Random extraction of IOCs from OSINT phishing email.

Malware Sample Analysis

Extracted Phishing IOCs

  • File Hash (SHA-256): 2968fbf04cf02ac4fd6822acafc2156caab61da07bd56b584eaa36ad34445124
  • Sender Email: [email protected]
  • Malicious URLs:
    • https://e6bfb36a0bc404b0e09b3f21bdad1bf7.repcougel.com/cxR0/#Z29yYWtzQG51bWJlcnNvbmx5LmNvbQ==
    • https://e579fa5acfa22b4122f7db1e9aab5a85.repcougel.com/cxR0/#Z29yYWtzQG51bWJlcnNvbmx5LmNvbQ==
  • Associated Domains:
    • repcougel.com
    • blegabouc.com
    • dilatede.ru
    • aquapluscr.com
    • outsolsecure.com

Phishing Email Overview

The phishing email was unsophisticated, purporting to contain an "Office closure document" in PDF format. The PDF's hash (2968fbf04cf02ac4fd6822acafc2156caab61da07bd56b584eaa36ad34445124) was flagged for the first time on VirusTotal when I uploaded it.

URL Analysis and Behavioral Observations

  • URL from PDF:
    The initial URL extracted via VirusTotal's behavioral analysis redirected to a phishing page hosted on https://e6bfb36a0bc404b0e09b3f21bdad1bf7.repcougel.com, protected by Cloudflare. The page redirected me to Etsy. When navigating instead by clicking the link in the PDF I was redirected through https://e579fa5acfa22b4122f7db1e9aab5a85.repcougel.com and landed on an Office 365 phishing page.

  • JavaScript Analysis:
    Additional malicious URLs were discovered within the JavaScript code, used for POST requests on the phishing landing page.

  • DNS Analysis via Any.Run:

    • e579fa5acfa22b4122f7db1e9aab5a85.repcougel.com
      • IPs: 188.114.96.3, 188.114.97.3 (Cloudflare)
    • 586zurbfefsvmf9naz1safkrvpkvdo6sir6lxprnljluzkgk1sfiqzszv.blegabouc.com
      • IPs: 188.114.96.3, 188.114.97.3 (Cloudflare)
    • elwzrbunkbbvn2q5gtw38kop09ghgdgbtabxw5ftsmljmebx0adw.dilatede.ru
      • IPs: 104.21.24.174, 172.67.219.199 (Cloudflare)

All identified domains resolve to Cloudflare anycast addresses, so they appear to be using Cloudflare's proxy service to hide the true hosting origin; the resolved IPs identify the proxy, not the attacker's server.

Email Header Analysis

  • Email Encoding: The "From" and "Subject" headers were UTF-8 encoded.
  • Authentication Checks:
    • DMARC: Passed with both SPF and DKIM aligned.

  • Mail Server: Uncommon server noted, indicating possible abuse or compromise.

Conclusion

This phishing campaign demonstrates a classic Office 365 credential harvesting tactic, leveraging Cloudflare to obscure the malicious infrastructure. Continued monitoring and blocking of the identified IOCs are recommended to mitigate potential threats.