Managed XDR

message.eml — malware analysis report

File info

Filename
message.eml
File type
RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
File size
328.8 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
e610e55de11cfd7a72a100d4f10da659dd48226f
SHA256
9e9d398a6d5d60e058b0ef6a40495dd2d5cf18a8d6dcb26a14c3fa907de15213
MD5
b9242153e932480d97c10c61e8e0d0f6
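The hashes above identify the whole .eml, but the macro and PDF signatures further down are raised by its attachments. The following script, an added example rather than the sandbox's own code, parses an RFC 822 message with the Python standard library, hashes each attachment with the same three algorithms, and flags Office attachments that carry a VBA container (a vbaProject.bin part inside an OOXML zip, or a "VBA" storage name inside a legacy OLE file). The message it parses is constructed inline so it runs offline; the OLE check is a byte-search approximation, not a full OLE directory parser.

```python
"""Triage an RFC 822 message: hash every attachment and flag VBA containers.
Added example (not the sandbox's code). The sample message is constructed."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) container


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a blob, matching the report's hash section."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def has_vba(data: bytes) -> bool:
    """Heuristic macro check. OOXML: look for a vbaProject.bin part.
    OLE: search for the UTF-16LE storage name 'VBA' (directory entry names
    are UTF-16LE). The OLE branch is an approximation and can false-positive
    on documents whose text merely mentions VBA."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return "VBA".encode("utf-16-le") in data
    return False


def triage(raw: bytes) -> list:
    """Return one record per attachment: name, size, hashes, VBA flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        records.append({"filename": part.get_filename(), "size": len(data),
                        **hashes(data), "vba": has_vba(data)})
    return records


def build_sample() -> bytes:
    """Constructed message: a fake .docm with an empty vbaProject.bin part
    plus a harmless PDF stub. Addresses use the reserved .invalid TLD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    docm = buf.getvalue()
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4\n...", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for record in triage(build_sample()):
        print(record)
```

Run it against a real capture with `triage(open("message.eml", "rb").read())`; an attachment whose `vba` flag is true is the one to pull into a dedicated macro extractor before detonation.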

Signatures

Note: T1064 (Scripting) and T1192 (Spearphishing Link) are retired ATT&CK IDs, superseded by T1059 and T1566.002; they appear below as the sandbox emits them.
Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1064 office_macros_suspicious: Document contains suspicious macro
T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)
T1064 office_macros: The document contains macros (total: 2)
T1064 office_macros_strings: Suspicious feature strings found in document macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1064 office_macros_suspicious: Document contains suspicious macro
T1027 office_macros_entropy: The document contains a macro with high entropy (a possible sign of obfuscation)
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1064 office_macros: The document contains macros (total: 2)
T1064 office_macros_strings: Suspicious feature strings found in document macro
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
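The office_macros_entropy signature above is a statistical heuristic: obfuscated macros tend to carry long high-entropy string literals (encoded payloads) and chains of Chr() calls that rebuild keywords at runtime. The script below, an added example and not the sandbox's signature logic, computes Shannon entropy over extracted VBA string literals and counts Chr() calls and auto-execute entry points; the two macro samples are constructed, and the 4.5-bit threshold and 32-character minimum are assumed values to tune against your own corpus.

```python
"""Entropy and obfuscation indicators for VBA source (added example).
Samples and thresholds are constructed assumptions, not sandbox values."""
import math
import re
from collections import Counter

# Constructed benign macro: one readable string, an AutoOpen entry point.
PLAIN_MACRO = '''Sub AutoOpen()
    MsgBox "Welcome to the quarterly report"
End Sub'''

# Constructed obfuscated macro: a 64-symbol literal (entropy exactly 6 bits)
# and a Chr() chain that spells a command name at runtime.
OBF_MACRO = '''Sub Document_Open()
    Dim k As String
    k = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    x = Chr(99) & Chr(109) & Chr(100)
    Shell x & " /c " & Decode(k), vbHide
End Sub'''


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def string_literals(vba: str) -> list:
    """Double-quoted literals on a single line (VBA has no escape sequences)."""
    return re.findall(r'"([^"\n]*)"', vba)


def macro_indicators(vba: str, threshold: float = 4.5, min_len: int = 32) -> dict:
    """Indicators a macro-entropy signature would combine. Thresholds are
    assumptions: natural-language VBA literals sit well under 4.5 bits,
    base64/hex payloads sit above it."""
    long_literals = [s for s in string_literals(vba) if len(s) >= min_len]
    high = [s for s in long_literals if shannon_entropy(s) >= threshold]
    return {
        "entropy_total": round(shannon_entropy(vba), 2),
        "suspicious_strings": len(high),
        "chr_calls": len(re.findall(r"\bChr[W$]?\s*\(", vba, re.I)),
        "autoexec": bool(re.search(
            r"\b(AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b", vba, re.I)),
    }


if __name__ == "__main__":
    for name, src in (("plain", PLAIN_MACRO), ("obfuscated", OBF_MACRO)):
        print(name, macro_indicators(src))
```

Whole-module entropy (`entropy_total`) is a weak signal on its own because source code of any kind sits in a narrow band; the per-literal check is what separates an encoded payload from ordinary text, which is why it is reported separately.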

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules
multiple_useragents: Uses more than one unique User-Agent
creates_doc: Creates (office) documents in the file system
office_summary: The document contains suspicious metadata
create_rpc_bindings: Creates RPC connection
pdf_compressed_stream: Contains an object with compressed stream
creates_suspended_process: Creates suspended process
test_check_service: Starts services
office_links: Office file contains external links
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
suricata_alert: Malicious traffic detected