Last few days, i’ve been tweaking several of my crappy codes. One of the codes were actually crawling and finding malicious .inp files.
One interesting file that caught my eye is the following file since the URL is still alive.
ITW Filename : hxxp://pikrpro[.]eu/candida/AAT%20national%20assembly%20final.inp sha256 : 7ef9b59cb57193fb62039602596723189fcdb5986590ca4e55edb1d0034f2faf
It didn’t take more than 5mins and we can find the embedded executable within it.
I’ve attached the file in case anyone else didn’t get to download it in time.
7ef9b59cb57193fb62039602596723189fcdb5986590ca4e55edb1d0034f2faf.zip
The password to the zip file is infected29A
Being the curious me….i’ve done my n00b dilligence checks on VT
https://www.virustotal.com/#/domain/pikrpro.eu
It seems like there is another interesting link.
So i immediately downloaded it
ITW Filename : hxxp://pikrpro[.]eu/DSR/21.06.2018.doc sha256 : eea8cc1d819e44fbd5715d746597afac1e47647bcedce4f748cba17306ea2043
Another quick peek and we can see that this is an RTF exploit file and also containing an embedded executable.
eea8cc1d819e44fbd5715d746597afac1e47647bcedce4f748cba17306ea2043.zip
The password to the zip file is infected29A
Maybe these will be interesting to someone out there.
Have Phun
Jacob Soo
Article Link: http://www.vxsecurity.sg/2018/07/22/notes-new-malicious-inpage-document/