[Notes] New Malicious InPage document

Over the last few days, I’ve been tweaking several of my crappy scripts. One of them was actually crawling for and finding malicious .inp files.

One interesting file that caught my eye is the following file since the URL is still alive.

ITW Filename : hxxp://pikrpro[.]eu/candida/AAT%20national%20assembly%20final.inp
sha256 : 7ef9b59cb57193fb62039602596723189fcdb5986590ca4e55edb1d0034f2faf

It didn’t take more than 5 minutes to find the embedded executable within it.

I’ve attached the file in case anyone else didn’t get to download it in time.
7ef9b59cb57193fb62039602596723189fcdb5986590ca4e55edb1d0034f2faf.zip
The password to the zip file is infected29A

Being the curious me… I’ve done my n00b diligence checks on VT:
https://www.virustotal.com/#/domain/pikrpro.eu

It seems like there is another interesting link.

So I immediately downloaded it.

ITW Filename : hxxp://pikrpro[.]eu/DSR/21.06.2018.doc
sha256 : eea8cc1d819e44fbd5715d746597afac1e47647bcedce4f748cba17306ea2043

Another quick peek and we can see that this is an RTF exploit file that also contains an embedded executable.

eea8cc1d819e44fbd5715d746597afac1e47647bcedce4f748cba17306ea2043.zip
The password to the zip file is infected29A
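
A triage sketch for the "quick peek" step, added here as an example and not the author's own tooling: it reports validated PE headers stored as raw bytes in a binary container, or hex-encoded in an RTF object. It assumes the payload is stored unencoded, which the post does not state; the function names and both sample inputs are constructed for illustration.

```python
import binascii
import re
import struct

HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]\s*){128,}")  # long hex blob, e.g. RTF \objdata


def is_pe_at(buf: bytes, off: int) -> bool:
    """True if buf[off:] is a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    # Bounding e_lfanew rejects stray "MZ" byte pairs in unrelated data.
    return 0x40 <= e_lfanew <= 0x1000 and buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def find_pe_offsets(buf: bytes) -> list[int]:
    """Offsets of validated PE images stored as raw bytes (binary containers)."""
    return [m.start() for m in re.finditer(b"MZ", buf) if is_pe_at(buf, m.start())]


def find_pe_in_rtf_hex(rtf: bytes) -> list[tuple[int, int]]:
    """(file offset of hex run, PE offset inside the decoded run) for RTF input."""
    hits = []
    for m in HEX_RUN.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group()).decode("ascii")
        # A run can start one nibble early (the final 'a' of "\objdata" is a
        # hex digit), so decode at both nibble alignments.
        for shift in (0, 1):
            aligned = digits[shift:]
            decoded = bytes.fromhex(aligned[:len(aligned) & ~1])
            hits += [(m.start(), off) for off in find_pe_offsets(decoded)]
    return hits


def constructed_pe_stub() -> bytes:
    """Constructed test input: minimal DOS header + PE signature, not a real sample."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


def constructed_rtf() -> bytes:
    """Constructed RTF with the stub hex-encoded in an \\objdata group."""
    blob = binascii.hexlify(b"\x01\x05\x00\x00" + constructed_pe_stub())
    lines = b"\r\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + lines + b"}}}"


if __name__ == "__main__":
    raw = b"\xd0\xcf\x11\xe0" + b"A" * 100 + b"MZ junk" + constructed_pe_stub()
    print(find_pe_offsets(raw), find_pe_in_rtf_hex(constructed_rtf()))
```

A hit is only a pointer for manual review; an XOR-encoded or compressed payload will not match and needs a different check.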

Maybe these will be interesting to someone out there.

Have Phun
Jacob Soo

Article Link: http://www.vxsecurity.sg/2018/07/22/notes-new-malicious-inpage-document/