Monday, April 24, 2017

Scan Data (VIRUS)

Number of images: 1
Attachment File Type: PDF

Description *

File analysis :

OPEN : Scan_*.pdf
SHA256 : d1efbca78f8847005a369ec24155723ccd257e58cd282429cc04f76f898743b7
RESULT : FILE IS A VIRUS

Virus analysis :

Antiy-AVL : Trojan[Downloader]/MSWord.Agent.bgy
Baidu : Multi.Threats.InArchive
CAT-QuickHeal : O97M.Downloader.AJI
ClamAV : Doc.Dropper.Dridex-6260340-0
Fortinet : WM/TrojanDownloader.7A51!tr
McAfee : W97M/Downloader.brv
McAfee-GW-Edition : BehavesLike.PDF.Trojan.qb
NANO-Antivirus : Trojan.Ole2.Vbs-heuristic.druvzi
Qihoo-360 : virus.office.obfuscated.1
Rising : Heur.Macro.Downloader.d (cloud:UJEmOxwGVqO)
TrendMicro : HEUR_VBA.O2
ZoneAlarm by Check Point : HEUR:Trojan-Downloader.Script.Generic

NOTE : Despite the .pdf name, nearly every engine classifies the attachment as an Office VBA macro downloader (ClamAV names Dridex); only McAfee-GW-Edition reports it by its PDF behaviour. The verdicts describe Office macro content, so the file has to be handled as a macro document, not as a plain PDF.

Email analysis :

NOTE : Received : from static.vnpt.vn (unknown [14.164.139.179])
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
NOTE : Received : from gra-PC (unknown [114.31.8.46])
NOTE : The lowest Received header is the earliest hop, so gra-PC (114.31.8.46) is the originating client and static.vnpt.vn (14.164.139.179) is the relay that accepted it; the Thunderbird 7.0.1 User-Agent is a client claim that any sender can set.

NOTE : Street view of 114.31.8.46 (image in the original post)
IP :

  • 114.31.8.46
  • 14.164.139.179

Friday, November 18, 2016

RE: shipping done

We shipped your crap.
Here s the tracking invoice :
https://www.ups.com/?tracking_invoice=219371293129312& action=download

Let us know when it arrives.
Thanks

Phishing analysis :

CLICK : https://www.ups.com/?tracking_invoice=219371293129312& action=download
OPEN : http://invoice-portal.com/invoices/get.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=
RESULT : Download a file called : inv11172016.doc
NOTE : The visible link text is a ups.com URL, but the href behind it goes to invoice-portal.com. The id parameter is base64 for webmaster@rbcafe.com, the recipient address, so the download is tied to the targeted mailbox.
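The two checks behind the CLICK / OPEN lines above, written out as an added example (this is not code from the post): pull every anchor out of an HTML mail body, compare the site named in the visible link text with the site the href really points to, and decode the base64 id parameter. The HTML body is constructed here around the two URLs from the post; the class and function names are this example's own.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of a host name; a production check would consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:])


def decode_b64_param(url: str, name: str = "id"):
    """Decode a base64 query parameter, or return None when it is not valid base64 text."""
    values = parse_qs(urlsplit(url).query).get(name)
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def suspicious_links(html: str) -> list:
    """Report anchors whose visible URL text names a different site than the real href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if "://" not in text:
            continue  # plain words such as "click here" carry no domain to compare
        shown, actual = host_of(text), host_of(href)
        if registrable(shown) != registrable(actual):
            findings.append({"shown": shown, "actual": actual, "href": href,
                             "id": decode_b64_param(href)})
    return findings


# Constructed HTML body modelled on the "RE: shipping done" lure: the anchor
# text and the href are the two URLs from the post, everything else is filler.
SAMPLE_BODY = """<html><body>
<p>We shipped your crap.<br>Here s the tracking invoice :</p>
<a href="http://invoice-portal.com/invoices/get.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=">
https://www.ups.com/?tracking_invoice=219371293129312&amp;action=download</a>
<p>Let us know when it arrives.</p>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_BODY):
        print(f"shown {f['shown']} -> actual {f['actual']} (id decodes to {f['id']!r})")
```

Run against the sample body this reports one finding: shown www.ups.com, actual invoice-portal.com, id webmaster@rbcafe.com. Comparing registrable domains rather than full host names avoids flagging a legitimate tracking.ups.com link displayed as www.ups.com.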

File analysis :

ESET-NOD32 : VBA/Kryptik.T
F-Secure : Trojan:W97M/Nastjencro.A
Fortinet : WM/Agent.5110!tr
Kaspersky : HEUR:Trojan.Script.Agent.gen
McAfee : W97M/Dropper.cu
McAfee-GW-Edition : W97M/Dropper.cu
NANO-Antivirus : Trojan.Ole2.Vbs-heuristic.druvzi
Panda : O97M/Downloader 20161117
Qihoo-360 : virus.office.gen.75
Symantec : W97M.Downloader
TrendMicro : W2KM_HANCITOR.YYSXC
TrendMicro-HouseCall : W2KM_HANCITOR.YYSXC

inv11172016.doc is a virus.

Email analysis :

NOTE : Return-Path : <rm@restaurantcocotte.com>
NOTE : 162.252.121.130 ()
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : X-Mailer : iPad Mail (11D169)
NOTE : Message-Id : <*@restaurantcocotte.com>
NOTE : Content-Type : text/html; charset="utf-8"
NOTE : Received : from unknown (HELO restaurantcocotte.com) (162.252.121.130)
NOTE : Subject : RE: shipping done

Friday, July 24, 2015

Inquiry

Dear Sir,

Refers to the new order raised to your company,
Attached please find the order and swift copy of the last shipment.
Kindly open the PDF file to view details

Regards
Thanks & Regards,

Michail Harik
CMT executive – Platinum Team
Aramex Doha – Doha, Qatar
Tel +974 44200193
aramex.com

pr.no.567890.docx

File analysis :

File : pr.no.567890.docx
SHA256 : dbdb40864695b3e8ffd980f051d829b38fb38bbd93711cfb2188165cc58c0ec9
NOTE : File pr.no.567890.docx is a virus

AVG : PSW.Generic12.CAPW
Ad-Aware : Trojan.GenericKD.2591074
Arcabit : Trojan.Generic.D278962
Avast : MSIL:Zbot-Z [Trj]
Avira : TR/Dropper.MSIL.173869
BitDefender : Trojan.GenericKD.2591074
DrWeb : Trojan.PWS.Siggen1.39434
ESET-NOD32 : a variant of MSIL/Injector.KXP
Emsisoft : Trojan.GenericKD.2591074 (B)
F-Secure : Trojan.GenericKD.2591074
Fortinet : MSIL/Injector.KSL!tr
GData : Trojan.GenericKD.2591074
Ikarus : Trojan.MSIL.Injector
Kaspersky : Trojan-Dropper.Win32.Sysn.batm
McAfee : PWS-FCDG!4A71EF2B2FA1
McAfee-GW-Edition : PWS-FCDG!4A71EF2B2FA1
MicroWorld-eScan : Trojan.GenericKD.2591074
Microsoft : Trojan:Win32/Dynamer!ac
Panda : Trj/CI.A
Symantec : Infostealer.Limitail

NOTE : Despite the .docx extension, every engine that names a platform classifies the file as a .NET (MSIL) injector/dropper carrying a password stealer (Zbot, PWS, Infostealer), i.e. a Windows executable renamed to look like a Word document.
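Both the Scan_*.pdf post (macro content behind a .pdf name) and this one (a .NET executable behind a .docx name) come down to the same check: identify the container from its bytes rather than its extension, then look inside for macro or embedding markers. This is an added example, not code from the posts; the samples are constructed byte strings, not the analysed files, and classify / extension_mismatch are names chosen for this example.

```python
import io
import zipfile

# Standard file-header signatures.
PDF_MAGIC = b"%PDF-"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.xlsx are zip containers
PE_MAGIC = b"MZ"                                    # Windows executable


def classify(data: bytes) -> dict:
    """Identify the real container type of raw bytes and flag risky content."""
    info = {"type": "unknown", "flags": []}
    if data.startswith(PDF_MAGIC):
        info["type"] = "pdf"
        for key in (b"/EmbeddedFile", b"/JavaScript", b"/OpenAction", b"/Launch"):
            if key in data:
                info["flags"].append(key.decode())
    elif data.startswith(OLE2_MAGIC):
        info["type"] = "ole2"
        # OLE directory entry names are stored UTF-16LE; _VBA_PROJECT marks a macro project
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            info["flags"].append("vba")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.startswith("word/") for n in names):
            info["type"] = "docx"
        elif any(n.startswith("xl/") for n in names):
            info["type"] = "xlsx"
        else:
            info["type"] = "zip"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            info["flags"].append("vba")
    elif data.startswith(PE_MAGIC):
        info["type"] = "pe"
        # A managed (.NET) executable imports mscoree.dll to start the CLR
        if b"mscoree.dll" in data:
            info["flags"].append("dotnet")
    return info


EXPECTED_BY_EXT = {"pdf": {"pdf"}, "doc": {"ole2"}, "docx": {"docx"},
                   "docm": {"docx"}, "xlsx": {"xlsx"}, "exe": {"pe"}}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one container and the bytes are another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    return expected is not None and classify(data)["type"] not in expected


def _zip_with(names):
    """Build a minimal zip container with the given member names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"x")
    return buf.getvalue()


# Constructed samples, not the files from the posts.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /EmbeddedFile /Length 2 >>\nstream\nMZ\nendstream\nendobj\n%%EOF\n"
SAMPLE_DOC_MACRO = OLE2_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le")
SAMPLE_DOCM = _zip_with(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
SAMPLE_DOCX = _zip_with(["[Content_Types].xml", "word/document.xml"])
SAMPLE_DOTNET_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16 + b"mscoree.dll\x00"

if __name__ == "__main__":
    for name, data in [("Scan_1.pdf", SAMPLE_PDF), ("invoice.doc", SAMPLE_DOC_MACRO),
                       ("report.docm", SAMPLE_DOCM), ("pr.no.567890.docx", SAMPLE_DOTNET_PE)]:
        print(name, classify(data), "MISMATCH" if extension_mismatch(name, data) else "ok")
```

The PE branch only checks the MZ stub and the mscoree.dll import string; a full check would follow e_lfanew to the PE header and read the CLR data directory, but the string test is enough to separate a renamed .NET dropper from a Word document.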

Email analysis :

NOTE : info@paltinum.com (sender address; paltinum.com is a transposed-letter lookalike of the "Platinum" in the signature and does not match the aramex.com domain the signature names)
NOTE : X-Sender-Id : nisakorn@thai-nichi.com
NOTE : X-Msmail-Priority : Normal
NOTE : X-Mimeole : Produced By Microsoft MimeOLE V6.00.2600.0000
NOTE : Mime-Version : 1.0
NOTE : X-Priority : 3
NOTE : X-Mailer : Microsoft Outlook Express 6.00.2600.0000
NOTE : client-ip=173.203.6.144;
NOTE : Received : from smtp144.ord.emailsrvr.com
NOTE : (smtp144.ord.emailsrvr.com. [173.203.6.144])
NOTE : Received : from smtp27.relay.ord1a.emailsrvr.com
NOTE : (localhost.localdomain [127.0.0.1]) by smtp27.relay.ord1a.emailsrvr.com
NOTE : Received : by smtp27.relay.ord1a.emailsrvr.com
NOTE : (Authenticated sender: nisakorn-AT-thai-nichi.com)
NOTE : Received : from User ([UNAVAILABLE]. [66.76.199.160])
NOTE : by 0.0.0.0:25 (trex/5.4.2)
NOTE : Subject : Inquiry
NOTE : The message entered the emailsrvr.com relay from 66.76.199.160 through an authenticated thai-nichi.com account, so that account is the likely compromised sender and 66.76.199.160 the originating host; the Outlook Express X-Mailer and the paltinum.com address are sender-controlled fields and prove nothing on their own.