I received an email pretending to be from DHL about some package. Given that it was in my native language, and that it genuinely appears to come from DHL, the email seems legit. What gives away that the email is 100% not legit is that it has a RAR archive attached, with an executable inside that I am instructed to double-click to track what's happening with the supposed package.
What surprised me is that neither BitDefender, nor Windows Defender marked it as a threat, even if I manually scanned the file.
This makes me think that this isn't your regular "let's install spamming software on this machine" kind of threat. This also makes me think that I may be intentionally targeted by some malware that is not out in the wild but especially designed for me, which makes me even more curious to find out what it's doing.
So what I did was start a VM and run it inside with Process Monitor recording everything it does. And it's super boring. It doesn't even try to connect to anything, and it doesn't edit any files. It just checks some registry keys and some other system files. This means the file is 100% safe to run… in a VM.
I also submitted it to Joe Sandbox, which confirmed to me that the file is likely malicious and tries to evade virtualization.
This put my mind a bit at rest, because whoever would try to attack me would likely not have this level of sophistication.
Is there any other way, other than running the file on a throwaway computer (which I don't have), to figure out what this is doing?
Here is a link to a zip containing the PML log file, but also the executable, which you should definitely NOT run on any machine you care about: https://drive.google.com/file/d/1BLNQtxqgaMkXvuIw3ktWZ_lgPhlr4mtt/view?usp=sharing
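The "boring" Process Monitor trace is itself evidence: a sample that only reads registry keys and driver files, and never writes, connects or spawns anything, is often probing for a hypervisor before deciding to do nothing. The script below is an added example (not the poster's code, and it has not been run against the poster's PML file); it triages a Process Monitor CSV export (File > Save... as CSV in ProcMon) offline, without executing the sample, flags registry and file accesses that commonly serve as VM checks, and counts the operations that would actually change the machine. The CSV rows are constructed for illustration, and the indicator list (`VM_INDICATORS`) is an assumed, deliberately short starting set rather than an exhaustive one.

```python
import csv
import io
import re
import sys
from collections import Counter

# Constructed sample of a Process Monitor CSV export. These rows are invented for
# illustration and are NOT taken from the poster's PML log.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","track.exe","4120","RegOpenKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest","NAME NOT FOUND","Desired Access: Read"
"10:01:02.101","track.exe","4120","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 48, Data: VBOX - 1"
"10:01:02.102","track.exe","4120","CreateFile","C:\\Windows\\System32\\drivers\\vmmouse.sys","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.103","track.exe","4120","CreateFile","C:\\Windows\\System32\\drivers\\VBoxMouse.sys","SUCCESS","Desired Access: Read Attributes"
"10:01:02.104","track.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:02.105","track.exe","4120","Process Exit","","SUCCESS","Exit Status: 0"
'''

# Assumed, non-exhaustive indicators of hypervisor probing. Order matters: the
# first matching label wins, so the more specific BIOS-query label is tried first.
VM_INDICATORS = [
    (r"SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName",
     "BIOS/firmware string query"),
    (r"vbox|virtualbox", "VirtualBox artifact"),
    (r"vmware|vmmouse|vmhgfs|vmtools", "VMware artifact"),
    (r"\\Disk\\Enum|IDE\\Disk", "Disk enumeration (vendor strings)"),
    (r"qemu|\bxen\b|hyper-v|vmbus", "Other hypervisor artifact"),
]

# ProcMon operations that change state on the host (writes, registry sets,
# network traffic, new processes). Their absence is what made the trace "boring".
ACTIVE_OPERATIONS = {
    "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
    "TCP Connect", "TCP Send", "UDP Send", "Process Create",
}


def classify_vm_probe(path, detail):
    """Return the indicator label for a path/detail pair, or None if it looks benign."""
    haystack = f"{path} {detail}"
    for pattern, label in VM_INDICATORS:
        if re.search(pattern, haystack, re.IGNORECASE):
            return label
    return None


def analyze_procmon_csv(text):
    """Triage a ProcMon CSV export: VM-probe hits and state-changing operations."""
    reader = csv.DictReader(io.StringIO(text))
    vm_checks = []
    active = Counter()
    total = 0
    for row in reader:
        total += 1
        op = row["Operation"]
        if op in ACTIVE_OPERATIONS:
            active[op] += 1
        label = classify_vm_probe(row["Path"], row["Detail"])
        if label:
            vm_checks.append((label, op, row["Path"]))
    return {"total_events": total, "vm_checks": vm_checks, "active_operations": dict(active)}


def is_vm_aware(result, threshold=2):
    """Heuristic: several distinct hypervisor probes and no side effects suggests evasion."""
    return len(result["vm_checks"]) >= threshold and not result["active_operations"]


def report(result):
    """Human-readable summary of the triage result."""
    lines = [f"events: {result['total_events']}",
             f"state-changing operations: {result['active_operations'] or 'none'}",
             f"hypervisor probes: {len(result['vm_checks'])}"]
    for label, op, path in result["vm_checks"]:
        lines.append(f"  [{label}] {op} {path}")
    if is_vm_aware(result):
        lines.append("verdict: probes the environment and then stays idle; "
                     "the trace is not evidence that the sample is harmless")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py exported.csv   (or no argument to run on the sample)
    data = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    print(report(analyze_procmon_csv(data)))
```

On the constructed sample this reports four hypervisor probes and no state-changing operations, i.e. exactly the pattern the poster observed. A real export will contain thousands of rows of ordinary loader activity, so the useful next step is to filter on the sample's process name and on the `NAME NOT FOUND` results for driver and registry paths that only exist under a hypervisor; those misses are what an evasive sample is looking for.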