Suspicious file attached to phishing mail

porkpiehat

May 30, 2015
h**p://www41.zippyshare.com/v/AgLkYey4/file.html

Hi, curiosity got the better of me... I received a phishing email, and attached was a zip containing a txt named 'new_addresses.txt'. I right-clicked the zip and opened it in Comodo Sandbox. PeaZip opened up, and I clicked on the file without extracting it. On looking at the logs I see that cmd.exe was run in virtual mode. Now, what I would like to know is, would any of you like to examine the file and tell me what actually happened, if at all possible? Cheers.
 
Aah, is it possible it is looking for addresses, since cmd.exe was launched in the background?
 
Hello,

It really is just a text file, there is nothing suspicious as far as I can see as well...

The bytes in the file:
Code:
6E 65 77 6E 61 6D 65 31 40 6E 65 77 64 6F 6D 61 69 6E 31 2E 64 6F 6D 0D 0A 6E 65 77 6E 61 6D 65 32 40 6E 65 77 64 6F 6D 61 69 6E 32 2E 64 6F 6D 0D 0A 6E 65 77 6E 61 6D 65 33 40 6E 65 77 64 6F 6D 61 69 6E 33 2E 64 6F 6D 0D 0A 6E 65 77 6E 61 6D 65 34 40 6E 65 77 64 6F 6D 61 69 6E 34 2E 64 6F 6D 0D 0A

Represent:
Code:
newname1@newdomain1.dom..newname2@newdomain2.dom..newname3@newdomain3.dom..newname4@newdomain4.dom..

The text file might be somewhat used by a sample for whatever reason, but the text file is not malicious. There is no "executable" code included in it, as you can also see from the bytes. Nothing is executed in the background apart from the text editor that loads the contents of the text file upon execution (in my case, notepad.exe loads it).

Cheers. ;)
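The byte-level check described in the reply above can be repeated with a short script. This is an added example, not code posted in the thread: it decodes the quoted hex dump, looks for a few well-known file signatures at the start, and flags any byte outside printable ASCII. The `triage` function and the signature list are assumptions made for illustration.

```python
import string

# Hex dump quoted in the reply above: the bytes of new_addresses.txt.
HEX_DUMP = """
6E 65 77 6E 61 6D 65 31 40 6E 65 77 64 6F 6D 61 69 6E 31 2E 64 6F 6D 0D 0A
6E 65 77 6E 61 6D 65 32 40 6E 65 77 64 6F 6D 61 69 6E 32 2E 64 6F 6D 0D 0A
6E 65 77 6E 61 6D 65 33 40 6E 65 77 64 6F 6D 61 69 6E 33 2E 64 6F 6D 0D 0A
6E 65 77 6E 61 6D 65 34 40 6E 65 77 64 6F 6D 61 69 6E 34 2E 64 6F 6D 0D 0A
"""

# Leading signatures of common executable/container formats
# (a short, assumed list chosen for this example, not exhaustive).
MAGIC = {
    b"MZ": "Windows PE executable",
    b"PK\x03\x04": "ZIP archive (also docx/jar)",
    b"\x7fELF": "ELF executable",
    b"\xd0\xcf\x11\xe0": "OLE2 compound document",
    b"%PDF": "PDF document",
}

# Printable ASCII plus tab, CR, LF and the other ASCII whitespace characters.
TEXT_BYTES = set(string.printable.encode("ascii"))


def triage(data: bytes) -> dict:
    """Summarise whether a blob looks like plain text or a disguised binary."""
    magic = next((name for sig, name in MAGIC.items() if data.startswith(sig)), None)
    non_text = sorted({b for b in data if b not in TEXT_BYTES})
    return {
        "size": len(data),
        "magic": magic,
        "non_text_bytes": [f"{b:02X}" for b in non_text],
        # Printable-only content can still be script text, so the decoded
        # lines are returned for a human to read rather than trusted blindly.
        "lines": data.decode("ascii", errors="replace").splitlines(),
        "plain_text": magic is None and not non_text,
    }


REPORT = triage(bytes.fromhex("".join(HEX_DUMP.split())))

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```
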