2017-06-01: #jaff email phishing campaign "xxxxxxxx.pdf"

Email:
------------------------------------------------------------------------------------------------------------
From: "Sonia" [REDACTED]
To: [REDACTED]
Subject: 53612695.pdf
Date: Fri, 02 Jun 2017 00:02:09 +0200
Attachment: "53612695.pdf"
------------------------------------------------------------------------------------------------------------

- sender is @
- subject is "<8 random numbers>.pdf"
- body of the email is empty
- attached file "<8 random numbers>.pdf" contains an embedded <5-8 random uppercase chars and numbers>.doc file, which contains VBA macros that download the malware

Download sites:
http://benefeet.org/7rvmnb
http://dsopro.com/7rvmnb
http://eselink.com.my/7rvmnb
http://e-snhv.com/7rvmnb
http://fabriquekorea.com/7rvmnb
http://katoconsulting.ro/7rvmnb
http://newserniggrofg.net/af/7rvmnb
http://orhangazitur.com/7rvmnb
http://paradigmenergycorp.com/7rvmnb
http://poltec.com.au/7rvmnb
http://praktikum-marketing.de/7rvmnb
http://pw-shop.com/7rvmnb
http://resevesssetornument.com/af/7rvmnb
http://tasfirin-ustasi.net/7rvmnb
http://theexcelconsultant.com/7rvmnb
http://vigs.mx/7rvmnb

Malware:
- encoded on download, SHA256 98f0f68feb0495de61add43c717ccb462fbe46bc977bb295c688bd4511272b55, MD5 e364235c573d3b60a5f56a124b325da0
- filesize 251904 bytes
- decode by XORing with 8gLWwOAHEuM6crpxvott0S3wqRCtPVsh
- decoded SHA256 98f0f68feb0495de61add43c717ccb462fbe46bc977bb295c688bd4511272b55, MD5 04a20327fc3a5d98c41e0096452bf9e6
- samples
  https://www.virustotal.com/en/file/824901dd0b1660f00c3406cb888118c8a10f66e3258b5020f7ea289434618b13/analysis/
  https://www.reverse.it/sample/824901dd0b1660f00c3406cb888118c8a10f66e3258b5020f7ea289434618b13?environmentId=100

C2:
http://whoisfoxxrobiouy.net/a5/
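As an added triage helper (example code, not part of the original note or any tool of the campaign's author), this applies what the note states: the "<8 random numbers>.pdf" subject pattern, and decoding of the downloaded blob by XORing it with the quoted repeating key, followed by hashing and an 'MZ' header check on the result. The sample bytes below are constructed for the demonstration and are not the real payload.

```python
import hashlib
import re

# Key quoted in the note above; the download is XORed byte-for-byte with it, repeated.
XOR_KEY = b"8gLWwOAHEuM6crpxvott0S3wqRCtPVsh"

# Subject pattern seen in this campaign: exactly eight digits followed by ".pdf".
SUBJECT_RE = re.compile(r"^\d{8}\.pdf$")


def matches_campaign_subject(subject: str) -> bool:
    """True when a mail subject follows the "<8 random numbers>.pdf" pattern."""
    return SUBJECT_RE.fullmatch(subject.strip()) is not None


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Decode a downloaded blob by XORing it with the repeating key (symmetric: also encodes)."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def hashes(data: bytes) -> dict:
    """SHA256 and MD5 hex digests, for comparison against the IoCs in the note."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decoded blob: a Windows executable starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


# Constructed stand-in for the real download: a fake PE-style header, encoded the same way.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("subject matches:", matches_campaign_subject("53612695.pdf"))
    decoded = xor_decode(SAMPLE_ENCODED)
    print("encoded:", hashes(SAMPLE_ENCODED), "MZ header:", looks_like_pe(SAMPLE_ENCODED))
    print("decoded:", hashes(decoded), "MZ header:", looks_like_pe(decoded))
```

For a real sample, read the file bytes, decode with xor_decode, and compare the digests returned by hashes against the values listed under "Malware:".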