Correspondence

Each lure is listed below by sender, subject, attachment name and attachment SHA256 (the hashes were linked to VirusTotal in the original post).

Sender: clemke[@]e-chuppah[.]com
Subject: RE: New Borrowers
Attachment: AK.pdf
SHA256: 9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32

Sender: aschaden[@]shopbarbay[.]com
Subject: FW: Check Image Request
Attachment: NI.pdf
SHA256: 93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc

Sender: wtremblay[@]aaofoo[.]com
Subject: RE: Cashing Third Party Checks
Attachment: CT.pdf
SHA256: 77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2

Sender: se[.]jursnaeb[@]adyasiddhi[.]com
Subject: RE: Hello--
Attachment: TX.pdf
SHA256: 3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045

This campaign used a variety of sender addresses and domains, and every subject line was a reply or forward ("RE:" / "FW:"), consistent with hijacked business email threads. All attachment names follow a two-letter-plus-.pdf pattern resembling US state abbreviations (AK.pdf, NI.pdf, CT.pdf, TX.pdf), though not every pair is a real state code.

File Analysis

TX.pdf was also uploaded to Hybrid Analysis for further inspection (link in the original post). The PDF itself carries no exploit; it contains a link that downloads the next stage, an encrypted ZIP served from hxxps://vcallc[.]us/ines/ines[.]php (listed under Indicators below).

The second stage downloads a PowerShell script, which in turn works through a list of compromised domains to fetch the next stage. In the sample I tested, all of those links were dead, so the chain never reached the PowerShell download; the behavior observed up to that point matches the chain described in Securelist's write-up, QBot banker delivered through business correspondence.
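A quick way to triage a lure like TX.pdf without opening it is to pull every /URI action out of the file (including ones hidden inside compressed streams), defang the targets into the same hxxp / [.] notation used in this report, and compare them and the file's SHA256 against the indicator list. The script below is an added example and not code from the original post or from Hybrid Analysis; the PDF it scans is constructed inline as a stand-in for the real sample, and it only reads the link, never fetches it. The indicator values are the ones listed in this report.

```python
"""Triage a PDF lure offline: extract link targets, defang them, and check
both the links and the file hash against this report's indicators.

Added example, not code from the original post. build_sample_pdf() returns a
CONSTRUCTED stand-in, not one of the real samples; the IOC values below are
copied from the Indicators section. Standard library only; nothing is fetched.
"""
import hashlib
import re
import zlib

# Indicators from the report, kept defanged so no live link is embedded here.
IOC_URLS = {"hxxps://vcallc[.]us/ines/ines[.]php"}
IOC_SHA256 = {
    "9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32",
    "93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc",
    "77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2",
    "3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045",
}

# /URI followed by a PDF literal string (...) or a hex string <...>
_URI_LIT = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)")
_URI_HEX = re.compile(rb"/URI\s*<(?P<hex>[0-9A-Fa-f\s]*)>")


def defang(url: str) -> str:
    """Rewrite a live URL into the hxxp / [.] form used in the report."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def _unescape_literal(raw: bytes) -> str:
    # PDF literal strings escape ( ) and \ with a backslash; undo that.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target found in the raw bytes and in inflated streams."""
    blobs = [pdf]
    # Link actions are frequently stored Flate-compressed; inflate each stream
    # so the scan also sees targets that are invisible in the raw file.
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or damaged); the raw bytes were scanned already
    found = set()
    for blob in blobs:
        for m in _URI_LIT.finditer(blob):
            found.add(_unescape_literal(m.group("lit")))
        for m in _URI_HEX.finditer(blob):
            found.add(bytes.fromhex(m.group("hex").decode()).decode("latin-1"))
    return sorted(found)


def triage(pdf: bytes) -> dict:
    """Hash the file, list its link targets, and flag anything on the IOC list."""
    digest = hashlib.sha256(pdf).hexdigest()
    uris = extract_uris(pdf)
    url_matches = [u for u in uris if defang(u) in IOC_URLS]
    hash_match = digest in IOC_SHA256
    return {
        "sha256": digest,
        "hash_match": hash_match,
        "uris": uris,
        "url_matches": url_matches,
        "verdict": "malicious" if (url_matches or hash_match) else "no IOC match",
    }


def build_sample_pdf() -> bytes:
    """CONSTRUCTED stand-in for a lure PDF (not a real sample): one page, one
    link annotation whose action dictionary sits inside a Flate-compressed
    stream, so the link is not visible with a plain strings(1) pass."""
    action = b"<< /S /URI /URI (https://vcallc.us/ines/ines.php) >>"
    packed = zlib.compress(action)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    body = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        body += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open("TX.pdf", "rb").read())`. The constructed sample hashes to something not on the list, so only the link matches; a real sample from this campaign would match on the hash as well. The defang step is what makes the comparison work: the report's indicators are written with hxxp and [.], so the extracted live URL is rewritten into that form rather than the indicators being refanged into something clickable.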

Indicators

SHA256

9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32

93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc

77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2

3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045

URLs

hxxps://vcallc[.]us/ines/ines[.]php (First Stage, ZIP Dropper)