2017-03-10 MALSPAM, SUBJ: URGENTE - INFORME DE RENDIMENTOS DE 2016 - CORRIGIDO

ASSOCIATED FILES:

NOTES:

 

EMAILS


Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

 

ORIGINAL MESSAGE IN PORTUGUESE:

From: Informe De Rendimentos
Subject: URGENTE - Informe de Rendimentos de 2016 - CORRIGIDO

Prezado(a) [recipient],

Encaminhamos o Informe de Rendimento, ano base 2016 corrigido.

É importante que confirme os dados do seu Informe e nos encaminhe eventuais dúvidas.

Pedimos desculpas pelo transtorno causado.

Clique aqui para iniciar o download do documento

 

TRANSLATED BY GOOGLE:

From: Income Report
Subject: URGENT - 2016 Earnings Report - CORRECTED

Dear [recipient],

We have sent the Income Report, base year 2016 corrected.

It is important that you confirm the data in your Report and address any doubts.

We apologize for the inconvenience.

Click here to start the download of the document

 

TRAFFIC


Shown above:  Start of injected script in a page from the compromised website.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

DOWNLOADED .JS FILE:

 

DOMAIN INFORMATION

DOMAINS FROM THIS CURRENT WAVE OF MALSPAM:

NOTE:  All the above domains were registered by Cerise Charbonneau (email POC: cerisecharbonneau@protonmail.com) on 2017-03-04 through publicdomainregistry.com.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
