg

Full analysis: https://app.any.run/tasks/c26a78e0-a619-4ae6-ac57-718fcbebd27e
Verdict: Malicious activity
Analysis date: November 29, 2020, 18:00:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing, phish-outlook
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: BE595FC17D40300AFBD4875AED642F4B
SHA1: FADBF79F9151F6EEB1D71C19A2E6999F857830BB
SHA256: B9A28DC8881F4EB048BC7EB3F26FAC40615F4763317309669CD649D721490F9C
SSDEEP: 192:gfN3LDjz8shB5k4YJPqB+z9xGbY6db3nOWZJfuKmpoMZpmj9:ahLFnq47Ugk6dbeWLfu9poMZpmj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2228)
    • Outlook phishing page detected
      • iexplore.exe (PID: 868)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2228)
  • INFO
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2228)
    • Application launched itself
      • iexplore.exe (PID: 2460)
    • Changes internet zones settings
      • iexplore.exe (PID: 2460)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2228)
    • Reads internet explorer settings
      • iexplore.exe (PID: 868)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 868)
      • iexplore.exe (PID: 2460)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2460)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process chain): start → OUTLOOK.EXE (PID 2228) → iexplore.exe (PID 2460) → iexplore.exe (PID 868)

Process information

PID: 2228
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\E-Fax New Document Received - Doc-049627.pdf - 2 pages (8.57 KB).msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 2460
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://objectstorage.eu-zurich-1.oraclecloud.com/n/zrg5reymingp/b/webapp-fax015670-u64334590--864332346780-866434815690643270/o/index.html#[email protected]
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 868
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2460 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 2 265
Read events: 1 252
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 29
Text files: 36
Unknown types: 14

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2228 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR773B.tmp.cvr | | |
868 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabBD3D.tmp | | |
868 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarBD3E.tmp | | |
2228 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | C608B1818F15EEEBF6582471F590732C | 37763DD9B3A482BD006C20EDDD5580B86D299D70A944B79E2D89A7FCC4DE82B3
2228 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 5DC67F92981044B1745034FD7DAA2C85 | B0D6B57FF0A8651A9611BEA8DC73071C4612526E88D3783F493B5763CC528A30
868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | der | F35594720BDB12D02C777B50A40996C7 | 7C7C3BB58FDF08A0BF4C74CAF57034C7F8DCF3CC4D587E3F90A38B17ECDDB9EB
868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_F0430A285AA51C1C58BBDAE291DC70DE | der | 9A0FFE5EB235F77438FB8F93B843F36D | 3A902AD62B7F0C65D57332E7AAD0F02BFCFB6825BC60FE537120D710E43B64BC
868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | 3C60995A36CA6C29EF469C1899B82CF3 | 934775ADFA43C2FAF6BC5CF430C4EDD809F74F851743CE2255716921080D0716
868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\index[1].htm | html | 97CA18EFC10B54D5024324EC95868220 | 3880C6C3D03E4591B6FF3C9EB5B22418A036C494ECD8B2501D4D97FE93BB33F3
868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | binary | 4F8D9A4F41CAD6CF2E439E07B2B523B4 | 2B58369F82CC437B695CA5F7971952B9F50CDD6C094B4B1F451277BF1F14CF30
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 32
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2228 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
868 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
868 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAFwCsedOaoX4vw6MpclM1w%3D | US | der | 471 b | whitelisted
868 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
868 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
868 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
868 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
868 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
868 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
868 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
868 | iexplore.exe | 104.16.19.94:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | suspicious
868 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2228 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
868 | iexplore.exe | 134.70.88.3:443 | objectstorage.eu-zurich-1.oraclecloud.com | Oracle Corporation | US | suspicious
868 | iexplore.exe | 209.197.3.24:443 | code.jquery.com | Highwinds Network Group, Inc. | US | malicious
868 | iexplore.exe | 209.197.3.15:443 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted
2460 | iexplore.exe | 134.70.88.3:443 | objectstorage.eu-zurich-1.oraclecloud.com | Oracle Corporation | US | suspicious
| | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious
2460 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
868 | iexplore.exe | 23.46.253.193:443 | c.s-microsoft.com | Akamai Technologies, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
objectstorage.eu-zurich-1.oraclecloud.com | 134.70.88.3 | suspicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
maxcdn.bootstrapcdn.com | 209.197.3.15 | whitelisted
stackpath.bootstrapcdn.com | 209.197.3.15 | whitelisted
code.jquery.com | 209.197.3.24 | whitelisted
cdnjs.cloudflare.com | 104.16.19.94, 104.16.18.94 | whitelisted
ocsp.comodoca.com | 151.139.128.14 | whitelisted
ocsp.usertrust.com | 151.139.128.14 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted

Threats: No threats detected
Debug info: No debug info