2017-07-19 #TrickBot email phishing campaign "NNNNNNNN - True Telecom Invoice for June 2017"
Stats: 1062 emails -> 13 unique PDFs -> 13 unique .docm -> 11 unique macros -> 49 download URLs (listed below, all on the same path /83b7bf3) -> 2 malware samples
Email sample:
---------------------------------------------------------------------------------------------------------------
From: billing@true-telecom.com
To: [REDACTED]
Subject: 19214857 - True Telecom Invoice for June 2017
Date: Wed, 19 Jul 2017 14:34:54 +0530

Dear CUSTOMER

We have attached your latest True Telecom bill for June 2017.

To be able to read your invoice file you will require the Adobe Acrobat PDF viewer. You may already have this installed,
if not please visit the Adobe website and download their free viewer.

Payments made by direct debit will be collected 14 days from the date of the Bill.

If you wish to contact us, please do not hesitate to get in touch with one of our friendly customer services agents.

Telephone: 0800 840 40 60
Fax: 0844 779 2253
Email: customerservice@true-telecom.com

Please be advised that this is an unmonitored email address.

With Kind Regards,
The True Telecom Team
www.True-Telecom.com

True Telecom Ltd is registered in England and Wales No. 08225783.
Head Office address: Ground Floor, Lakeview West, Galleon Boulevard, Crossways Business Park, Dartford, Kent, DA2 6QE

This communication together with any attachments transmitted with it ("this E-Mail") is intended only for the use of the addressee and may contain information which is privileged and confidential. If the reader of this E-Mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient you are hereby notified that any use, dissemination, forwarding, printing or copying of this E-Mail is strictly prohibited. Addressees should check this E-mail for viruses. The Company makes no representations as regards the absence of viruses in this E-Mail. If you have received this E-Mail in error please immediately delete, erase or otherwise destroy this E-Mail and any copies of it. Any opinions expressed in this E-Mail are those of the author and do not necessarily constitute the views of the Company. Nothing in this E-Mail shall bind the Company in any contract or obligation. The Company only guarantees service in accordance with the service charter. The company accepts no liability for failure of hardware after the termination point. For the purposes of this E-Mail "the Company" is the trading name of True Telecom Ltd. True Telecom Ltd (Registered in England & Wales No. 08225783)

Attachment: 2017-06-Bill.PDF
---------------------------------------------------------------------------------------------------------------
- sender is billing@true-telecom.com
- subject is "<8 digits> - True Telecom Invoice for June 2017"
- attached file "2017-06-Bill.PDF" contains an embedded MS Word file "DOC<8 digits>.docm" whose macro downloads the XOR-encoded payload from one of the sites listed under "Download sites" below
Attachments:
42cbb51be75a0ce60dbdcd8e387a476eedc795c0af8430eca89fd42f0ec39e1f 0004.pdf
738fc2a336bc07cae027648411c1e56192d33d88ae15a5fb2d075b39d067459b 0005.pdf
554442f604e2f96db836cbec6da6e772aa98d99d090a7a23956ef7a5bfaaddaa 0008.pdf
e6630b69628c8c8f56d112865593cec8b45f76bc098b76ef44e9fa8c3af66e66 0009.pdf
c9d84853c51373ae3ca06fba80575be6ed85e6894c89b1552bf661f8cfdcd697 0010.pdf
92e923a78c47188139a8b34d67e4e8ca43000e48f7135b23a7fb73e9494b1fdd 0012.pdf
c9826cb668cf449d13b8074ebf86f1b7b35fe03aa56f34a4c6a666bc2fbe3d46 0017.pdf
adc0628a2837cd47b525dfd2253aa229ecd00a3f41aff13af2c7a64b481d54a2 0066.pdf
40729b4fc84e69627cd87589bba3b241b4125228b86fc9bd208ce852d8babdcd 0176.pdf
be26d88dc62cca807b588747c56eb2b822009be48d9714eb48be2cfe1456ec0b 0199.pdf
1f2b3082e70ed8d9657a2ff23b77a60eae29d108377258c9ab6aa7d00acdec06 0509.pdf
847c37bcdc543fa84a14a51891d4f9c16b24929cb3755e1ffaf8303508b4a211 0515.pdf
42e6ad9ae22386ccf89edf4db4603868e0a69b73541f31194ef2244f4807049a 0776.pdf
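The attachments above carry the .docm inside the PDF as an embedded file, so the first triage step is to pull the embedded stream out and see whether it is an OOXML zip with a VBA project. The script below is an added example written for this write-up, not code from the paste or from the campaign. It uses only the Python standard library: it walks the PDF objects with regexes, inflates /FlateDecode streams, resolves the /Filespec name, and flags zips that contain word/vbaProject.bin. The sample PDF and the .docm inside it are constructed in the block; the file name DOC19214857.docm is an assumption that follows the DOC<8 digits>.docm pattern described above. It does not handle object streams, encrypted PDFs or indirect /Length values, so a clean result means "nothing found", not "nothing there".

```python
"""Triage a PDF for embedded macro-enabled Word files (/EmbeddedFile streams).

Added example for this write-up, not code from the paste or from the campaign.
Stdlib only: walks PDF objects with regexes, inflates /FlateDecode streams and
flags OOXML zips that carry word/vbaProject.bin (a VBA macro project).
Limitations: no object streams, no encryption, no indirect /Length.
"""
import hashlib
import io
import re
import zipfile
import zlib

# "N G obj <<dict...>>" followed by either a stream body or endobj
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?)(stream\r?\n|endobj)", re.DOTALL)
# direct integer /Length only; the \b stops "/Length 123 0 R" matching as 12
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stream_bytes(pdf: bytes, dict_text: bytes, start: int) -> bytes:
    """Slice the raw stream body that begins at offset `start`."""
    m = LENGTH_RE.search(dict_text)
    if m:
        return pdf[start:start + int(m.group(1))]
    end = pdf.find(b"endstream", start)
    return pdf[start:end if end != -1 else len(pdf)].rstrip(b"\r\n")


def _zip_has_vba(data: bytes) -> tuple[bool, bool]:
    """(is_zip, contains word/vbaProject.bin) for an OOXML candidate."""
    if not data.startswith(b"PK\x03\x04"):
        return False, False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return True, any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return True, False  # zip magic but unreadable: still worth a look


def triage_pdf(pdf: bytes) -> list[dict]:
    """Return one record per /EmbeddedFile stream found in `pdf`."""
    names: dict[int, str] = {}  # stream object number -> name from its /Filespec
    found = []
    for m in OBJ_RE.finditer(pdf):
        objnum, d = int(m.group(1)), m.group(3)
        if re.search(rb"/Type\s*/Filespec", d):
            ef = re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+\d+\s+R", d)
            nm = re.search(rb"/UF\s*\((.*?)\)", d) or re.search(rb"/F\s*\((.*?)\)", d)
            if ef:
                names[int(ef.group(1))] = nm.group(1).decode("latin-1") if nm else "?"
        elif re.search(rb"/Type\s*/EmbeddedFile", d) and m.group(4).startswith(b"stream"):
            raw = _stream_bytes(pdf, d, m.end())
            if b"/FlateDecode" in d:
                try:
                    raw = zlib.decompress(raw)
                except zlib.error:
                    pass  # keep the raw bytes; still hash and report them
            is_zip, has_vba = _zip_has_vba(raw)
            found.append({"obj": objnum, "size": len(raw), "sha256": sha256_hex(raw),
                          "is_zip": is_zip, "has_vba_macro": has_vba, "payload": raw})
    for rec in found:  # Filespec may come before or after its stream, so resolve at the end
        rec["name"] = names.get(rec["obj"], "?")
    return found


def build_sample_pdf() -> tuple[bytes, bytes]:
    """CONSTRUCTED input: a tiny PDF carrying a fake .docm (zip with vbaProject.bin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 28)  # OLE magic only
    docm = buf.getvalue()
    stream = zlib.compress(docm)
    name = b"DOC19214857.docm"  # assumed name following the DOC<8 digits>.docm pattern
    pdf = (b"%PDF-1.7\n"
           b"1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(" + name +
           b") 2 0 R] >> >> >>\nendobj\n"
           b"2 0 obj\n<< /Type /Filespec /F (" + name + b") /UF (" + name +
           b") /EF << /F 3 0 R >> >>\nendobj\n"
           b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length " +
           str(len(stream)).encode() + b" >>\nstream\n" + stream + b"\nendstream\nendobj\n%%EOF\n")
    return pdf, docm


SAMPLE_PDF, SAMPLE_DOCM = build_sample_pdf()

if __name__ == "__main__":
    for rec in triage_pdf(SAMPLE_PDF):
        print({k: v for k, v in rec.items() if k != "payload"})
```

Run it against a real attachment with `triage_pdf(open("0004.pdf", "rb").read())`; a record with `has_vba_macro` set is the .docm to hand to a macro extractor, and its `sha256` is the value to pivot on.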
Download sites:
http://aarontax.com/83b7bf3
http://aromozames.ru/83b7bf3
http://atlon-mebel.ru/83b7bf3
http://atsxpress.com/83b7bf3
http://ayurvoyage.com/83b7bf3
http://cabbonentertainments.com/83b7bf3
http://cupcakery.in/83b7bf3
http://dabar.name/83b7bf3
http://descuentosperu.com/83b7bf3
http://editorialmasterlibros.com/83b7bf3
http://enzyma.es/83b7bf3
http://e-snhv.com/83b7bf3
http://faltico.com/83b7bf3
http://fibrotek.com/83b7bf3
http://fondazioneprogenies.com/83b7bf3
http://gbaudiovisual.co.uk/83b7bf3
http://in-city.info/83b7bf3
http://infochord.com/83b7bf3
http://inormann.it/83b7bf3
http://kms2017.com/83b7bf3
http://luxurious-ss.com/83b7bf3
http://motelesapp.com/83b7bf3
http://nasusystems.com/83b7bf3
http://nikanels.pl/83b7bf3
http://orinta.de/83b7bf3
http://pankaj.pro/83b7bf3
http://pearlgonzalez.com/83b7bf3
http://peterich.de/83b7bf3
http://pta-babel.net/83b7bf3
http://pw-shop.com/83b7bf3
http://schoolalarm.in/83b7bf3
http://spaceonline.in/83b7bf3
http://studio80.biz/83b7bf3
http://sunnydaypublishing.com/83b7bf3
http://swangroup.net/83b7bf3
http://sxmht.com/83b7bf3
http://taobba.com/83b7bf3
http://tax-accounting.net/83b7bf3
http://tayangfood.com/83b7bf3
http://teoxan.ru/83b7bf3
http://test.atlon-mebel.ru/83b7bf3
http://thegardiners.ca/83b7bf3
http://thetwilightzonenetwork.com/83b7bf3
http://tidytrend.com/83b7bf3
http://urban-dna.pt/83b7bf3
http://wankelstefan.de/83b7bf3
http://westsussexcentre.org.uk/83b7bf3
http://wizbam.com/83b7bf3
http://ymcaonline.net/83b7bf3
Malware:
- [1] encoded on download SHA256 c829ec30efa6a0448ab27c8d7a0b139c102b14805cd458084353e3e5f0343fd2, MD5 7b4e5bd60644f28b042ff6faa10519c2
- [2] encoded on download SHA256 a11fd973ea8bfd69772c26fde686f6529e671058799301f2aea3915b1a928f51, MD5 89eae47c0fe12a7409dc42304dbb737f
- decode by XORing download with "cizf8cXPd8VvFu1oEdTbJEViOJp6Dmmh"
- [1] decoded SHA256 9f6549b5278691c3c1b46d9a5628445d65e89f31a9d4be07077d2afbacd2d441, MD5 eb35f0484e9cd890a39e675fbb352d7c
- [2] decoded SHA256 bbf078b84fe939f8b3a3d297c72b9240749bcd59fb0a31e6098e822f1a83fd60, MD5 f9650f8f6d8953dbfef206a4783cdd56
- [1] VT: https://www.virustotal.com/file/9f6549b5278691c3c1b46d9a5628445d65e89f31a9d4be07077d2afbacd2d441/analysis/
- [2] VT: https://www.virustotal.com/file/bbf078b84fe939f8b3a3d297c72b9240749bcd59fb0a31e6098e822f1a83fd60/analysis/
- [1] HA: https://www.reverse.it/sample/9f6549b5278691c3c1b46d9a5628445d65e89f31a9d4be07077d2afbacd2d441?environmentId=100
- [2] HA: https://www.reverse.it/sample/bbf078b84fe939f8b3a3d297c72b9240749bcd59fb0a31e6098e822f1a83fd60?environmentId=100
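The downloads are stored XOR-encoded and only become a PE after decoding, which is why the paste gives hashes for both forms. The block below is an added example for this write-up, not code from the paste or from the campaign: it applies the 32-byte key from the paste as a repeating XOR key (an assumption about how a key shorter than the file is used, but the only sensible reading), hashes both the encoded and decoded forms as the paste does, and sanity-checks the result by looking for the MZ header and the PE signature at e_lfanew. The payload bytes in the block are constructed (a minimal fake PE header), so their hashes will not match the paste's; on a real download the same calls give the "encoded"/"decoded" SHA256 and MD5 pairs to compare against the values above.

```python
"""XOR-decode the payload the macro downloads, as the paste describes.

Added example, not code from the paste or from the campaign. XOR_KEY is the
key published in the paste, applied as a repeating key (assumption). The
payload bytes are CONSTRUCTED here (a minimal fake PE header), so the hashes
differ from the paste's; a real download decodes with the same calls.
"""
import hashlib
from itertools import cycle

XOR_KEY = b"cizf8cXPd8VvFu1oEdTbJEViOJp6Dmmh"  # 32-byte key from the paste


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key; encode and decode are the same op."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def hashes(data: bytes) -> dict:
    """Both digests the paste reports for each sample."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def key_matches(blob: bytes, key: bytes = XOR_KEY) -> bool:
    """Cheap pre-check on a large blob: a PE's first two plaintext bytes are 'MZ'."""
    return len(blob) >= 2 and xor_repeating(blob[:2], key) == b"MZ"


def looks_like_pe(data: bytes) -> bool:
    """DOS header magic plus a PE signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_download(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """Decode a downloaded blob; report hashes of both forms and a PE sanity check."""
    decoded = xor_repeating(blob, key)
    return {"encoded": hashes(blob), "decoded": hashes(decoded),
            "is_pe": looks_like_pe(decoded), "payload": decoded}


def build_sample() -> tuple[bytes, bytes]:
    """CONSTRUCTED (plaintext, encoded) pair: 0x40-byte DOS header, PE signature, padding."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> directly after the DOS header
    plain = bytes(hdr) + b"PE\0\0" + b"\0" * 60
    return plain, xor_repeating(plain, XOR_KEY)


SAMPLE_PLAIN, SAMPLE_DOWNLOAD = build_sample()

if __name__ == "__main__":
    r = decode_download(SAMPLE_DOWNLOAD)
    print("key matches:", key_matches(SAMPLE_DOWNLOAD), "is_pe:", r["is_pe"])
    print("encoded:", r["encoded"])
    print("decoded:", r["decoded"])
```

For a real sample, `decode_download(open("download.bin", "rb").read())` should report the paste's "encoded on download" hashes under "encoded" and the "decoded" hashes under "decoded"; if `key_matches` is false, the blob is not encoded with this key and the decoded hashes are meaningless.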