Malicious email .ics attachments

Recently I have received few random emails attached with calendar invites from random email and unknow email ids in CC. These arrived in my inbox insteas of spam. Though, later I moved them to spam.

Email Attachment:

File type: Calendar invite

File Extesion: .ICS

I have uploaded the ics attachment to Virus Total but no AV vedor detected it as malicious yet.

I have opened ics file in notepad and can see clearly there is URL direction to domain http: // ngsl7. bemobtrcks. com

When I opened the URL “http: // ngsl7. bemobtrcks. com” in browser, it redirects to “http :// receivepayment[.]fun” website and again redirect to “https: // bitcoinwallet. xyz” to “https: // paysitecash. paywest . net” website. Redirection of websites always changed and may land on different website each time I accessed the main URL.

Connections established to many domains including crypto sites and windows updates URL which looks fake.

Windows update http:// ctldl. windowsupdate. com URL drops cab file executed by run32dll.exe and run32dll.exe establish connection to three different IP address.

  • 93[.]184[.]221[.]240
  • 2[.]18[.]97[.]123
  • 2[.]16[.]164[.]49

Below screenshot one of the website it redirects.

When it opens up bitcoinwallet [.] receivepayment [.] xyz. It shows bad potential traffic.

There is bad malicious traffic mentioned by because its using Lets encrypt encryption for for suspicious domain.

These are confirmed phishing emails. Calendar invites may bypass traditional email filters, making it easier for phishing emails using this method to reach users’ inboxes and this is what happening.

Below are the network connections getting established opening .ics file to domains.

  • ngsl7[.]bemobtrcks [.]com
  • receivepayment [.] fun
  • ctldl [.] windowsupdate [.] com
  • bitcoinwallet [.] receivepayment [.] xyz


MD5: 264D98086A88D5A57E917EFBCFC36F87

MD5: 4187D230F6D850024E8B678B783F4464

MD5: F1C401645FAD5274AB7B86857E4CAF84


  • These are cyrpto related phishing emails.
  • If such emails (.ics attached) from unknow sender, better to ignore.


Article Link: Malicious email .ics attachments – Malware Analysis