Managed XDR

confirming-aviso-de-pago.msg — malware analysis report

File info

Filename: confirming-aviso-de-pago.msg
File type: CDFV2 Microsoft Outlook Message
File size: 210 KB
First seen: 2025-04-25 13:17
Last seen: 2025-04-25 13:17

Environment

win7/x86 en

Hashes

SHA1: 05ed73edef7a2b08d289bd71d7a8670ae0c593a2
SHA256: 0dd71512780c285c178a8912f603ec67d470e00c9c2a4632958e00f016dea217
MD5: c3aa06016394a29a7c365829305fbff9

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1047 has_wmi: Executes one or several WMI requests

T1059 suspicious_process: Spawns a suspicious process

T1059.001 suspicious_process: Spawns a suspicious process

T1059.005 obfuscated_vbs: Detected obfuscated VBS

T1059 wscript_info_discovery: Collects info about system with Wscript.Shell

T1059.005 bad_vbs: Suspicious VBScript file

T1059.005 obfuscated_vbs_wmi: Suspicious WMI queries from VBScript file

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1112 creates_largekey: Saves very large data in the registry, can be used to save the configuration or body of the malware

T1070 stealth_window: A process created a hidden window

T1027 obfuscated_vbs: Detected obfuscated VBS

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1027 obfuscated_vbs_wmi: Suspicious WMI queries from VBScript file

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1057 has_wmi: Executes one or several WMI requests

T1082 reads_csrss: Attempts to read csrss.exe memory

T1082 wscript_info_discovery: Collects info about system with Wscript.Shell

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1033 wscript_info_discovery: Collects info about system with Wscript.Shell

Other

suspicious_pdf_link: PDF file with suspicious hyperlink or content

creates_exe: Creates executable files in the file system

suspicious_pdf: PDF file with suspicious content

pdf_page: Contains only one page

create_rpc_bindings: Creates RPC connection

pdf_compressed_stream: Contains an object with compressed stream

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

office_links: Office file contains external links

checktokenmembership: Checks user token with CheckTokenMembership call

Managed XDR