The Journey Did Not Begin

So I started this blog about a year ago. I wrote one post, went on vacation, and never came back. Well, to be clear, I did return from vacation — somewhat unfortunately — but I didn’t come back to the blog. Perhaps this will be a new beginning…

To reintroduce the blog, I figured I’d write a quick post about a rather unconvincing PayPal phish that I received today. Aside from the typical tell-tale spelling mistakes, the email addressed me using an email address that doesn’t even belong to me:


Image 1. Is that your email address? If so, they are looking for you.

The email contains a Word document with some pretty poor English, and a not-so-enticing link suggesting that I “click here”. (I did not click here.) I generated an MD5 of the document and queried it against VirusTotal, but didn’t get any matches. There didn’t seem to be any unique content in the doc that would cause different hashes across recipients, but who knows.

However, copying the URL from the link and running it through urlscan, I got a nice screenshot of a PayPal phish in German:


Of course, the link in the doc used a shortened URL, but urlscan is good enough to provide the un-shortened link. The long one has a couple of “DE” variables in it, so the phish may be geo-aware and change languages based upon the victim’s location. To confirm this, I ran a cURL command to get the response headers and redirects. Using a US-based VPN, the second hop shows that I’m US-based, so the urlscan query must have been initiated from a server in Germany.
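As an added example (not the post’s own cURL command or any tooling from the post), the Python below walks a redirect chain one hop at a time, recording the status and Location of each hop the way a manual curl session with redirect-following turned off does, and then compares where the chain ends for different Accept-Language values. That header check is a cheap first test for language-aware landing pages; geo-targeting keyed on the visitor’s IP, which is what the post observes, still needs an exit in the target region, as with the VPN above. The live transport uses only urllib and never auto-follows; the demo transport and its hostnames are constructed placeholders, not the indicators from this post.

```python
"""Walk a redirect chain hop by hop and compare landing pages per language.

Added example, not the post's own tooling. `live_fetch` is a real transport
that refuses to auto-follow redirects; `fake_fetch` is a constructed
in-memory stand-in (placeholder hostnames) so the demo runs offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Returning None here makes urllib raise HTTPError instead of following,
    so the caller sees every hop and its headers."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, headers, timeout=10):
    """Fetch one URL without following redirects; return (status, headers)."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def walk_redirects(url, fetch, accept_language="en-US,en;q=0.9", max_hops=10):
    """Return [(url, status), ...] for every hop until a non-redirect response."""
    headers = {
        "User-Agent": "Mozilla/5.0 (redirect-chain check)",  # constructed value
        "Accept-Language": accept_language,
    }
    hops, current = [], url
    for _ in range(max_hops):
        status, resp_headers = fetch(current, headers)
        hops.append((current, status))
        location = next((v for k, v in resp_headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_CODES or not location:
            return hops
        current = urljoin(current, location)  # Location may be relative
    raise RuntimeError(f"more than {max_hops} hops starting from {url}")


def landing_by_language(url, fetch, languages):
    """Map each Accept-Language value to the final URL the chain ends on."""
    return {lang: walk_redirects(url, fetch, lang)[-1][0] for lang in languages}


def fake_fetch(url, headers):
    """Constructed transport imitating a shortener whose last hop depends on
    the visitor's language. Hostnames are placeholders, not real indicators."""
    lang = headers.get("Accept-Language", "").lower()
    if url == "http://short.example/abc":
        return 301, {"Location": "https://middle.example/?r=1"}
    if url == "https://middle.example/?r=1":
        target = "https://landing.example/de/" if lang.startswith("de") else "https://landing.example/en/"
        return 302, {"Location": target}
    return 200, {"Content-Type": "text/html"}


if __name__ == "__main__":
    start = "http://short.example/abc"
    for lang, final in landing_by_language(start, fake_fetch, ["en-US", "de-DE"]).items():
        print(f"{lang:6} -> {final}")
    for hop_url, status in walk_redirects(start, fake_fetch, "de-DE"):
        print(status, hop_url)
```

To use it against a real chain, pass `live_fetch` instead of `fake_fetch`; the walker never renders or executes anything, it only records the hop list, which is what you want when documenting a phishing URL.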

The redirects also revealed an additional URL, which when queried against VirusTotal, reveals that the domain has been used in PayPal phishes since at least October 2018. I didn’t get any additional context from the first un-shortened URL, but pivoting off of the IP address, we get 72 additional domains, many of which are very similar, with DNS resolutions dating to 2019-03-27.

There are a lot more queries to do with the info uncovered thus far, but I’m tired and going to bed. So, here are the IOCs collected up to this point:

Sender email: slebew-2990706@jhaiyanegrikkomunikasimusik[.]com
Document Name: Doc-ID#789641.docx
Word Doc MD5: aa72aa3c42795cfa6aaf85bdf22d0942
Sender IP: 209[.]85[.]128[.]68 <– Gmail
Short URL: hxxp://x[.]co/6nilO
Un-Shortened URL: hxxps://confirms-limiteds-invaliddatassesure[.]aplikasimobilyberkelas[.]com/?_
Final URL: hxxps://href[.]li/?
SSL Cert SHA-256: B7950BFE4EA4A869AA59398E694FFBB5D43D80AAAED0352D90B5570F724A8A8B
SSL Cert SHA-1: 8FDEBCBD587BA0863C11275D8B71CA2B2F488186
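As an added example (not the post’s own tooling), here is a small Python parser for a defanged IOC list like the one above: it refangs the `[.]` and `hxxp` forms for lookups, assigns each indicator a type, and handles two quirks of hand-written lists, a trailing “<– note” annotation and an unlabelled continuation line carrying a second hash, both present in the copy embedded below. The indicator text is copied from the post; the type names are my own.

```python
"""Parse a defanged IOC list into typed records; convert defanged <-> live.

Added example, not the post's own tooling. IOC_TEXT is copied from the post.
"""
import re

IOC_TEXT = """\
Sender email: slebew-2990706@jhaiyanegrikkomunikasimusik[.]com
Document Name: Doc-ID#789641.docx
Word Doc MD5: aa72aa3c42795cfa6aaf85bdf22d0942
Sender IP: 209[.]85[.]128[.]68 <– Gmail
Short URL: hxxp://x[.]co/6nilO
Un-Shortened URL: hxxps://confirms-limiteds-invaliddatassesure[.]aplikasimobilyberkelas[.]com/?_
Final URL: hxxps://href[.]li/?
SSL Cert: SHA-256 B7950BFE4EA4A869AA59398E694FFBB5D43D80AAAED0352D90B5570F724A8A8B
SHA-1 8FDEBCBD587BA0863C11275D8B71CA2B2F488186
"""

LABEL_RE = re.compile(r"^([A-Za-z][\w \-]*?):\s*(.+)$")   # "Label: value"
ALGO_RE = re.compile(r"^(SHA-\d+|MD5)\s+(\S+)$", re.I)     # "SHA-256 <hex>"
NOTE_RE = re.compile(r"\s*<[-–]\s*")                        # "<– analyst note"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def refang(value):
    """'hxxp://x[.]co' -> 'http://x.co' (for lookups, never for visiting)."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)


def defang(value):
    """Inverse of refang: safe to paste into a report or ticket."""
    value = re.sub(r"^http(s?)://", r"hxxp\1://", value, flags=re.I)
    return value.replace(".", "[.]")


def classify(value):
    """Best-effort indicator type, judged on the refanged value."""
    if HEX_RE.match(value):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value), "hex")
    if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", value):
        return "ipv4"
    if re.match(r"^https?://", value, re.I):
        return "url"
    if re.match(r"^[^\s@]+@[^\s@]+$", value):
        return "email"
    if re.match(r"^[^\s/\\]+\.(docx?|xlsx?|pdf|zip|exe)$", value, re.I):
        return "file"
    if re.match(r"^[\w.-]+\.[a-z]{2,}$", value, re.I):
        return "domain"
    return "text"


def parse_iocs(text):
    """Return a list of {label, type, defanged, refanged, note} records."""
    records, base_label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            base_label, value = m.group(1).strip(), m.group(2).strip()
        elif base_label:
            value = line                      # continuation of the previous label
        else:
            continue                          # stray line before any label
        value, *rest = NOTE_RE.split(value, maxsplit=1)
        note = rest[0].strip() if rest else ""
        label = base_label
        algo = ALGO_RE.match(value)
        if algo:                              # "SHA-1 <hex>" -> "SSL Cert SHA-1"
            label, value = f"{base_label} {algo.group(1).upper()}", algo.group(2)
        live = refang(value)
        records.append({"label": label, "type": classify(live),
                        "defanged": value, "refanged": live, "note": note})
    return records


if __name__ == "__main__":
    for rec in parse_iocs(IOC_TEXT):
        print(f"{rec['type']:7} {rec['label']:18} {rec['refanged']}  {rec['note']}")
```

The typed records are what you would feed to a lookup script or a blocklist; keeping both the defanged and refanged forms means the report stays click-safe while the lookups use the real values.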

There’s probably something I’m missing, but it will have to wait for another time.
