Reader Vinnie submitted a malicious document together with his analysis of it. Great job! Here is his analysis (we're publishing some parts as pictures, to avoid triggering anti-virus when you view this diary entry):
Host performing SQL injection scanning also hosting Emotet Maldoc.

Junos Attack log: <35.190.186[.]53/56354->X.X.X.X/80> HTTP-SQL-INJ

Host 35.190.186[.]53 GEO DATA: 53.186.190[.]35.bc.googleusercontent.com, Google Provider, Virginia US

VirusTotal: hxxp://35.190.186[.]53/De/SKTAPCYQTR6199495/Scan/Rechnungsanschrift
https://www.virustotal.com/#/file/15ea29d0e483c01df72c126e1a0b599f94bdc29dfb38a77306633c45d1851325/detection

File name: 190220-Pay_receipt-747585655.doc

Similar files hosted on sites:

String 'shell' & Base64 encoded command in VBA compressed macro found in stream 8. Shown with yara rule below.

python ~/Documents/oledump.py -y#s#'shell' ~/Downloads/190220-Pay_receipt-747585655.doc.vir
1: 114 '\x01CompObj'

Variables defined in Function from stream 8: -

-URL's-

Interesting Strings:

Post Infection Traffic from EXE found at hxxp://51.15.113[.]220/2sT3beRO4:
Didier Stevens, ISC Handler, Feb 27th 2019