2017-06-01 Jaff "xxxxxxxx.pdf"

1. 2017-06-01: #jaff email phishing campaign "xxxxxxxx.pdf"
2.  
3. Email:
4. ------------------------------------------------------------------------------------------------------------
5. From: "Sonia" [REDACTED]
6. To: [REDACTED]
7. Subject: 53612695.pdf
8. Date: Fri, 02 Jun 2017 00:02:09 +0200
9.  
10. Attachment: "53612695.pdf"
11. ------------------------------------------------------------------------------------------------------------
12. - sender is <random>@<recipient domain>
13. - subject is "<8 random numbers>.pdf"
14. - body of the email is empty
15. - attached file "<8 random numbers>.pdf" contains embedded <5-8 random uppercase chars and numbers>.doc file, which contains VBA macros downloading the malware
16.  
17. Download sites:
18. http://benefeet.org/7rvmnb
19. http://dsopro.com/7rvmnb
20. http://eselink.com.my/7rvmnb
21. http://e-snhv.com/7rvmnb
22. http://fabriquekorea.com/7rvmnb
23. http://katoconsulting.ro/7rvmnb
24. http://newserniggrofg.net/af/7rvmnb
25. http://orhangazitur.com/7rvmnb
26. http://paradigmenergycorp.com/7rvmnb
27. http://poltec.com.au/7rvmnb
28. http://praktikum-marketing.de/7rvmnb
29. http://pw-shop.com/7rvmnb
30. http://resevesssetornument.com/af/7rvmnb
31. http://tasfirin-ustasi.net/7rvmnb
32. http://theexcelconsultant.com/7rvmnb
33. http://vigs.mx/7rvmnb
34.  
35. Malware:
36. - encoded on download, SHA256 98f0f68feb0495de61add43c717ccb462fbe46bc977bb295c688bd4511272b55, MD5 e364235c573d3b60a5f56a124b325da0
37. - filesize 251904 bytes
38. - decode by XORing with 8gLWwOAHEuM6crpxvott0S3wqRCtPVsh
39. - decoded SHA256 98f0f68feb0495de61add43c717ccb462fbe46bc977bb295c688bd4511272b55, MD5 04a20327fc3a5d98c41e0096452bf9e6
40. - samples
41. https://www.virustotal.com/en/file/824901dd0b1660f00c3406cb888118c8a10f66e3258b5020f7ea289434618b13/analysis/
42. https://www.reverse.it/sample/824901dd0b1660f00c3406cb888118c8a10f66e3258b5020f7ea289434618b13?environmentId=100
43.  
44. C2:
45. http://whoisfoxxrobiouy.net/a5/