On 7 Aug 2018, at 15:31 (-0400), Martin Gregorie wrote:
On Tue, 2018-08-07 at 14:09 -0400, Alex wrote:
Anyone have ideas for viewing inside of an XPS file or otherwise
blocking phish attempts with xps attachments?
https://pastebin.com/KtMnNPAg
I don't think this is validly base64 encoded. I chopped it down to just the supposed base64 text and fed it through the Linux base64 decode utility, which gave up and said it isn't valid base64 after decoding about 150 characters.
Maybe check how you did that. Using the mimeexplode tool from the Perl MIME-Tools package:
# mimeexplode /tmp/xpsspam
Message: msg0 (/tmp/xpsspam)
Part: msg0/msg-53100-1.txt (text/plain)
Part: msg0/msg-53100-2.html (text/html)
Part: msg0/Remittance Copy.xps (application/octet-stream)
# ls -lAR msg0/
total 720
-rw-r--r-- 1 root wheel 354446 Aug 7 16:49 Remittance Copy.xps
-rw-r--r-- 1 root wheel 336 Aug 7 16:49 msg-53100-1.txt
-rw-r--r-- 1 root wheel 4629 Aug 7 16:49 msg-53100-2.html
# file msg0/Remittance\ Copy.xps
msg0/Remittance Copy.xps: Zip archive data, at least v2.0 to extract
# zipinfo msg0/Remittance\ Copy.xps
Archive: msg0/Remittance Copy.xps 354446 bytes 18 files
-rw---- 4.5 fat 1063 b- defS 1-Jan-80 00:00 [Content_Types].xml
-rw---- 4.5 fat 567 b- defS 1-Jan-80 00:00 _rels/.rels
-rw---- 4.5 fat 3566 b- stor 1-Jan-80 00:00 docProps/thumbnail.jpeg
-rw---- 4.5 fat 564 b- defS 1-Jan-80 00:00 docProps/core.xml
-rw---- 4.5 fat 287 b- defS 1-Jan-80 00:00 Documents/1/_rels/FixedDoc.fdoc.rels
-rw---- 4.5 fat 320 b- defS 1-Jan-80 00:00 FixedDocSeq.fdseq
-rw---- 4.5 fat 55552 b- defN 1-Jan-80 00:00 Resources/31AB0740-4E67-23ED-1861-906DB2445D30.odttf
-rw---- 4.5 fat 61580 b- defN 1-Jan-80 00:00 Resources/36F32615-19BB-2EEA-BD7D-5051E214FE53.odttf
-rw---- 4.5 fat 266980 b- defN 1-Jan-80 00:00 Resources/128F6B1F-5739-13F9-6E4A-207A4466DE12.odttf
-rw---- 4.5 fat 1346 b- defS 1-Jan-80 00:00 Documents/1/Pages/_rels/1.fpage.rels
-rw---- 4.5 fat 282 b- defS 1-Jan-80 00:00 Documents/1/FixedDoc.fdoc
-rw---- 4.5 fat 4990 b- defN 1-Jan-80 00:00 Documents/1/Structure/Fragments/1.frag
-rw---- 4.5 fat 50574 b- defN 1-Jan-80 00:00 Documents/1/Pages/1.fpage
-rw---- 4.5 fat 7042 b- stor 1-Jan-80 00:00 Resources/Images/image_0.png
-rw---- 4.5 fat 290 b- stor 1-Jan-80 00:00 Resources/Images/image_1.png
-rw---- 4.5 fat 481 b- stor 1-Jan-80 00:00 Resources/Images/image_2.png
-rw---- 4.5 fat 386 b- defN 1-Jan-80 00:00 Documents/1/Structure/DocStructure.struct
-rw---- 4.5 fat 527552 b- defN 1-Jan-80 00:00 Resources/01EC0564-4D18-6AF6-270E-667DA377AC79.odttf
18 files, 983422 bytes uncompressed, 350592 bytes compressed: 64.3%
The payload is not in that XPS document, which is just a picture that claims to be an Office365 document with a big "Open File" button. That region is linked to a URL (MUNGED: hxxps://ssllink(dot)me/1sta) which at present redirects to a Brazilian domain which yields a 500 reply with a "bandwidth exceeded" message. Presumably the payload used to be there...
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
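Added example (not part of the thread, not Bill's or Alex's code): the zipinfo listing above shows why no renderer is needed to answer Alex's question. An XPS file is an OPC/ZIP package; each page is XML under Documents/*/Pages/*.fpage, a clickable region is an element carrying a FixedPage.NavigateUri attribute, and visible text is the UnicodeString attribute of Glyphs elements. The script below builds a small XPS in memory (constructed input; the link target https://example.invalid/open is a placeholder, not the munged URL reported above), lists its parts the way zipinfo does, pulls out every NavigateUri and the page text, and separates the targets that leave the document from internal anchors. The 10 MiB per-part cap and the note about defusedxml are the author's own safety assumptions for running this against mail attachments.

```python
"""Inspect an XPS attachment offline: list parts, extract links and text.

XPS = OPC/ZIP package; pages are XML (.fpage); links are
FixedPage.NavigateUri attributes; text is Glyphs/@UnicodeString.
All input below is constructed for the example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XPS_NS = "http://schemas.microsoft.com/xps/2005/06"
MAX_PART_BYTES = 10 * 1024 * 1024  # assumption: refuse oversized parts (zip-bomb guard)

# Constructed sample page: one text label plus a rectangle "button" that
# links out, and a second path that only links to an in-document anchor.
SAMPLE_FPAGE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<FixedPage xmlns="' + XPS_NS + '" Width="816" Height="1056" xml:lang="en-US">\n'
    '  <Glyphs Fill="#000000" FontUri="/Resources/f1.odttf" FontRenderingEmSize="12"\n'
    '          OriginX="40" OriginY="60" UnicodeString="Remittance Copy" />\n'
    '  <Path FixedPage.NavigateUri="https://example.invalid/open" Fill="#0078D4"\n'
    '        Data="M 40,100 L 240,100 240,160 40,160 Z" />\n'
    '  <Path FixedPage.NavigateUri="#top" Fill="#FFFFFF" Data="M 0,0 L 1,1 Z" />\n'
    '</FixedPage>\n'
)


def build_sample_xps():
    """Build a minimal, valid-enough XPS package in memory (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="fpage" '
                   'ContentType="application/vnd.ms-package.xps-fixedpage+xml"/></Types>')
        z.writestr("FixedDocSeq.fdseq",
                   '<FixedDocumentSequence xmlns="' + XPS_NS + '">'
                   '<DocumentReference Source="/Documents/1/FixedDoc.fdoc"/>'
                   '</FixedDocumentSequence>')
        z.writestr("Documents/1/FixedDoc.fdoc",
                   '<FixedDocument xmlns="' + XPS_NS + '">'
                   '<PageContent Source="/Documents/1/Pages/1.fpage"/></FixedDocument>')
        z.writestr("Documents/1/Pages/1.fpage", SAMPLE_FPAGE)
    return buf.getvalue()


def list_parts(xps_bytes):
    """Return [(part name, uncompressed size)] like a stripped-down zipinfo."""
    with zipfile.ZipFile(io.BytesIO(xps_bytes)) as z:
        return [(info.filename, info.file_size) for info in z.infolist()]


def extract_xps_links(xps_bytes):
    """Return (links, text): links = [(page part, element, uri)] for every
    FixedPage.NavigateUri; text = visible Glyphs strings, in document order."""
    links, text = [], []
    with zipfile.ZipFile(io.BytesIO(xps_bytes)) as z:
        for info in z.infolist():
            if not info.filename.lower().endswith(".fpage"):
                continue
            if info.file_size > MAX_PART_BYTES:
                raise ValueError("part too large: %s" % info.filename)
            # For untrusted mail, parse with defusedxml instead of stdlib ET.
            root = ET.fromstring(z.read(info.filename))
            for elem in root.iter():
                local = elem.tag.rsplit("}", 1)[-1]  # strip the XPS namespace
                uri = elem.get("FixedPage.NavigateUri")  # unprefixed attr name
                if uri:
                    links.append((info.filename, local, uri))
                if local == "Glyphs" and elem.get("UnicodeString"):
                    text.append(elem.get("UnicodeString"))
    return links, text


def external_targets(links):
    """Keep only link targets that leave the document (http/https)."""
    return [uri for _, _, uri in links
            if urlparse(uri).scheme.lower() in ("http", "https")]


if __name__ == "__main__":
    data = build_sample_xps()
    for name, size in list_parts(data):
        print("%8d  %s" % (size, name))
    found, page_text = extract_xps_links(data)
    print("text:", page_text)
    print("external links:", external_targets(found))
```

Run against a real attachment by replacing build_sample_xps() with the bytes of the extracted part (msg0/Remittance Copy.xps in Bill's listing); anything external_targets() returns is what a user would be sent to when they click the picture.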