Phishing: Jaff Ransomware campaign through PDF > DOCM
Phishing emails with PDF attachments that contain an embedded DOCM have been doing the rounds.
Decompressed DOCM:
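For triage of a suspicious PDF of this kind, the sketch below (an added example, not code from the original post) inflates each stream in the file and reports any that turn out to be an Office Open XML container with a `vbaProject.bin` part, which is what makes a DOCM macro-enabled. The function names and the sample PDF are constructed for illustration; the stream matching is a simple regular expression, not a full PDF parser.

```python
import io
import re
import zipfile
import zlib

MACRO_PART = "vbaProject.bin"  # OOXML part that holds the VBA project
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate(raw):
    """Return the Flate-decoded stream, or the raw bytes if it is not zlib data."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def find_macro_attachments(pdf):
    """List PDF streams that are OOXML (ZIP) containers carrying a VBA project."""
    hits = []
    for index, match in enumerate(STREAM_RE.finditer(pdf)):
        body = inflate(match.group(1))
        if not body.startswith(b"PK\x03\x04"):
            continue  # not a ZIP container, so not a DOCM/XLSM/PPTM
        try:
            names = zipfile.ZipFile(io.BytesIO(body)).namelist()
        except zipfile.BadZipFile:
            continue
        macro_parts = [n for n in names if n.endswith(MACRO_PART)]
        if macro_parts:
            hits.append({"stream": index, "size": len(body), "macro_parts": macro_parts})
    return hits


def build_sample_pdf(with_macros):
    """Constructed test input: a skeletal PDF with one Flate-encoded attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    payload = zlib.compress(buf.getvalue())
    head = (
        "%PDF-1.5\n1 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode "
        f"/Length {len(payload)} >>\nstream\n"
    ).encode()
    return head + payload + b"\nendstream\nendobj\n%%EOF\n"
```

Streams that use other filters, sit inside compressed object streams, or belong to an encrypted PDF are not decoded by this sketch and need a real PDF parser.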
Here's a list of known first stage URLs: