#xml_211218

1. #IOC #OptiData #VR #hz #xml_rels
2.  
3. https://pastebin.com/NqSr9aMd
4. FAQ:
5.  
6. attack_vector
7. --------------
8. email attach .docx > .xml.rels > GET a.uchi{.} moe/zmxyor.doc > 404
9.  
10. email_headers
11. --------------
12. Received: from xdtoilet.gq ([103.89.88.69])
13. by srv8.victim1.com for <user0@org7.victim1.com>;
14. Fri, 21 Dec 2018 07:28:03 +0200 (EET)
15. (envelope-from asherc@xdtoilet.gq)
16. Reply-To: info4@xdtoilet.com
17. From: Asher Clif <asherc@xdtoilet.gq>
18. To: user0@org7.victim1.com
19. Subject: Enquiry
20. Date: 21 Dec 2018 13:19:03 -0800
21. Disposition-Notification-To: darrenmaurice00@gmail.com
22.  
23. files
24. --------------
25. SHA-256 c80651ca9cd9d3a73371453684a6ee4bd46df23832c808668f7dd38fb87fa444
26. File name SAMPLE23142.docx
27. File size 11.76 KB
28.  
29. activity
30. **************
31.  
32. SAMPLE23142/word/_rels/document.xml.rels
33.  
34. https://a.uchi{.} moe/zmxyor.doc
35.  
36. netwrk
37. --------------
38. n/a
39.  
40. comp
41. --------------
42. WINWORD.EXE 1728 104.27.173.56 443 ESTABLISHED
43.  
44. proc
45. --------------
46. n/a
47.  
48. persist
49. --------------
50. n/a
51.  
52. drop
53. --------------
54. n/a
55.  
56. # # #
57. https://www.virustotal.com/#/file/c80651ca9cd9d3a73371453684a6ee4bd46df23832c808668f7dd38fb87fa444/details
58. https://www.virustotal.com/#/url/52683581774bbd6da0e628ddf065524300bcd527c94efb0a33709c3aaf8fcc35/details
59.  
60. VR