malware_traffic

2019-05-30 - PASSWORD-PROTECTED WORD DOCS FROM MALSPAM

May 30th, 2019
EXAMPLES OF PASSWORD-PROTECTED WORD DOCS FROM MALSPAM (PASSWORD: 123)

- 0cb1e2e6cd58b4c16a6274d7a8d27d6a70478db8b70b39cde60d99368156c3e4 - 37,888 bytes - Mike resume.doc
- 6eb2f94974553e4e22d9560ca98fb592c3e998a3b0f8b222903c366a8eeb72ba - 81,920 bytes - Lana resume.doc
- 87e41928583bd034e010dd2f8f33c4b0d386f351a115427351dc94febe4204a2 - 37,888 bytes - Dennis resume.doc

ANALYSIS OF 37,888 BYTE PASSWORD-PROTECTED WORD DOC:

- https://app.any.run/tasks/123d94ca-8111-4226-9d5b-9e3de8ed4211
- https://www.reverse.it/sample/6437bb4f87d60215cf070227d703ad0a089a565282c9a6ac3370b32b0215d13b
- https://cape.contextis.com/analysis/78046/
- NOTE: Word doc had password protection removed before submitting to these sandboxes

ANALYSIS OF 81,920 BYTE PASSWORD-PROTECTED WORD DOC:

- https://app.any.run/tasks/3501795f-8108-44db-ac69-4dc291571a25
- https://www.reverse.it/sample/60d5166aebf70bda86e0dd41b777be550ad364cd310cbad41780347b463b2689
- https://cape.contextis.com/analysis/78051/
- NOTE: Word doc had password protection removed before submitting to these sandboxes

URLS FOR FOLLOW-UP EXE (DRIDEX INSTALLER):

- hxxp://209.141.46.175/1.exe (caused by macro from 37,888 byte password-protected Word doc)
- hxxp://209.141.46.175/5.exe (caused by macro from 81,920 byte password-protected Word doc)

SHA256 FILE HASHES FOR FOLLOW-UP EXE (DRIDEX INSTALLER):

- dcef8ecf6e93d1095cbf2624980edd1aa662c7986256947e79016ea284ce961d - 266,240 bytes - 1.exe
- dcef8ecf6e93d1095cbf2624980edd1aa662c7986256947e79016ea284ce961d - 266,240 bytes - 5.exe