ThreatScope Analysis Report

For file WellsFargo_0715201.PDF.exe uploaded 2013-07-15 at 09:20:15 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Traffic to server hosting malicious content

Drops and runs executable file(s) in a directory of the user profile often used by malware

Drops executable file(s)

Possibly injects code into remote process(es)

Writes to the filesystem in a directory of the user profile often used by malware

Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5: e9b12c2c4958484a142bc5373221a8ae
Hash SHA-1: 90d8040bfb3e799352419bbe39fa5e18ce157429
Hash SHA-256: 270d47af995cec2a39e2fb1ef14d81f338d3754c3f7855692b2357cb269c8768
File size: 114.00 KB
File uploaded: 2013-07-15 09:20:15 AM
Report created: 2013-07-15 09:21:57 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs. For each request, Details lists the user agent string and HTTP server (and encryption information where present); Status gives the response type (e.g. 200, meaning OK) followed by the size of the response; MIME gives the server-declared content type followed by the true content type where it was determined.

URL: http://liltommy.com/ep9C.exe
IP Address: 184.173.201.131 (United States)
Category: Malicious Web Sites
User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Apache
Method: GET
Status: 200, 296.50 KB
MIME: application/x-msdownload

URL: http://www.wineoutleteventspace.com/7UNFVh.exe
IP Address: 208.113.243.4 (United States)
Category: Malicious Web Sites
User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Apache
Method: GET
Status: 200, 218.50 KB
MIME: application/x-msdownload

URL: http://www.oh-onlinehelp.com/Pefyi.exe
IP Address: oh-onlinehelp.com
Category: Malicious Web Sites
User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Apache
Method: GET
Status: 200, 296.50 KB
MIME: application/x-msdownload

URL: http://video.wmd-brokerchannel.de/qAz575t.exe
IP Address: 213.148.99.220 (Germany)
Category: Uncategorized
User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Apache
Method: GET
Status: 200, 296.50 KB
MIME: application/x-msdos-program

URL: http://www.microsoft.com/uploading/id=9498657&u=6WvV8DM+spUaZj6J1Rjz8HujLYYtwDJtVzOEzRjCdcu2EcfNKAiwaetWWGRPNJERpEbxdqFORnULVjLveuzx
Category: Information Technology
User agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
HTTP Server: nginx
Method: GET
Status: 403, 0 B
MIME: text/html

URL: http://dharmaking.net/ponyb/gate.php
IP Address: 64.94.100.116 (United States)
Category: Uncategorized
User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: nginx/0.7.67
Method: POST
Status: 200, 0 B
MIME: text/html

URL: http://www.google.com/
IP Address: 173.194.33.49 (United States)
Category: Search Engines and Portals
User agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Method: GET
Status: 0, 0 B

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname                        Category                     IP address
www.google.com                  Search Engines and Portals   173.194.33.49
www.google.com                  Search Engines and Portals   173.194.33.50
www.google.com                  Search Engines and Portals   173.194.33.51
www.google.com                  Search Engines and Portals   173.194.33.48
www.google.com                  Search Engines and Portals   173.194.33.52
www.oh-onlinehelp.com           Uncategorized                oh-onlinehelp.com
www.wineoutleteventspace.com    Malicious Web Sites          208.113.243.4
dharmaking.net                  Uncategorized                64.94.100.116
liltommy.com                    Malicious Web Sites          184.173.201.131
video.wmd-brokerchannel.de      Uncategorized                213.148.99.220

IP addresses

The analyzed file requests the following IP addresses.

IP Address          ASN                                          Country
184.173.201.131     AS36351 SoftLayer Technologies Inc.          United States
208.113.243.4       AS26347 New Dream Network, LLC               United States
oh-onlinehelp.com
213.148.99.220      AS57537 Net-D-Sign GmbH                      Germany
64.94.100.116       AS32374 Nuclearfallout Enterprises, Inc.     United States
173.194.33.49       AS15169 Google Inc.                          United States

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event         File path
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\CGH17FD.bat
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\27789.exe
Writes file   C:\Documents and Settings\victimo\Cookies\victimo@google[2].txt
Writes file   C:\Documents and Settings\victimo\NTUSER.DAT.LOG
Writes file   C:\Documents and Settings\victimo\Cookies\victimo@google[1].txt
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\30233.exe
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\VUM908F.bat
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\UWOB8C7.bat
Writes file   C:\Documents and Settings\victimo\NTUSER.DAT
Writes file   C:\Documents and Settings\victimo\Application Data\Ofzaj\egirij.exe
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\26718.exe
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\31685.bat
Writes file   C:\Documents and Settings\victimo\Local Settings\Temp\30794.exe
Writes file   C:\Documents and Settings\victimo\Cookies\index.dat

Process modifications

The analyzed file affected the following system processes.

Event             File path
Creates Process   C:\WINDOWS\system32\cmd.exe

Registry

No Windows Registry changes were made.

Global system events

No global system events were detected.

Forcepoint has made an effort to determine whether your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.