2019-09-30 - Info from malspam pushing Shade ransomware

1. MALSPAM PUSHING SHADE (TROLDESH) RANSOMWARE ON MONDAY 2019-09-30
2.  
3. ASSOCIATED EMAIL:
4.  
5. - https://pastebin.com/Zn9hhmLv
6.  
7. INFECTION CHAIN:
8.  
9. - Email --> Attached PDF file --> link in PDF file --> downloaded zip archive --> Extracted JS file --> retrieves Shade (Troldesh) ransomware binary
10.  
11. URLS ASSOCIATED WITH THIS INFECTION CHAIN:
12.  
13. - hxxp://gigazine[.]us/wp-content/languages/plugins/doc/
14. - hxxps://www.blizzz[.]nl/wp-content/themes/vertikal/option-tree/assets/css/tF2Iu/2c.jpg
15. - hxxp://jonnyb[.]org/alexhampton/_assets/css/doc/2c.jpg
16.  
17. FILE HASHES ASSOCIATED WITH THIS INFECTION CHAIN:
18.  
19. - SHA256 hash: 3c504429569ca24a2e664471a8944d078a11be2fcefc122003b3134420909e00  
20. - File size: 32,871 bytes
21. - File name: СДФ.pdf
22. - File description: PDF attachment from malspam pushing Shade (Troldesh) ransomware
23.  
24. - SHA256 hash: 4d262d0ce7fb86a346924b2415da0be61d7dd4f78c34e39496a5b1801e4582ca
25. - File size: 11,640 bytes
26. - File name: doc.zip
27. - File location: hxxp://gigazine[.]us/wp-content/languages/plugins/doc/
28. - File description: Zip archive downloaded from link in the above PDF file
29.  
30. - SHA256 hash: a53b461aa9872f58e30269429fe4765d52b8c14c7cda3af5812279e35a2f7f78
31. - File size: 17,751 bytes
32. - File name: Информация о заказе 26.09.2018-29.xls.js
33. - File description: Extracted JavaScript (.js) file extracted from the above zip archive.
34.  
35. - SHA256 hash: b648daf8cb29ad1cf72528d0e93a12c05f4752bd721173f035a5ee724fd97aa1
36. - File size: 178,8928 bytes
37. - File location: hxxps://www.blizzz[.]nl/wp-content/themes/vertikal/option-tree/assets/css/tF2Iu/2c.jpg
38. - File location: hxxp://jonnyb[.]org/alexhampton/_assets/css/doc/2c.jpg
39. - File location: C:\Users\[username]\AppData\Local\Temp\radAE6A6.tmp (various hex characters in file name)
40. - File description: Shade (Troldesh) ransomware binary (Windows EXE)