Hancitor UPS delivery status change phish September 26, 2017

1. From: UPS Quantum View Inc <[email protected]>
2. Subject: Delivery status change
3. Downloaded Document name: notice_<6 didits>.doc
4. Document SHA256: 8217c97d7c305c4bb07ad6696121330c4283846c5aa261a5e456f557c8b0e78c
5.  
6. Phishing URLs
7. Make note that phishing is randomizing the three XXX /print.php?XXX=
8. arizonadockanddoor.com/[email protected]
9. dockrepair.com
10. ladockanddoor.com
11. lasvegasdockanddoor.com
12. losangelesdockanddoor.com
13. phoenixdockanddoor.com
14. sandiegodockanddoor.com
15. santafespringsdockanddoor.com
16. tampabayblueprints.com
17. webphoriatech.net
18. webphoriatech.org
19. webphoriatechnologies.com
20. valenciadockanddoor.com
21. losangelesconveyor.com
22.  
23. C2 domains
24. http://rinhedtterfo.com/ls5/forum.php
25. http://tatoftfortwa.ru/ls5/forum.php
26. http://robrofrestoft.ru/ls5/forum.php
27.  
28. Malware Delivery URLs
29. http://necova.gr/wp-content/plugins/broken-link-checker/3
30. http://www.mutznutz.ie/wp-content/plugins/bootstrap-shortcodes/3
31. http://morinomiya.ac.jp/wp-content/plugins/wordpress-https/3
32. http://www.bestguysoncam.com/wp-content/plugins/rss_to_draft/3
33. http://www.businessmarketinganswers.com/wp-content/plugins/enable-site-ping-wpmu/3
34. http://www.icarusplays.com/Aspire_files/afxtoz/3
35. File1 SHA256 df20da3f0ca5b2cb62faa37e1003831b08cf94cf06282f632dcda4095fa3ab32
36. File2 SHA256 8262a39ab3d7c87b14abe04a8eedd82f4f3dde4c68a10409623633274a61a21d
37. File3 SHA256 9aa514be110555806c1b5a5b5964b09249c368209c15b5c4d90057fa979fed40