- THREAT IDENTIFICATION: UNKNOWN MALWARE
- ANALYST NOTES
- The emails all had varied subjects - it's likely that the subjects have been stolen from existing emails.
- The bodies of the emails however are original and all mention reviewing information in a document.
- There's a link to a download URL as well as a password that's unique for each email.
- The downloaded file is a .zip file which contains a .js file.
- The JavaScript file calls out to download another file (no extension) stored on a file sharing platform.
- This one is also a script which is fairly heavily obfuscated - mostly with just base64 encoding.
- I extracted the base64 strings and noticed 2 streams with MZ headers.
- After extracting these to disk, I discovered that they're both .dll files (32 and 64-bit).
- At this point, that's as far as I've gotten.
- SENDERS OBSERVED
- MALDOC DISTRIBUTION URLS
- MALDOC FILE HASHES
- SECOND STAGE DOWNLOAD URLS
- http://sendfile2.link/get?ID=I1IgFr24Cxg
- http://sendfile2.link/get?ID=cRI1qau2D9vH
- http://sendfile2.link/get?ID=g1Ua41OL02p
- SECOND STAGE FILE HASHES
- I1IgFr24Cxg
- cc17e0a3a15da6a83b06b425ed79d84c
- EMBEDDED PAYLOAD FILE HASHES
- fa9e686b811a1d921623947b8fd56337
- 32-bit .dll
- 1f285e496096168fbed415e6496a172f
- 64-bit .dll
- EMAIL BODY
- Good day to you!
- We need your help. Please review the information in the archive you can get via the link below: Contract 782\7
- The password: <unique_string>
- Provide us with all the related information as soon as you can.
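The carving step described in the analyst notes above (pull the long base64 runs out of the obfuscated second-stage script, decode them, keep the ones with an MZ header and tell the 32-bit DLL from the 64-bit one) as an added Python example. This is not the analyst's own tooling, and SAMPLE_SCRIPT is a constructed stand-in with two minimal PE-like blobs, not the real second stage.

```python
import base64
import hashlib
import re
import struct

# Runs of 64+ base64 characters; shorter runs are treated as noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# IMAGE_FILE_HEADER.Machine values for the two DLL architectures in the notes.
MACHINE_NAMES = {0x014C: "32-bit", 0x8664: "64-bit"}


def pe_architecture(blob):
    """Return '32-bit' or '64-bit' if blob is a PE image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)   # offset of the PE signature
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", blob, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, "unknown machine 0x%04x" % machine)


def carve_pe_payloads(script_text):
    """Decode every long base64 run and keep the ones that decode to a PE file."""
    found = []
    for match in B64_RUN.finditer(script_text):
        run = match.group(0)
        try:
            blob = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        arch = pe_architecture(blob)
        if arch is not None:
            found.append({"offset": match.start(), "size": len(blob), "arch": arch,
                          "md5": hashlib.md5(blob).hexdigest()})
    return found


def make_fake_pe(machine):
    """Constructed minimal PE-like image: DOS header, e_lfanew -> PE signature + Machine."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)    # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points just past it
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


# Constructed stand-in for the obfuscated second-stage script; not the real sample.
SAMPLE_SCRIPT = (
    'var a="' + base64.b64encode(make_fake_pe(0x014C)).decode() + '";\n'
    'var b="' + base64.b64encode(b"some config text, not a PE file " * 4).decode() + '";\n'
    'var c="' + base64.b64encode(make_fake_pe(0x8664)).decode() + '";\n'
)
```

Running `carve_pe_payloads` over a real second-stage script gives the offset, size, architecture and MD5 of each embedded PE so the carved DLLs can be written to disk and hashed for the IoC list.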