Subj : another one phishing for a bite
To : All
From : August Abolins
Date : Tue Mar 31 2020 10:02 pm
Received another suspicious email with a "Resumé" attachment just now.
No password version.
I renamed the file:
XXXXJohn Smith Resume.xls
Sent it to VirusTotal. Only ONE engine of many detected this thing.
TACHYON == Trojan/XF.Downloader.Gen
I looked inside the file and noticed a few clues in the clear (but I obscured a
few things here with #### so no one inadvertently clicks on a link):
C:\XTHbSJX\hQPDpQm\yNuMyDc.dl
http://march262020.####/files/bot.dll
URLDownloadToFileA
http://march262020.####/files/bot.dll
rundll32.exe,DllRegisterServer
http://march262020.####/files
CreateDirectory
ShellExecute
/bot.dll
Excel 4.0 Macros
Very telling! Seems to me that the simplest infection mechanism can still find
an unsuspecting victim.
The domain reference above pointed to:
Source: whois.apnic.net (APNIC serves the Asia Pacific region)
IP Address: 170.106.11.8
But it arrived via Germany:
X-EN-OrigIP: 194.25.134.80 <== via RIPE
Received: from fwd17.aul.t-online.de (fwd17.aul.t-online.de [172.20.27.64])
Received: from t-online.de ([64.145.94.242]) by fwd17.t-online.de
Sneaky buggers, eh?
--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
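An added example, not part of August's post: a small Python triage scan that looks for the same cleartext strings he listed (URLDownloadToFileA, rundll32 with DllRegisterServer, the Excel 4.0 Macros marker) and defangs any URL it finds so a report cannot be clicked by accident. The sample bytes and the attacker.invalid domain are constructed placeholders, and the scoring rules are my own rather than a vendor signature.

```python
import re

# Cleartext strings the post found in the sample: an Excel 4.0 (XLM) macro that
# downloads a DLL and runs it via rundll32. These regexes are constructed for this
# example and only catch samples that leave the strings unobfuscated.
INDICATORS = {
    "xlm_macro": rb"Excel 4\.0 Macros",
    "download":  rb"URLDownloadToFileA",
    "exec_dll":  rb"rundll32\.exe,DllRegisterServer",
    "shell":     rb"ShellExecute",
    "mkdir":     rb"CreateDirectory",
}
# Stop at whitespace, NUL (common in binary files) and quote-like delimiters.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\x00\"'<>]*)?")

def defang(url: str) -> str:
    """Make a URL unclickable for a report: hxxp:// and [.] in place of dots."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def scan_bytes(data: bytes) -> dict:
    """Return a verdict, per-indicator hits and defanged URLs for a file's bytes."""
    hits = {name: re.search(pat, data) is not None for name, pat in INDICATORS.items()}
    urls = []
    for m in URL_RE.finditer(data):
        u = defang(m.group().decode("latin-1"))
        if u not in urls:
            urls.append(u)
    # Fetch-then-execute is the downloader chain; the XLM marker raises confidence.
    chain = hits["download"] and (hits["exec_dll"] or hits["shell"])
    if chain and hits["xlm_macro"]:
        verdict = "likely XLM downloader"
    elif chain or (urls and hits["xlm_macro"]):
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "hits": hits, "urls": urls}

def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_bytes(f.read())

# Constructed stand-in for the post's sample; attacker.invalid is a placeholder domain.
SAMPLE = (b"\x00\x00C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dl\x00"
          b"http://attacker.invalid/files/bot.dll\x00URLDownloadToFileA\x00"
          b"rundll32.exe,DllRegisterServer\x00CreateDirectory\x00ShellExecute\x00"
          b"Excel 4.0 Macros\x00")

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))
```

Run it against a saved attachment with `scan_file(path)`; a "likely XLM downloader" verdict is a reason to detonate in a sandbox, not proof on its own, since real samples often hide these strings.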