Xploit + Trojan?

[RoboMan]

Got some nice e-mail today.

From: Dropbox. <mark.opdyke@pepsico.com>
Date: Wednesday, July 19, 2017
Subject: Pdf_file333 _invoice(2) Received
To: xxxx <xxxx>



Hi

You have Receieved An invoice uploaded via dropbox

Due to large size. Access Your Invoice Here

Thanks,

Dropbox!

Definitely scam. On an isolated browser i clicked the link, which drove me here:

hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/index.html

Definitely scam. Looks like xploit method to get your credentials. I used fake ID and password and of course, it redirected me to the "download" as if my login authentication succeeded. The following download link was created.

hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html

Anybody has an active isolated enviroment as to test what kind of malware this is? I'm setting my VM soon when i have a decent internet connection u.u

 

[ispx]

virus total :

Scan report for https://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/index.html at 2017-07-19 21:55:46 UTC - VirusTotal

 

[RoboMan]

virus total :

Scan report for https://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/index.html at 2017-07-19 21:55:46 UTC - VirusTotal

Weird right? I also used VT and it only flags 2 AV on detection....

Scan report for https://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html at 2017-07-19 21:33:06 UTC - VirusTotal


EDIT: @ispx sorry i re-edited my original post, the download link i included was wrong.

 

[ispx]

opera detected it, neat.

 

[509322]

Got some nice e-mail today.



Definitely scam. On an isolated browser i clicked the link, which drove me here:

hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/index.html

Definitely scam. Looks like xploit method to get your credentials. I used fake ID and password and of course, it redirected me to the "download" as if my login authentication succeeded. The following download link was created.

hxxps://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html

Anybody has an active isolated enviroment as to test what kind of malware this is? I'm setting my VM soon when i have a decent internet connection u.u

Web content virus scan
Address: hxxp://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html
Virus: Script.Packed.Agent.F@susp (Engine B)
Status: Access denied.
Engines: Engine A: AVA 25.13458, Engine B: GD 25.10036

 

[RoboMan]

Web content virus scan
Address: hxxp://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html
Virus: Script.Packed.Agent.F@susp (Engine B)
Status: Access denied.
Engines: Engine A: AVA 25.13458, Engine B: GD 25.10036

Seems like ransomware to me

 

[509322]

Weird right? I also used VT and it only flags 2 AV on detection....

Scan report for https://topdunet.fr/XTDDROPSERES/documentsharepdfEN/documentsharepdffile/google/phonever.html at 2017-07-19 21:33:06 UTC - VirusTotal


EDIT: @ispx sorry i re-edited my original post, the download link i included was wrong.

Blacklisting a webpage (URL) is not the same as scanning and blacklisting the webpage content.

 

[RoboMan]

Blacklisting a webpage (URL) is not the same as scanning and blacklisting the webpage content.

Yeah true that. I used VT in order to see if the antivirus scanners detected the download link as a malicious link. Not the actual payload.

 

[509322]

Seems like ransomware to me

Probably not. Just suspicious webpage script.

Look here at signatures assigned to support webpage hjacks or "ransom" pages:

• Exploit.SWF_c.CAL
• SWF/Trojan.YWCL-5
• Exploit:SWF/Netis
• JS.Redirector.F
• Trojan.HTML.k
• Script.Packed.Agent.F@susp
• Ransom:JS/FakeBsod.A
• Uds.Dangerousobject.Multi!c

ransom does not mean ransomeware.

 

[RoboMan]

Probably not. Just suspicious webpage script.

Look here at signatures assigned to support webpage hjacks or "ransom" pages:

• Exploit.SWF_c.CAL
• SWF/Trojan.YWCL-5
• Exploit:SWF/Netis
• JS.Redirector.F
• Trojan.HTML.k
• Script.Packed.Agent.F@susp
• Ransom:JS/FakeBsod.A
• Uds.Dangerousobject.Multi!c

ransom does not mean ransomeware.

Thanks for the share. I wish i had my VM set up...

 

[509322]

Yeah true that. I used VT in order to see if the antivirus scanners detected the download link as a malicious link. Not the actual payload.

Not the payload, the actual webpage content loaded into the browser. I guess you can call that a payload of a sort. Using the terminology payload is not always the technically most accurate. Lots of people have different definition of what constitutes a payload.

 

[WinXPert]

 

[RoboMan]

View attachment 160118

lmao this is some next level scam

 

[WinXPert]

lmao this is some next level scam

Don't have a spare email to use. Plus all my mobile numbers are already tied in to an email.

 

[SHvFl]

I have so many of these in my spam folder. If i was actually getting so many amazon, fedex and google messages i would be both rich and popular.