Browser analysis
The last_report.pdf.exe file may have been copied to the machine from another storage or over the network, but because it was located in the Downloads folder, it may be more reasonable to start investigating the browser history.
The installed browsers in the system were Internet Explorer and Mozilla Firefox. By investigating both with DART tools, we can find some interesting results from MozillaHistoryView:
We can see that the file was downloaded from http://www.maldomain.com/public/latest_report.pdf.exe. However, we can see that the visit time was just after the user visited mail.yahoo.com, which increases the chance that the malicious link was sent to the victim in an e-mail.
If we have the ability to open the victim's mailbox to prove or refute this assumption, in our case, we will find the following message:
We can find this e-mail where the language isn't accurate and the link was added in order to display other text this link rather than the actual...
