Read on Twitter
#malspam detected in-the-wild by @BitDamSecurity
sha1: 1bcd89984728250924bb51d01550a79819512d6d
missed by O365 ATP(TTD:8h)
Live: https://bitdam.com/email_blind_spots_study/
#ThreatIntel #infosec #IOC
@malwrhunterteam
@JAMESWT_MHT
@reecdeep
@ActorExpose
@abuse_ch
sha1: 1bcd89984728250924bb51d01550a79819512d6d
missed by O365 ATP(TTD:8h)
Live: https://bitdam.com/email_blind_spots_study/
#ThreatIntel #infosec #IOC
@malwrhunterteam
@JAMESWT_MHT
@reecdeep
@ActorExpose
@abuse_ch
docx has a rels getting a "wbk" file from http://office-archive-index[.]com. The wbk is actually an rtf. The website is still active btw.
RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated
![docx has a rels getting a "wbk" file from http://office-archive-index[.]com. The wbk is actually an rtf. The website is still active btw.RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated](https://pbs.twimg.com/media/EWPJGhrXgAAhqUa.png "docx has a rels getting a \"wbk\" file from http://office-archive-index[.]com. The wbk is actually an rtf. The website is still active btw.RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated")
![docx has a rels getting a "wbk" file from http://office-archive-index[.]com. The wbk is actually an rtf. The website is still active btw.RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated](https://pbs.twimg.com/media/EWPJZFRWkAIIhxM.png "docx has a rels getting a \"wbk\" file from http://office-archive-index[.]com. The wbk is actually an rtf. The website is still active btw.RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated")
![docx has a rels getting a "wbk" file from http://office-archive-index[.]com. The wbk is actually an rtf. The website is still active btw.RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated](https://pbs.twimg.com/media/EWPJyC0WoAUQiOl.png "docx has a rels getting a \"wbk\" file from http://office-archive-index[.]com. The wbk is actually an rtf. The website is still active btw.RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated")
RTF file (43d930ddf0af21abde85d14d70c689599b8954ad) execute a powershell to run putin.vbs. The vbs is heavily obfuscated
vbs is downloading attack.jpg, which is a very long string, which decodes into a powershell command that installs the malware using InstallUtil.exe.
