
Windows Analysis Report
3WzEuwT4vN.eml

Overview

General Information

Sample name:3WzEuwT4vN.eml
renamed because original name is a hash value
Original sample name:1f093ec1b8fe0773dc4d99b15d20da1681a2b845e5398f34c40c441e3c1ad1d2.eml
Analysis ID:1590823
MD5:dd2a8708874f5c99644110152d76b40a
SHA1:06b7cd6f235bf9d4a08d84f85af93358c33ca00f
SHA256:1f093ec1b8fe0773dc4d99b15d20da1681a2b845e5398f34c40c441e3c1ad1d2

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected potential phishing Email
Email provider (Gateway / MTA) detected MSG / EML as spam/phishing/malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 2292 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\3WzEuwT4vN.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5756 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CDDD2B0A-C284-4511-B013-F373E26E48FA" "A45A43CE-A3EC-4E48-877C-36AB5ED5B41C" "2292" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2292, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched



Phishing

Source: Email; Joe Sandbox AI: Detected potential phishing email: Sender email (gmail.com) doesn't match claimed identity (Diia government service). Repetitive, poorly formatted text with suspicious authentication links. Multiple variations of URLs including suspicious domain 'diia-id.com' instead of legitimate 'diia.gov.ua'
Source: 3WzEuwT4vN.eml; Email attachment header: X-Spam-Level: *********
Source: Email; Classification: Credential Stealer
Source: classification engine; Classification label: mal48.winEML@3/4@0/55
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250114T0853200831-2292.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\3WzEuwT4vN.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CDDD2B0A-C284-4511-B013-F373E26E48FA" "A45A43CE-A3EC-4E48-877C-36AB5ED5B41C" "2292" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4E3A7680-B77A-11D0-9DA5-00C04FD65685}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 11 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact

Source | Detection | Scanner | Label
3WzEuwT4vN.eml | 0% | Virustotal |
3WzEuwT4vN.eml | 0% | ReversingLabs |
No Antivirus matches
No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | US | 8068 | MICROSOFT-CORP-MSN-AS-BLOCK | false
20.189.173.14 | unknown | United States | US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | false
52.109.28.46 | unknown | United States | US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | false
2.16.168.101 | unknown | European Union | EU | 20940 | AKAMAI-ASN1 | false
52.109.76.243 | unknown | United States | US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | false
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1590823
Start date and time:2025-01-14 14:52:03 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:3WzEuwT4vN.eml
renamed because original name is a hash value
Original Sample Name:1f093ec1b8fe0773dc4d99b15d20da1681a2b845e5398f34c40c441e3c1ad1d2.eml
Detection:MAL
Classification:mal48.winEML@3/4@0/55
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.76.243, 2.16.168.101, 2.16.168.119, 20.189.173.14
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, onedscolprdwus13.westus.cloudapp.azure.com, prod.configsvc1.live.com.akadns.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
  • Not all processes were analyzed; report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:modified
Size (bytes):102400
Entropy (8bit):4.4987662869802865
Encrypted:false
SSDEEP:
MD5:D855DB45527658E8C5D7A5F29EC54247
SHA1:7FAFF6E5CE0D2010D28662ED04D2B9459E8066EE
SHA-256:B5057EBF0C5ADE686E7586AF21B2916851AA32AED12C042886F7DA935906E5F1
SHA-512:4A797820FF052DCE3B47D62D45BA891E611DE03652BF5A5A55201A5273D7C18E9D7B7E3F72A0562FAEBE7222F37816B65372A2A165762B6EEE001D163BCF3C6F
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:GIF image data, version 89a, 15 x 15
Category:dropped
Size (bytes):663
Entropy (8bit):5.949125862393289
Encrypted:false
SSDEEP:
MD5:ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):2.4982743564032317
Encrypted:false
SSDEEP:
MD5:F664507A302F4AE93C8E4A30D95E882A
SHA1:AEB0AEB81952E1626CE2BDA3EBDB113C6B1AAC7E
SHA-256:165D08FCFDDC5C34A15E5E919DEE6527477622960D62E0F598EDFDB389C273A7
SHA-512:9AE48C6A4F80D337D8D2CCD91E983026044AAE45207FB854BE097902E10F3DCA0F698493BF6A9DCA0BCAE659EDD1BD5FD2179EE21D1F33F083B408E25FD1824E
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:OpenPGP Public Key
Category:dropped
Size (bytes):131072
Entropy (8bit):3.743164031122567
Encrypted:false
SSDEEP:
MD5:D8EF76AF4680152D4DDA0F47E18D9B9E
SHA1:AC1206CF3323947FDDDCAEF52852BF760011ABBD
SHA-256:0146CA08DFFF27579B06EB7889260AAEAB83B4D412CBA0D520CDE0E71BFA3249
SHA-512:4BB38923166801536D77698C7CAA490B02A1F33FFF1BC5828A86181A4CACA852BE807904EB2B26C9977F4F8E3E734393EBDA54B416E53D3F9C3E8DFABD89C467
Malicious:true
Reputation:unknown
File type:SMTP mail, ASCII text, with very long lines (441), with CRLF line terminators
Entropy (8bit):5.774461322427669
TrID:
  • E-Mail message (Var. 1) (20512/2) 100.00%
File name:3WzEuwT4vN.eml
File size:21'804 bytes
MD5:dd2a8708874f5c99644110152d76b40a
SHA1:06b7cd6f235bf9d4a08d84f85af93358c33ca00f
SHA256:1f093ec1b8fe0773dc4d99b15d20da1681a2b845e5398f34c40c441e3c1ad1d2
SHA512:c05cf0a5518c72fa0181b620e42d1c8ab5f7c88418abf77784304945e765e592c5690e179d620db64b02954a30d6bbf8aa80146c5d0a74fe1dbe829714a56222
SSDEEP:384:YvKV9fxJvKtMQsroltIhiM4XbgrMNsZUZopwQ/qjQELXu:YvSZbv8i8nIhihXsr4siZo7/qjQELXu
TLSH:0DA2C53F428608C5722C0DB9246166BC550FEE7E8ACB3B7CF99E1B51462865CB4C8BC7
File Content Preview:Return-Path: <facturacion2871@gmail.com>..Delivered-To: spam@puzatahata.kiev.ua..DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;.. d=gmail.com; s=20230601; t=1736192583; x=1736797383; darn=puzatahata.kiev.ua;.. h=mime-version:date:cont
Subject:*** SPAM ***
From:D GOV <facturacion2871@gmail.com>
To:diia@mysalesmate.com
Cc:
BCC:
Date:Mon, 06 Jan 2025 19:43:02 +0000
Communications:
  • html (email body, repeated several times with minor variations; the non-ASCII text did not survive extraction): https://my.diia.gov.ua/sign. Complete the process through a secure authentication platform. 2025 Diia. diia.gov.ua. Every day is a new opportunity to learn something valuable. The mind is everything; what you think, you become. Inline CSS: @media only screen and (max-width:600px) { body img { max-width: 100% !important; } } Links in body: https://my.diia.gov.ua/sign, https://diia-id.com/sign?=s8070846148
Attachments:
    Key: Value
    Return-Path: <facturacion2871@gmail.com>
    Delivered-To: spam@puzatahata.kiev.ua
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1736192583; x=1736797383; darn=puzatahata.kiev.ua; h=mime-version:date:content-transfer-encoding:message-id:subject :reply-to:to:from:from:to:cc:subject:date:message-id:reply-to; bh=vF8j6sgOL6rA5s9Jx/5Q9NtAXpgq2QXTTuDyn9Vxb7Y=; b=BqMnsJa981DyQXGjEprQNjOda0CHhZSHBmxBQTo+REuk8ONKNPFIjAiNqtfhL16bAe NzCl+Vh9z+WnhL7rU7UpsQzu7yD0IOPVM1PEnW8M6YVh2+BS/rdrpyzGX9FbRi5v64EG T+OuzqwdAPS0lXfRhjKlsltxmPg5fMU7K6sBUoXBrR9WtelGhXqnRx2vu78AOvLVbHz5 UM3HLzhaRg3CCvGJ1bLwFVHi/G9EaMOmvVwQC86gLSNWVprDStLf2POQLNZtxDSFazbj iC6vrFO48qJmCBohgJ1XnfDbi6juRpm4y0dXoKKMyyNvXK9+KQWpUj9g9/VrDW8tpxFd ogkA==
    Authentication-Results: mx1.puzatahata.kiev.ua; dkim=pass header.d=gmail.com header.s=20230601 header.b=BqMnsJa9; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.puzatahata.kiev.ua: domain of facturacion2871@gmail.com designates 209.85.222.172 as permitted sender) smtp.mailfrom=facturacion2871@gmail.com
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=puzatahata.kiev.ua; s=dkim; t=1736192584; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:dkim-signature; bh=vF8j6sgOL6rA5s9Jx/5Q9NtAXpgq2QXTTuDyn9Vxb7Y=; b=XO+XQDMdtfVQ7D96kSFdjh0Zwa5iMqR3+VqvBUSgmDMn0BgScN6xeVmsyVtq/At34VfIfY Y5mD71o5gJeOHDtnlJmE5mBAmmEnJyxgcvmEpKPoK9aG84OisaVHqxPoF1fGA4cKgZ6TjW xkJtYOgQvEx5ZaFV9qGmlNMysQULpMatJq8t4grV1l46ke2UpEOextDoEyoTydOGTTiyvl XCAHlWFr/ekoxvXWNZMoxxUwB9xDXWJbX4hkysMzhv0tGIC3zG1CBq8AN6E0pyIaPXTInC Rq74moLvaGOjj2L+f8ofSCuDAjRc/Mg3lWCQ88k8qEEg4h0zbDWJw4x6aety4w==
    ARC-Seal: i=1; s=dkim; d=puzatahata.kiev.ua; t=1736192584; a=rsa-sha256; cv=none; b=c9g0IAJv+g1VyQ+Ha1GxoCfhHNu0qlErzOrdrZHLGXQD7NdmC1NQa+1GsbZIdDoxBZG6HJ 3AtJjtuC/P649m5QkI6w11/pw3HIYVjog3/oQbwBgLjggTr7sOWfQy7bUbAjBQDwb2RlwZ iSG1aqWxRUOJiy653c1r0ZmsnPm3+KUE6HBvJYk3LNBovXDiZKHTsfwtxewqar9vHP1o4j dVb9UzpDkvxSNqWTAORfXDY8FuiYdBZl/iF8R7BxebhVIRkshkvvYsFYMeXjWKQ88Liupz /OqgTthuudOiwQHZluRvH/oYzjyNmNn/j0MAdY8vxdScMw0n6RbV8+UPM8GQ3w==
    ARC-Authentication-Results: i=1; mx1.puzatahata.kiev.ua; dkim=pass header.d=gmail.com header.s=20230601 header.b=BqMnsJa9; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.puzatahata.kiev.ua: domain of facturacion2871@gmail.com designates 209.85.222.172 as permitted sender) smtp.mailfrom=facturacion2871@gmail.com
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736192583; x=1736797383; h=mime-version:date:content-transfer-encoding:message-id:subject :reply-to:to:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=vF8j6sgOL6rA5s9Jx/5Q9NtAXpgq2QXTTuDyn9Vxb7Y=; b=VSOkiP+UBQwbl9fCAMWWqRIsInERFXha0FCqwLQyKWnFzlK5AYBer3yQd8ZdcqsAdI l3ixwWoObN6SgkZe74X29iVLs0Svt4r+7Ish5orHb8lmw2HkXHMYzyZv1c2JTIsaJuaq tkrX25J1kutyGA12/hGoDMFQdGeQMz7CxzJad49XG/uLEC4/LzkrS18+I4wLCSWI20br WctZ2p4YjgICMC5Qb5Cg8+Q9/QfNA66qyz8lfW3nMDz++AVJpuENJrgjZB6tqRJFN9k6 wiNpzduL0eQ8m+Sfb2zQ+uWhULZVfkMwhToZD1l8AMjrenawOHejcVSGEL6UmrkoYxRg SZaw==
    X-Forwarded-Encrypted: i=1; AJvYcCV+XUL2lSQgIEUtEZxPVQkEZ9hc3CTB9Qn7OmzUHC6iSY4g2Bps3GwBxqIn+p1JNyTbmfmf@puzatahata.kiev.ua
    X-Gm-Message-State: AOJu0Yx+LpEOJiFkkQEMcfwbl3J0XUdT+T+C2Ohk01rKhR5cFuYCMDig Ib9ESifWYgm5yWHgevekJ9Fd9NWZYJV74JT35fCprBAjAZ3JFH98
    X-Gm-Gg: ASbGncuSC8xDHBXh+LTXOypFZ4NwYlDdpcmQrQzxy1ad5gXrRpGvv20ALpZyCRxHbrh y1hoC4+hWSUfa3AI+NXaIJz/DjkSGvcXkL9UliIiHoVhUKEw7mvd5r94s38CZvZhnCaCGuVR306 TKiF0+grff621Xeg35mGU6FKZFiEGIYXPWB79MEbo4EjVf2uPKFSNs3y0UK4kftRzsYHd2WSnlK fBPibSaCfsM/ZCgPkf5RVix3zmhbXDqQhgU+e/ft3+fvuSFLBluov6aShX6IeO+X4QcQfpe8AcK eSHHYg==
    X-Google-Smtp-Source: AGHT+IHfBcCFv8ZWC3ps0yId2kSAtC+Y6Xq/MRq+Mm2Wp01wTOBFX//yWFtT6ji1C+0MxmuAUfXQPA==
    X-Received: by 2002:a05:620a:28c9:b0:7b8:5511:f725 with SMTP id af79cd13be357-7bb90348a3bmr86820385a.23.1736192583095; Mon, 06 Jan 2025 11:43:03 -0800 (PST)
    Content-Type: text/html; charset="utf-8"
    From: D GOV <facturacion2871@gmail.com>
    To: diia@mysalesmate.com
    Reply-To: D GOV <facturacion2871@gmail.com>
    Subject: *** SPAM ***
    Message-Id: <tpgg.salesmate.io-e8ba9168-b68-4752-7e7f-78708d74e719@salesmate.io>
    X-Mailer: Salesmate.io
    Content-Transfer-Encoding: quoted-printable
    Date: Mon, 06 Jan 2025 19:43:02 +0000
    MIME-Version: 1.0
    X-Rspamd-Action: rewrite subject
    X-Rspamd-Server: mx1.puzatahata.kiev.ua
    X-Spamd-Bar: +++++++++
    X-Rspamd-Queue-Id: 75D44C0B9077
    X-Spamd-Result: default: False [9.64 / 10.00]; ZERO_WIDTH_SPACE_URL(7.00)[diia.gov.ua]; WHITELIST_SENDER_DOMAIN(-6.00)[gmail.com]; SEM_URIBL_FRESH15(3.00)[diia-id.com:url]; FORGED_RECIPIENTS(3.00)[m:diia@mysalesmate.com,s:info@puzatahata.kiev.ua]; BAYES_HAM(-2.91)[99.61%]; PHISHING(2.07)[diia.gov.ua->diia-id.com]; BAD_REP_POLICIES(1.10)[]; REPLYTO_EQ_FROM(1.00)[]; RWL_MAILSPIKE_POSSIBLE(1.00)[209.85.222.172:from]; NEURAL_HAM_SHORT(-0.41)[-0.830]; MANY_INVISIBLE_PARTS(0.30)[2]; XM_UA_NO_VERSION(0.30)[]; MIME_HTML_ONLY(0.20)[]; MX_GOOD(-0.01)[]; R_SPF_ALLOW(0.00)[+ip4:209.85.128.0/17]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; MIME_TRACE(0.00)[0:~]; FREEMAIL_REPLYTO(0.00)[gmail.com]; FREEMAIL_FROM(0.00)[gmail.com]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_EQ_ENVFROM(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; DKIM_TRACE(0.00)[gmail.com:+]; HAS_REPLYTO(0.00)[facturacion2871@gmail.com]; R_DKIM_ALLOW(0.00)[gmail.com:s=20230601]; DMARC_POLICY_ALLOW(0.00)[gmail.com,none]; ARC_SIGNED(0.00)[puzatahata.kiev.ua:s=dkim:i=1]; HAS_DATA_URI(0.00)[]; TO_DN_NONE(0.00)[]
    X-Spam-Level: *********

    Icon Hash:46070c0a8e0c67d6