Correspondence

Sender | Subject | Attachment Name | Attachment SHA256 (VirusTotal)
clemke[@]e-chuppah[.]com | RE: New Borrowers | AK.pdf | 9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32
aschaden[@]shopbarbay[.]com | FW: Check Image Request | NI.pdf | 93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc
wtremblay[@]aaofoo[.]com | RE: Cashing Third Party Checks | CT.pdf | 77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2
se[.]jursnaeb[@]adyasiddhi[.]com | RE: Hello– | TX.pdf | 3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045

This campaign came from several unrelated senders, each using a reply-style subject line ("RE:" or "FW:") typical of hijacked business correspondence. All attachment names were two capital letters followed by .pdf, resembling US state abbreviations.

File Analysis

TX.pdf was also uploaded to Hybrid Analysis for further inspection. The PDF itself carried no executable payload; it contained a link to download the next stage, a password-protected ZIP.

The ZIP delivers a second stage that retrieves a PowerShell script, which in turn iterates through a list of compromised domains to fetch the final payload. The sample I tested had only dead links and never reached the PowerShell download, but its behaviour up to that point matched the chain described in QBot banker delivered through business correspondence | Securelist.
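The lure PDFs in this campaign are pure link carriers, so first-pass triage is: hash the file, check it against the known attachment hashes above, and pull every /URI action out of it without opening it in a viewer. The script below is an added example, not code from the original post: it does exactly that, including scanning inside FlateDecode-compressed streams, where most PDF writers hide annotation objects and where a naive `strings`/grep pass finds nothing. The sample PDFs it builds are constructed in the script (a simplified layout, not a real ObjStm), and it embeds the campaign's first-stage URL purely as test data.

```python
"""Triage a PDF lure: hash it, match against known IOCs, extract /URI link targets."""
import hashlib
import re
import zlib

# SHA256 hashes of the four PDF attachments listed in the Correspondence table.
KNOWN_BAD_SHA256 = {
    "9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32",
    "93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc",
    "77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2",
    "3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045",
}

# /URI (literal string) with support for backslash-escaped characters inside it.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Raw stream bodies; compressed annotation dictionaries live inside these.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """True if the file's SHA256 is one of the campaign attachment hashes."""
    return sha256_hex(data) in KNOWN_BAD_SHA256


def _unescape_pdf_string(raw: bytes) -> str:
    # Minimal PDF literal-string unescaping: \( \) \\ -> ( ) \
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def _inflate(body: bytes):
    # decompressobj tolerates a stream whose trailing bytes were eaten by the
    # regex boundary; it returns what it can and raises only on non-zlib data.
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return None


def extract_uris(data: bytes) -> list:
    """Return /URI targets found in the raw file and inside Flate-compressed streams."""
    found = [_unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(data)]
    for s in STREAM_RE.finditer(data):
        inflated = _inflate(s.group(1))
        if inflated is None:
            continue  # uncompressed or non-Flate stream (image data, fonts, etc.)
        found.extend(_unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(inflated))
    seen = set()
    return [u for u in found if not (u in seen or seen.add(u))]  # de-dup, keep order


def defang(url: str) -> str:
    """Render a URL in the hxxp / [.] style used in the Indicators section."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def build_sample_pdf(link: str, compress: bool) -> bytes:
    """Constructed minimal PDF with one link annotation carrying a /URI action.

    With compress=True the action object is wrapped in a FlateDecode stream
    (simplified: a real writer would use a proper object stream with offsets)."""
    action = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + link.encode() + b") >> >>"
    if compress:
        body = zlib.compress(b"4 0 obj\n" + action + b"\nendobj\n")
        obj = (b"5 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode()
               + b" >>\nstream\n" + body + b"\nendstream\nendobj\n")
    else:
        obj = b"4 0 obj\n" + action + b"\nendobj\n"
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
            + obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def triage(data: bytes) -> dict:
    """One-shot summary a responder would paste into a ticket."""
    return {
        "sha256": sha256_hex(data),
        "known_bad": is_known_bad(data),
        "urls": [defang(u) for u in extract_uris(data)],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        sample = open(sys.argv[1], "rb").read()
    else:  # no file given: run on the constructed, compressed sample
        sample = build_sample_pdf("https://vcallc.us/ines/ines.php", compress=True)
    print(triage(sample))
```

Run it as `python triage_pdf.py TX.pdf` against a real attachment; the constructed sample only exercises the code path. Two caveats a practitioner should keep in mind: this parser handles literal-string URIs, not the hex-string form `/URI <...>`, and it does not follow `/Launch` or JavaScript actions, so treat an empty result as "no simple link found" rather than "clean". A hash miss likewise means only that the file is not one of these four; the campaign rotates attachments per sender.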

Indicators

SHA256

9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32

93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc

77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2

3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045

URLs
hxxps://vcallc[.]us/ines/ines[.]php (First Stage, ZIP Dropper)