Size Matters for Many Security Controls (Sat, Oct 28th)

This week, I’m teaching FOR610 in Manchester, and while my students are busy resolving some challenges, I’m looking at my hunting results from the previous days. I found an interesting sample. The file was delivered via an email with a URL pointing to a well-known file-sharing service: hxxps://www[.]Mediafire[.]com/file/o3m15ydxnhlm9w0/New+Purchase+Order+pdf.tgz/file. The file is not available anymore, but I was able to find it again on VirusTotal: “New Purchase Order pdf.tgz” (SHA256: 7f351b32e6209496ef59c511dffaf9312508b53e476b1e77171af3d433b94087[1]) with a low score of 3/54.

Article Link: https://isc.sans.edu/diary/rss/30352