Subj : another one phishing for a bite
To   : All
From : August Abolins
Date : Tue Mar 31 2020 10:02 pm

Received another suspicious email with a "Resumé" attachment just now.

No password version.

I renamed the file:

XXXXJohn Smith Resume.xls

Send it to VirusTotal.  Only ONE engine of many detected this thing.


TACHYON == Trojan/XF.Downloader.Gen


I looked inside the file and noticed a few clues in the clear (but I obscured a
few things here with #### so no one inadvertently clicks on a link):

C:\XTHbSJX\hQPDpQm\yNuMyDc.dl

http://march262020.####/files/bot.dll

URLDownloadToFileA

http://march262020.####/files/bot.dll

rundll32.exe,DllRegisterServer

http://march262020.####/files

CreateDirectory

ShellExecute

/bot.dll

Excel 4.0 Macros


Very telling!  Seems to me, that the simplest infection mechanism can still
find
an unsuspecting victim.

The domain reference above pointed to:

Source:  whois.apnic.net (APNIC serves the Asia Pacific region)
IP Address:  170.106.11.8

But it arrived via Germany:

X-EN-OrigIP: 194.25.134.80  <== via RIPE
Received: from fwd17.aul.t-online.de (fwd17.aul.t-online.de [172.20.27.64])
Received: from t-online.de ([64.145.94.242]) by fwd17.t-online.de

Sneaky buggers, eh?

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)