HelloFax Malspam Delivering Hancitor - 2018-07-09

NOTE: The domains now resolve to 85.119.150.89, but while the payloads were available they resolved to 95.213.237.64 (see https://www.virustotal.com/ui-public/index.html#/ip-address/95.213.237.64). See also DHL Malspam Campaign Delivering Malicious Doc - 2018-07-05, which likewise changed IPs later in the day.

Timestamps (between):
2018-07-09T14:54:50
2018-07-09T20:10:10

'From' address:
"HelloFax" <hellofax@abramscpa[.]com>
"HelloFax Inc." <hellofax@abramscpa[.]com>

Subject lines:
Welcome to HelloFax, Here is Your Fax
HelloFax, Someone Sent You a Fax
HelloFax, Here is Your Fax
Welcome to HelloFax, Someone Sent You a Fax

Sender IP and GEO:

X-Mailer headers:
iPad Mail (11D257)
iPhone Mail (13E238)
iPad Mail (13B143)
iPad Mail (11D169b)
iPhone Mail (12H143)
iPad Mail (10B329)
Apple Mail (2.1084)
iPhone Mail (12A366)
iPad Mail (13C75)
Apple Mail (2.2098)
iPad Mail (13E237)
Apple Mail (2.1283)
Apple Mail (2.3112)

HELO:
abramscpa[.]com

Download domains:

Host Details:

Downloaded doc:
Name: invoice_263551.doc
MD5: 2ac5ec90abd9dd7dd8212f2e68ea5466
SHA1: c1ea2de0c6ef8fb79640a375c6e56048eb059130
SHA256: 64947da526e2042eb55666f4ef969f7b3d6e7cf07c37e212031800575568862c
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: , Author: Admin, Template: Normal.dotm, Last Saved By: win7home, Revision Number: 210, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:44:00, Create Time/Date: Wed Mar 21 11:47:00 2018, Last Saved Time/Date: Thu Jul 5 15:38:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 20, Security: 0
File size: 230400 bytes

https://www.hybrid-analysis.com/sample/64947da526e2042eb55666f4ef969f7b3d6e7cf07c37e212031800575568862c/5b3eb8b37ca3e16bd9770544
https://www.virustotal.com/#/file/64947da526e2042eb55666f4ef969f7b3d6e7cf07c37e212031800575568862c/detection