Ya done messed up, A-A-Ron!

So, after a long day of ripping apart fraudulent emails and maldocs and all sorts of goodies, I checked my personal email, only to find this:

Screen Shot 2018-02-12 at 5.46.52 PM

Simmee@pppstaffing[.]com is sending me an invoice, huh? And it’s hosted on a link that has nothing to do with pppstaffing[.]com; seems legit, I know, but I’m paranoid, so I’m going to “trust, but verify.”

So, Viper does a whole lot things, but among those things is email analysis. It does this pretty well. In this case, it looks like my invoice was actually sent by sumit[.]kumar@braintreeus[.]com; Sad, I know. I really wanted to trust this guy. I was ready to break out my checkbook!

Well, now I’m mad. As the title says: Ya done messed up, A-A-Ron!

Alright then…next step…click the link! Well…unfortunately, it’s already been taken down, but there is still hope!

Screen Shot 2018-02-12 at 5.49.03 PM

So…the files are on VirusTotal…low detection rate, and just appeared today. Hmm…well, thanks to the magic of VirusTotal Intelligence, I can download them. So…I did.

Screen Shot 2018-02-12 at 6.03.32 PM

So, both documents are CDFv2 (Structured Storage) files. Cool.

Screen Shot 2018-02-12 at 6.05.33 PM

Unfortunately, it looks like the URLs have been obfuscated. Now…yes, I could deobfuscate this. Given enough time, most anyone can…and also, screw that. I’ll always push the button and see what happens, if it’s an option. In this case, even that didn’t need to happen, though, as both files have already been bahaviorally analyzed by Hybrid Analysis. All I have to do is read on

Screen Shot 2018-02-12 at 6.09.51 PM

Oh, look…there’s the downloaded executable. My wife tells me this post has gone on too long, and that if I want to analyze the executable, I should do that in another post…so I will, but not right now.

In closing this post, allow me to leave you with a short blocklist:

  • *@pppstaffing.com
  • *@braintreeus.com
  • Pretty much anything that claims to be/have/link to/otherwise references an invoice, ACH, or wire transfer.

Article Link: https://biebermalware.wordpress.com/2018/02/12/ya-done-messed-up-a-a-ron/