Correspondence
| Sender | Subject | Attachment Name | Attachment Hash (with VirusTotal link) |
| --- | --- | --- | --- |
| clemke[@]e-chuppah[.]com | RE: New Borrowers | AK.pdf | 9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32 |
| aschaden[@]shopbarbay[.]com | FW: Check Image Request | NI.pdf | 93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc |
| wtremblay[@]aaofoo[.]com | RE: Cashing Third Party Checks | CT.pdf | 77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2 |
| se[.]jursnaeb[@]adyasiddhi[.]com | RE: Hello– | TX.pdf | 3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045 |
This particular campaign came from various senders. All attachment names followed a two-letter US state abbreviation format (e.g. AK.pdf, TX.pdf).
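As an added detection example (not part of the original post), the following Python flags mail-gateway log entries that fit the correspondence pattern described above: a PDF named with a two-letter US state abbreviation, a thread-style RE:/FW: subject, or an attachment hash from the table. The tab-separated log format and the sample entries are constructed for this example; the hashes are the ones listed in the table.

```python
import re

# SHA256 hashes of the campaign attachments from the table above
CAMPAIGN_HASHES = {
    "9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32",
    "93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc",
    "77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2",
    "3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045",
}
# Two-letter US state abbreviations, the attachment-naming pattern seen in this campaign
US_STATES = set(
    "AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS MO "
    "MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI WY".split()
)
STATE_PDF = re.compile(r"^([A-Z]{2})\.pdf$", re.IGNORECASE)
REPLY_PREFIX = re.compile(r"^(RE|FW|FWD):", re.IGNORECASE)

def score_entry(sender, subject, attachment, sha256):
    """Return the list of campaign heuristics that a single log entry matches."""
    reasons = []
    m = STATE_PDF.match(attachment)
    if m and m.group(1).upper() in US_STATES:
        reasons.append("state-abbreviation pdf name")
    if REPLY_PREFIX.match(subject.strip()):
        reasons.append("reply/forward subject")
    if sha256.lower() in CAMPAIGN_HASHES:
        reasons.append("known campaign hash")
    return reasons

def scan_log(lines):
    """Parse tab-separated lines (sender, subject, attachment, sha256); return {attachment: reasons} for a known hash or two heuristics."""
    hits = {}
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        sender, subject, attachment, sha256 = fields
        reasons = score_entry(sender, subject, attachment, sha256)
        if "known campaign hash" in reasons or len(reasons) >= 2:
            hits[attachment] = reasons
    return hits

# Constructed sample log lines (tab-separated), not real telemetry
SAMPLE_LOG = [
    "sender1@example.net\tRE: New Borrowers\tAK.pdf\t9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32",
    "alice@example.com\tInvoice\tinvoice.pdf\t" + "0" * 64,
    "bob@example.com\tFW: Quarterly numbers\tNY.pdf\t" + "1" * 64,
]
```

A hash match alone is a confident hit; the two name/subject heuristics are weak on their own and only fire together, so tune the threshold to your own mail volume.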
File Analysis
TX.pdf was also uploaded to Hybrid Analysis for further inspection. The PDF contained a link to download the next stage, an encrypted ZIP.
The second stage downloads a PowerShell script, which then attempts to enumerate a list of compromised domains in order to continue. The sample that I tested had all dead links and did not proceed to the PowerShell script download; however, it matched the behavior described in QBot banker delivered through business correspondence | Securelist.
Indicators
URLs
hxxps://vcallc[.]us/ines/ines[.]php (First Stage, ZIP Dropper)