Windows Analysis Report
POSTA CERTIFICATA PRESTITI FINTECH FINO A 5 MILIONI DI EURO - BLOCCA PE... (633Ko).msg

{
    "explanation": [
        "The subject line is overly promotional and written in all caps, a common spam/phishing tactic",
        "The message promotes financial services with unrealistic guarantees and loan amounts, typical of financial scams",
        "The sender uses a PEC (certified email) service but the content appears to be unsolicited commercial messaging"
    ],
    "phishing": true,
    "confidence": 9,
    "generated_by_ai": false
}

{
    "date": "Thu, 12 Dec 2024 14:31:55 +0100", 
    "subject": "POSTA CERTIFICATA: PRESTITI FINTECH FINO A 5 MILIONI DI EURO - BLOCCA PER 3 MESI LA GARANZIA STATALE MCC FINO ALL'80% - IN ALLEGATO IL CALENDARIO DELLE DELIBERE PER L'ANNO 2024 - VALUTIAMO RICHIESTE IN PRESENZA DI PICCOLI SCONFINI TECNICI IN CR - Per info chiama subito l'800985228", 
    "communications": [
        "\nMessaggio di posta certificata\n\n________________________________\n\n\nIl giorno 12/12/2024 alle ore 14:31:55 (+0100) il messaggio\n\"PRESTITI FINTECH FINO A 5 MILIONI DI EURO - BLOCCA PER 3 MESI LA GARANZIA STATALE MCC FINO ALL'80% - IN ALLEGATO IL CALENDARIO DELLE DELIBERE PER L'ANNO 2024 - VALUTIAMO RICHIESTE IN PRESENZA DI PICCOLI SCONFINI TECNICI IN CR - Per info chiama subito l'800985228\"  stato inviato da \"consulenzaeurofintech@arubapec.it\"\nindirizzato a:\ndataprotection@socotec.com\n\nIl messaggio originale  incluso in allegato.\nIdentificativo messaggio: opec210312.20241212143155.48531.169.1.51@pec.aruba.it\n\n\n"
    ], 
    "from": "\"Per conto di: consulenzaeurofintech@arubapec.it\" <posta-certificata@pec.aruba.it>", 
    "to": "dataprotection@socotec.com", 
    "attachements": [
        ""
    ]
}

{
  "risk_score": 8,
  "reasoning": [
    "Suspicious IP origin from dynamic-adsl residential network, unusual for legitimate business email",
    "Claims to be from arubapec.it (Italian certified email) but sent from Tisuser ISP network",
    "Proofpoint spam score is suspiciously low (0) despite red flags",
    "Message appears to be digitally signed but originates from unexpected network",
    "Mismatch between return-path domain (arubapec.it) and actual sending infrastructure",
    "Dynamic IP address usage suggests potential malicious activity masquerading as legitimate business service"
  ]
}

Date: Thu, 12 Dec 2024 14:31:55 +0100
Key: mime-version
Value: 1.0
Key: return-path
Value: consulenzaeurofintech@arubapec.it
Key: x-proofpoint-virus-version
Value: vendor=baseguard
Key: message-id
Value: <opec210312.20241212143155.48531.169.1.51@pec.aruba.it>
Key: content-type
Value: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="----0C4107273EEF3CA7DAEE97AA7E8660C5"
Key: x-proofpoint-spam-details
Value: rule=inbound_notspam policy=inbound score=0 clxscore=502 suspectscore=0
Key: received
Value: from dynamic-adsl-84-220-244-24.clienti.tisuser.it

{
  "contains_trigger_text": true,
  "trigger_text": "PRESIDENTE CHINO A 5 MILIONI DI EURO - BLOCCA PER 3 MESI LA GARANZIA VETALE MC FIO",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": "unknown"
}

{"classification":"Lure-Based Attack"}

Email:
Detected potential phishing email: The subject line is overly promotional and written in all caps, a common spam/phishing tactic. The message promotes financial services with unrealistic guarantees and loan amounts, typical of financial scams. The sender uses a PEC (certified email) service but the content appears to be unsolicited commercial messaging