2018-09-28 - MORE MALSPAM WITH PASSWORD-PROTECTED WORD DOCS PUSHING NYMAIM

ASSOCIATED FILES:

NOTES:


EMAILS

SENDING MAIL SERVER INFO FROM THIS MALSPAM:

VARIOUS SENDERS FROM EACH OF THE ABOVE DOMAINS START WITH:


EMAIL HEADERS

EMAIL HEADERS IN TODAY'S EXAMPLE:


Shown above:  Screenshot from today's example.


Received: from [46.161.42.31] ([46.161.42.31:51291] helo=1roll.org)
        by
[removed] (envelope-from <support@1roll.org>) [removed];
        Thu, 27 Sep 2018 16:14:04 -0400
From: =?utf-8?B?TWlrZSBCcm9tYW4gwqA=?= <support@1roll.org>
To:
[removed]
Subject: Application
Thread-Topic: Application
Date: Thu, 27 Sep 2018 19:42:18 +0000
Message-ID: <2gew194jz9seuvipzp6ajpvm.1962140182032@1roll.org>
Content-Language: en-US
Content-Type: multipart/mixed;
        boundary="------------703162491244836653324287"
MIME-Version: 1.0
Errors-To: >bouncechecker@yahoo.com>
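The headers above carry the fields a responder pulls out first: the connecting IP and HELO name from the Received line, the envelope sender, the RFC 2047 base64-encoded display name in From, and a malformed Errors-To value. The following Python is an added example, not code from the original page: it parses the header block as copied here, tolerating the author's unindented "[removed]" redaction lines as continuation lines, and returns those fields plus a few consistency checks (From domain versus HELO, Errors-To domain versus From, and the gap between the Date header and the receiving server's timestamp). The field names in the returned dictionary are this example's own choice.

```python
"""Extract sender indicators and simple consistency checks from the
malspam headers shown on this page (Python 3 standard library only)."""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr, parsedate_to_datetime

# Header block as shown on the page; recipient fields were redacted by the author.
SAMPLE_HEADERS = """\
Received: from [46.161.42.31] ([46.161.42.31:51291] helo=1roll.org)
        by
[removed] (envelope-from <support@1roll.org>) [removed];
        Thu, 27 Sep 2018 16:14:04 -0400
From: =?utf-8?B?TWlrZSBCcm9tYW4gwqA=?= <support@1roll.org>
To:
[removed]
Subject: Application
Thread-Topic: Application
Date: Thu, 27 Sep 2018 19:42:18 +0000
Message-ID: <2gew194jz9seuvipzp6ajpvm.1962140182032@1roll.org>
Content-Language: en-US
Content-Type: multipart/mixed;
        boundary="------------703162491244836653324287"
MIME-Version: 1.0
Errors-To: >bouncechecker@yahoo.com>
"""

HEADER_START = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
ADDR = re.compile(r"[^<>\s@]+@([^<>\s@]+)")


def unfold_headers(raw):
    """Return (name, value) pairs. Any line that does not start a new
    'Name: value' header is folded into the previous header, which also
    absorbs the redaction lines that a strict RFC 5322 parser would reject."""
    headers = []
    for line in raw.splitlines():
        m = HEADER_START.match(line)
        if m:
            headers.append([m.group(1), m.group(2)])
        elif headers:
            headers[-1][1] = (headers[-1][1] + " " + line.strip()).strip()
    return [(name, value) for name, value in headers]


def first(headers, name):
    """First value of a header, case-insensitively; empty string if absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return ""


def analyze(raw):
    """Pull the sender indicators from the Received/From lines and flag
    the inconsistencies a triage analyst would note."""
    headers = unfold_headers(raw)
    received = first(headers, "Received")
    ip = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    helo = re.search(r"helo=([^\s)]+)", received)
    env = re.search(r"envelope-from <([^>]+)>", received)
    # The timestamp follows the last ';' of the Received header.
    received_at = parsedate_to_datetime(received.rsplit(";", 1)[-1].strip())

    display, from_addr = parseaddr(first(headers, "From"))
    # Decode the =?utf-8?B?...?= encoded word; it ends in a trailing
    # non-breaking space, which strip() removes along with the plain space.
    display = str(make_header(decode_header(display))).strip()

    errors_to = first(headers, "Errors-To")
    errors_to_ok = re.fullmatch(r"<?[^<>\s@]+@[^<>\s@]+>?", errors_to) is not None
    errors_to_domain = ADDR.search(errors_to)
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    helo_name = helo.group(1) if helo else None

    date_hdr = parsedate_to_datetime(first(headers, "Date"))
    return {
        "sending_ip": ip.group(1) if ip else None,
        "helo": helo_name,
        "envelope_from": env.group(1) if env else None,
        "from_display": display,
        "from_addr": from_addr,
        "from_domain_matches_helo": from_domain == helo_name,
        "errors_to": errors_to,
        "errors_to_well_formed": errors_to_ok,
        "errors_to_domain_matches_from": bool(errors_to_domain)
        and errors_to_domain.group(1) == from_domain,
        # Positive value: the server received the mail after the claimed Date.
        "date_to_received_seconds": int((received_at - date_hdr).total_seconds()),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value!r}")
```

Run it as a script to print the fields; the mismatch between the HELO/From domain and the Errors-To domain, together with the malformed Errors-To value, is the kind of detail worth recording alongside the IP when building a block or a mail-filter rule from a sample like this.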



Shown above:  To get infected, I had to enable macros after unlocking the Word document.


TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:


Shown above:  Infection traffic filtered in Wireshark.


FILE HASHES

ATTACHED WORD DOCUMENT:

INITIAL NYMAIM BINARY:

FOLLOW-UP NYMAIM MALWARE:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
