Apple Malspam Campaign Delivering Malicious Document - 2017-07-12

Timestamps (between):
2018-07-12T18:08:09
2018-07-12T14:34:05

'From' address:
“Apple Inc” <apple@idealofficeinc[.]com>
“Apple” <apple@idealofficeinc[.]com>

Subject lines:
Apple Alert About Your Recent Order
Apple Notification Regarding Your Recent Order
Apple Notification Regarding Your Recent Purchase
Apple Alert Regarding Your Recent Order
Apple Notice About Your Recent Order

Body (lure text reproduced verbatim, including its errors):
Recent Order
Your Apple ID was used to purchase from Apple Store on a laptop or computer that hadn’t previously been associated with your ID. You may also be receiving this email if you reset your security password since your previous purchase. If you made this purchase, you can disregard this e-mail. It was only sent notify to you if you didn’t make the purchase.
See Bill
In case you didn’t make this purchase, we highly recommend that you go to to modify your password, then see Apple ID: Security and your Apple ID for additional assistance
Best regards,
Apple
Apple ID Summary Terms of Sale Privacy Copyright 2018 Apple Inc.,

Sender IP and GEO (IP, ASN, organization, country):
162.222.233.38, 27027, AirLink Internet Services, US
64.16.190.213, 7029, Windstream Communications Inc, US
38.106.98.31, 174, Cogent Communications, US
104.159.200.10, 20115, Charter Communications, US
50.249.245.46, 7922, Comcast Cable Communications, LLC, US

X-Mailer headers:
Apple Mail (2.2098)
iPhone Mail (8C148)
iPhone Mail (12A366)
iPhone Mail (13E238)
Apple Mail (2.936)

HELO:
idealofficeinc[.]com

Domains:
hxxp://dryerventwizarduniversity[.]info
hxxp://dryerventwizarduniversity[.]net
hxxp://wizardschedule[.]com
hxxp://dryerventwizard[.]net
hxxp://joindvw[.]com
hxxp://thedryerventwizard[.]com
hxxp://dryerventwizarduniversity[.]org
hxxp://mywizardschedule[.]com
hxxp://dryerventwizarduniversity[.]co
hxxp://thedryerventwizard[.]net
hxxp://dryerventwizard[.]org
hxxp://getlintout[.]co
hxxp://thedryerventwizard[.]co
hxxp://dryerventwizarduniversity[.]mobi

Hosting resolution (date, IP, ASN, organization, URL, country):
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://dryerventwizarduniversity[.]info/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://dryerventwizarduniversity[.]net/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://wizardschedule[.]com/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://dryerventwizard[.]net/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://joindvw[.]com/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://thedryerventwizard[.]com/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://dryerventwizarduniversity[.]org/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://mywizardschedule[.]com/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://dryerventwizarduniversity[.]co/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://thedryerventwizard[.]net/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://dryerventwizard[.]org/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://getlintout[.]co/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://thedryerventwizard[.]co/, United States
20180712, 35.234.82.29, AS15169, Google LLC, hxxp://dryerventwizarduniversity[.]mobi/, United States

Attachment name: invoice_286882.doc
MD5: 2d75b2492f7572b06f3632d58f9e2281
SHA1: 1cbb3044dd522f9dd7415e09bafc5c634f62d276
SHA256: 264746348d59b1cfc6c68e5ef741a374c9deaa6f1e02e138aa588f36631b4c0e
File type: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: , Author: Admin, Template: Normal.dotm, Last Saved By: win7home, Revision Number: 239, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:38:00, Create Time/Date: Tue Mar 20 11:47:00 2018, Last Saved Time/Date: Wed Jul 11 12:11:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 20, Security: 0
File size: 185500 bytes

https://www.virustotal.com/#/file/0b1a825305ee63f51e5a12250689af366ea095dcbc823230c8e306a92dbdbc66/relations

D: 46.254.18.55 POST - thetsaguco[.]com/d2/about.php (Pony checkin)
D: 46.254.18.55 POST - thetsaguco[.]com/mlu/forum.php (Pony checkin)
D: 192.240.163.10 GET - caymanstructuralgroup[.]ky/wp-content/plugins/sitewit/3
D: 192.240.163.10 GET - caymanstructuralgroup[.]ky/wp-content/plugins/sitewit/2
D: 192.240.163.10 GET - caymanstructuralgroup[.]ky/wp-content/plugins/sitewit/1
D: 46.254.18.55 POST - thetsaguco[.]com/4/forum.php

https://www.virustotal.com/#/ip-address/192.240.163.10
https://www.virustotal.com/#/ip-address/46.254.18.55