Analyzing some strange Spam/Phishing campaign on my XSOAR

On my private email address I saw something suspicious: someone shared a Google Folder with me. Also, there were a lot of strange-looking email addresses CCed. As I received several emails after that one, I thought it might be fun to dig a bit deeper… using Palo Alto Networks XSOAR, of course.

I assume the phishing started after the breach at Wakanim (yes, I know) and has taken many different forms and shapes after that. Here is the first one:

What do they look like?

Basically all phishing emails come with the same look and feel:

Subject: v nob
Text: arur nl

A subject made of random character blocks, the same for the message text, and always a PDF attached.

Indicators

I found 13 emails in my spam folder; here are the attachments:

"AllAttch": [
"aHjMe.pdf",
"bBrAX.pdf",
"gPwgB.pdf",
"LSrdb.pdf",
"rPQdX.pdf",
"MaHAC.pdf",
"Video_Annett_Walls_mg_nrwmpvnl.pdf",
"ulkbW.pdf",
"UIwzH.pdf",
"VpKEO.pdf",
"KCExo.pdf",
"ETmVG.pdf",
"ZYUEy.pdf"
],

And the subjects:

"AllSub": [
"v nob",
"qfuw ymum",
"bqaz ihor",
"j fiv",
"x gen equz",
"g rat",
"Hello. It is Annett.",
"z jis",
"ftyd oxur",
"z kop uqoj",
"q wob",
"c nar",
"v foz"
],
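To turn the look and feel described above into something a playbook can check, here is an added example (my own code, not part of the original post and not an XSOAR-shipped rule) that scores an email on the three traits the campaign shares, and counts how many entries of an XSOAR-style context with the AllSub/AllAttch keys fit the pattern. The regexes are assumptions derived from the samples listed above; the sample context is constructed from those lists.

```python
import re
from typing import Dict, List, Tuple

# Heuristics constructed from the post's samples: subjects and bodies are
# blocks of 1-4 lowercase letters separated by single spaces, attachments
# are five letters plus ".pdf". Each signal alone is weak (a harmless subject
# like "re test" also matches), so is_campaign_email() needs two of three.
RANDOM_BLOCKS = re.compile(r"^[a-z]{1,4}(?: [a-z]{1,4})*$")
RANDOM_PDF = re.compile(r"^[A-Za-z]{5}\.pdf$")


def looks_like_random_blocks(text: str) -> bool:
    return bool(RANDOM_BLOCKS.match(text.strip()))


def looks_like_random_pdf(name: str) -> bool:
    return bool(RANDOM_PDF.match(name))


def score_email(subject: str, body: str, attachments: List[str]) -> int:
    """0-3: one point each for random subject, random body, random-named PDF."""
    score = int(looks_like_random_blocks(subject))
    score += int(looks_like_random_blocks(body))
    score += int(any(looks_like_random_pdf(a) for a in attachments))
    return score


def is_campaign_email(subject: str, body: str, attachments: List[str]) -> bool:
    # Require at least two of the three signals to limit false positives.
    return score_email(subject, body, attachments) >= 2


def summarize_context(ctx: Dict[str, List[str]]) -> Tuple[int, int]:
    """Count matching subjects and attachments in an AllSub/AllAttch context."""
    subjects = ctx.get("AllSub", [])
    attachments = ctx.get("AllAttch", [])
    return (sum(looks_like_random_blocks(s) for s in subjects),
            sum(looks_like_random_pdf(a) for a in attachments))


# Constructed sample: the 13 subjects and attachment names listed in the post.
SAMPLE_CONTEXT = {
    "AllSub": ["v nob", "qfuw ymum", "bqaz ihor", "j fiv", "x gen equz", "g rat",
               "Hello. It is Annett.", "z jis", "ftyd oxur", "z kop uqoj",
               "q wob", "c nar", "v foz"],
    "AllAttch": ["aHjMe.pdf", "bBrAX.pdf", "gPwgB.pdf", "LSrdb.pdf", "rPQdX.pdf",
                 "MaHAC.pdf", "Video_Annett_Walls_mg_nrwmpvnl.pdf", "ulkbW.pdf",
                 "UIwzH.pdf", "VpKEO.pdf", "KCExo.pdf", "ETmVG.pdf", "ZYUEy.pdf"],
}

if __name__ == "__main__":
    print(summarize_context(SAMPLE_CONTEXT))  # (12, 12): the "Annett" mail is the outlier
    print(is_campaign_email("v nob", "arur nl", ["aHjMe.pdf"]))  # True
```

The "Annett" email is the one that fails both checks, which matches what the lists above show.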

As well as the senders (all email addresses have been reported to abuse). I did redact parts of the email addresses, as I am not really sure how GDPR thinks about phishing emails and sharing intelligence. Feel free to reach out to get the full list though. You can also find all indicators on X-Force Exchange.

Finally, here are all the hashes (attachments and emails):

Happy hunting, leave a clap and let’s be excellent to each other.