DHL Malspam Campaign Delivering Malicious Doc - 2018-07-05

Cedalec · July 6, 2018, 1:19am

Timestamps(between):
2018-07-05T18:48:53
2018-07-05T17:06:41

’From’ address:
DHL Express. <dhl@sandbmachine[.]com>
DHL Inc… <dhl@sandbmachine[.]com>

Subject lines
You have a package on it’s way
You have a package on it’s way to you from DHL
You have a shipment on it’s way from DHL
You have a package on it’s way from DHL
You have a package coming to you

Sender IP and GEO:
173.165.129.137 7922 Comcast Cable Communications LLC US
66.32.38.41 6983 Earthlink Inc. US
64.237.31.210 30036 Mediacom Communications Corp US
70.89.79.149 7922 Comcast Cable Communications LLC US
94.77.238.131 47794 Etihad Atheeb Telecom Company SA

Headers x-mailer:
Apple Mail (2.1508)
Apple Mail (2.1878.6)
iPhone Mail (12A405)
iPhone Mail (13F68)

Helo:
sandbmachine[.]com

Download domains
hxxp://acmbibletruth[.]org
hxxp://beyondschoolbells[.]com
hxxp://getthelintout[.]ca
hxxp://dryerventwizardsuck[.]com
hxxp://preventionstore[.]org
hxxp://dryerventwizardsuck[.]co
hxxp://nebraskaassociationofinfantmentalhealth[.]org
hxxp://dryerventwizardsucks[.]info
hxxp://bigboxdollarstores[.]com
hxxp://dvwtechtraining[.]net
hxxp://getthelintout[.]co
hxxp://dryerventwizardsuck[.]info
hxxp://dryclothessafehomes[.]com
hxxp://bigboxdollar[.]com
hxxp://dollarandmorestores[.]com
hxxp://ownapartystore[.]com
hxxp://libertydollarstores[.]com
hxxp://suezventures[.]com
hxxp://alexzeiler[.]com
hxxp://vetoppsus[.]com
hxxp://dryerventwizardsucks[.]ca

Host details:
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://acmbibletruth[.]org, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://beyondschoolbells[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://getthelintout[.]ca, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dryerventwizardsuck[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://preventionstore[.]org, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dryerventwizardsuck[.]co, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://nebraskaassociationofinfantmentalhealth[.]org, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dryerventwizardsucks[.]info, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://bigboxdollarstores[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dvwtechtraining[.]net, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://getthelintout[.]co, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dryerventwizardsuck[.]info, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dryclothessafehomes[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://bigboxdollar[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dollarandmorestores[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://ownapartystore[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://libertydollarstores[.]com, Russia
20180705, 184.168.221.55, AS26496, GoDaddy.com, LLC, hxxp://suezventures[.]com, United States
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://alexzeiler[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://vetoppsus[.]com, Russia
20180705, 95.213.236.80, AS49505, OOO Network of data-centers Selectel, hxxp://dryerventwizardsucks[.]ca, Russia

Note: When the files were downloaded it appears they were coming from 5.188.41.114 as observed here https://www.virustotal.com/#/ip-address/5.188.41.114 and https://www.virustotal.com/ui-public/index.html#/domain/suezventures.com. https://community.riskiq.com/search/suezventures.com is now pointing to 184.168.221.61 at GoDaddy.

https://community.riskiq.com/search/95.213.236.80
https://www.virustotal.com/#/ip-address/95.213.236.80
https://www.virustotal.com/ui-public/index.html#/ip-address/184.168.221.61

Downloaded doc:
Name: invoice_263551.doc
MD5: 2ac5ec90abd9dd7dd8212f2e68ea5466
SHA1: c1ea2de0c6ef8fb79640a375c6e56048eb059130
SHA256: 64947da526e2042eb55666f4ef969f7b3d6e7cf07c37e212031800575568862c
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: , Author: Admin, Template: Normal.dotm, Last Saved By: win7home, Revision Number: 210, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:44:00, Create Time/Date: Wed Mar 21 11:47:00 2018, Last Saved Time/Date: Thu Jul 5 15:38:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 20, Security: 0
File size: 230400

https://www.hybrid-analysis.com/sample/64947da526e2042eb55666f4ef969f7b3d6e7cf07c37e212031800575568862c/5b3eb8b37ca3e16bd9770544
https://www.virustotal.com/#/file/64947da526e2042eb55666f4ef969f7b3d6e7cf07c37e212031800575568862c/detection