Managed XDR

viewsource.txt — malware analysis report

File info

Filename
viewsource.txt
File type
SMTP mail, ASCII text, with very long lines, with CRLF line terminators
File size
567.3 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
b40f89074ee4a08277c36966c3787b98c60d57dd
SHA256
31201a36f7a5ab2a97fc5de2b9fbddf94573b977a6fddfe0fe3b697def546046
MD5
7b4f7ca93545a14e0133bc6280f20496

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1064 office_macros_suspicious: Document contains suspicious macro
T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
T1064 office_macros: The document contains macroses (total: 14)
T1064 office_macros_strings: Feature lines found in document macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1064 office_macros_suspicious: Document contains suspicious macro
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1064 office_macros: The document contains macroses (total: 14)
T1064 office_macros_strings: Feature lines found in document macro
T1064 office_macros_autoexec: The document contains an auto-start macro
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files

Discovery

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

Other

yara_rules: Static rules
pdf_page: Contains only one page
create_rpc_bindings: Creates RPC connection
pdf_compressed_stream: Contains an object with compressed stream
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
office_links: Office file contains external links
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card