For the last few days, I've been tweaking several of my crappy codes. One of them was actually crawling for and finding malicious .inp files.
One interesting file that caught my eye is the following file since the URL is still alive.
ITW Filename : hxxp://pikrpro[.]eu/candida/AAT%20national%20assembly%20final.inp
sha256 : 7ef9b59cb57193fb62039602596723189fcdb5986590ca4e55edb1d0034f2faf
It didn't take more than 5 mins to find the embedded executable within it.
I’ve attached the file in case anyone else didn’t get to download it in time.
7ef9b59cb57193fb62039602596723189fcdb5986590ca4e55edb1d0034f2faf.zip
The password to the zip file is infected29A
Being the curious me... I've done my n00b diligence checks on VT:
https://www.virustotal.com/#/domain/pikrpro.eu
It seems like there is another interesting link.
So I immediately downloaded it.
ITW Filename : hxxp://pikrpro[.]eu/DSR/21.06.2018.doc
sha256 : eea8cc1d819e44fbd5715d746597afac1e47647bcedce4f748cba17306ea2043
Another quick peek and we can see that this is an RTF exploit file that also contains an embedded executable.
eea8cc1d819e44fbd5715d746597afac1e47647bcedce4f748cba17306ea2043.zip
The password to the zip file is infected29A
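As an added example (not part of the original post or the author's crawler), the "quick peek" for an embedded executable in both samples can be automated: the script below looks for MZ/PE headers that appear raw in a container (as in the .inp) or hex-encoded inside RTF object data (as in the .doc). The inputs it runs on are constructed header stubs, not the attached files.

```python
import re
import struct

PE_SIG = b"PE\x00\x00"
# Long runs of hex digit pairs (whitespace allowed between pairs), as found in RTF \objdata
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){64,}")

def find_pe_offsets(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits, start = [], 0
    while (i := data.find(b"MZ", start)) >= 0:
        if i + 0x40 <= len(data):  # need the full DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            if e_lfanew >= 0x40 and data[i + e_lfanew:i + e_lfanew + 4] == PE_SIG:
                hits.append(i)
        start = i + 1
    return hits

def decode_rtf_hex(data: bytes):
    """Yield (offset, decoded bytes) for each long hex run in an RTF body."""
    for m in HEX_RUN.finditer(data):
        hexdigits = re.sub(rb"\s", b"", m.group(0))
        yield m.start(), bytes.fromhex(hexdigits[: len(hexdigits) & ~1].decode())

def scan(data: bytes) -> list:
    """Report embedded PE images, both raw and hex-encoded inside RTF objects."""
    findings = [{"encoding": "raw", "container_offset": o, "pe_offset": o}
                for o in find_pe_offsets(data)]
    if data.lstrip().startswith(b"{\\rtf"):  # trust the magic, not the .doc extension
        for run_off, blob in decode_rtf_hex(data):
            findings += [{"encoding": "rtf-hex", "container_offset": run_off, "pe_offset": o}
                         for o in find_pe_offsets(blob)]
    return findings

def _fake_pe() -> bytes:
    """Constructed MZ/PE header stub for the demo; not a real or malicious executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x7E)   # DOS header padded up to offset 0x80
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> PE signature at 0x80
    return bytes(hdr) + PE_SIG + b"\x00" * 20

# Constructed samples: a raw container with a PE inside, and an RTF carrying the same PE as hex.
RAW_SAMPLE = b"INP header junk " + _fake_pe() + b" trailer"
_hex = _fake_pe().hex().encode()
RTF_SAMPLE = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
              + _hex[:100] + b"\r\n" + _hex[100:] + b"}}}")

if __name__ == "__main__":
    for name, sample in (("raw", RAW_SAMPLE), ("rtf", RTF_SAMPLE)):
        print(name, scan(sample))
```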
Maybe these will be interesting to someone out there.
Have Phun
Jacob Soo