2017-06-14 - TRICKBOT MALSPAM - PDF ATTACHMENTS WITH EMBEDDED .XLSM FILES

ASSOCIATED FILES:


SOME BLOG POSTS AND TWEETS ABOUT TODAY'S #TRICKBOT MALSPAM:


OTHER NOTES:


EMAILS


Shown above:  An example of the emails.


8 EXAMPLES FROM THE FIRST WAVE:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (PDF) -- EMBEDDED .XLSM FILE


4 EXAMPLES FROM THE NEXT WAVE:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (ZIP) -- EXTRACTED .EXE FILE


MALWARE


Shown above:  An example of the PDF files attached to the malspam.



Shown above:  An example of the embedded Excel spreadsheets seen when opening the PDF files.


SHA256 HASHES FOR THE PDF ATTACHMENTS:


SHA256 HASHES FOR THE EXTRACTED .XLSM FILES:


MALWARE RETRIEVED FROM INFECTED HOST:


TRAFFIC

URLS FROM THE EXCEL MACROS FILES TO DOWNLOAD TRICKBOT:


TRICKBOT POST-INFECTION TRAFFIC:



Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  Certificate data from traffic to 186.103.161.204 port 443.



Shown above:  Certificate data from traffic to 195.69.196.77 port 447.


IMAGES


Shown above:  Malware copies itself and does a ROT1 on the filename (minus the .exe file extension).
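Added example (not part of the original post): a small hunting helper that models the filename behaviour described above, so a defender can flag .exe pairs in a directory listing where one stem is the ROT1 of the other. It assumes ROT1 means each ASCII letter is advanced by one position (wrapping z to a, case preserved) and that non-letter characters are left unchanged; the sample listing is constructed, not taken from the infected host.

```python
import os
import string

# Assumption: ROT1 shifts ASCII letters by one position, wrapping z->a and
# Z->A, keeping case; digits, dashes and other characters are left as-is.
_LOWER = string.ascii_lowercase
_UPPER = string.ascii_uppercase
_ROT1 = str.maketrans(
    _LOWER + _UPPER,
    _LOWER[1:] + _LOWER[:1] + _UPPER[1:] + _UPPER[:1],
)


def rot1_filename(filename: str) -> str:
    """Return the name the copy would get: ROT1 on the stem, extension kept."""
    stem, ext = os.path.splitext(filename)
    return stem.translate(_ROT1) + ext


def find_rot1_copies(filenames):
    """Hunting heuristic: return (original, copy) pairs of .exe files in one
    listing where the copy's stem is exactly the ROT1 of the original's stem."""
    exes = {name for name in filenames if name.lower().endswith(".exe")}
    pairs = []
    for name in sorted(exes):
        candidate = rot1_filename(name)
        # A stem with no letters maps to itself; skip that degenerate case.
        if candidate != name and candidate in exes:
            pairs.append((name, candidate))
    return pairs


# Constructed directory listing for the demo (hypothetical names, not IoCs).
SAMPLE_LISTING = [
    "report.exe", "sfqpsu.exe", "notes.txt", "invoice.pdf",
    "calc.exe", "dbmd.exe", "zzz.exe", "aaa.exe",
]

if __name__ == "__main__":
    for original, copy in find_rot1_copies(SAMPLE_LISTING):
        print(f"{original} -> {copy}")
```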


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
