On 7 Aug 2018, at 15:31 (-0400), Martin Gregorie wrote:

On Tue, 2018-08-07 at 14:09 -0400, Alex wrote:

Anyone have ideas for viewing inside of an XPS file or otherwise
blocking phish attempts with xps attachments?

https://pastebin.com/KtMnNPAg

I don't think this is validly base64 encoded. I chopped it down to just
the supposed base64 text and fed it through the Linux base64 decode
utility, which gave up and said it isn't valid base 64 after decoding
about 150 characters.

Maybe check how you did that. Using the mimeexplode tool from the Perl MIME-Tools package:

# mimeexplode /tmp/xpsspam
Message: msg0 (/tmp/xpsspam)
    Part: msg0/msg-53100-1.txt (text/plain)
    Part: msg0/msg-53100-2.html (text/html)
    Part: msg0/Remittance Copy.xps (application/octet-stream)
# ls -lAR msg0/
total 720
-rw-r--r--  1 root  wheel  354446 Aug  7 16:49 Remittance Copy.xps
-rw-r--r--  1 root  wheel     336 Aug  7 16:49 msg-53100-1.txt
-rw-r--r--  1 root  wheel    4629 Aug  7 16:49 msg-53100-2.html
# file msg0/Remittance\ Copy.xps
msg0/Remittance Copy.xps: Zip archive data, at least v2.0 to extract
# zipinfo msg0/Remittance\ Copy.xps
Archive:  msg0/Remittance Copy.xps   354446 bytes   18 files
-rw----     4.5 fat     1063 b- defS  1-Jan-80 00:00 [Content_Types].xml
-rw----     4.5 fat      567 b- defS  1-Jan-80 00:00 _rels/.rels
-rw----     4.5 fat     3566 b- stor  1-Jan-80 00:00 docProps/thumbnail.jpeg
-rw----     4.5 fat      564 b- defS  1-Jan-80 00:00 docProps/core.xml
-rw----     4.5 fat      287 b- defS  1-Jan-80 00:00 Documents/1/_rels/FixedDoc.fdoc.rels
-rw----     4.5 fat      320 b- defS  1-Jan-80 00:00 FixedDocSeq.fdseq
-rw----     4.5 fat    55552 b- defN  1-Jan-80 00:00 Resources/31AB0740-4E67-23ED-1861-906DB2445D30.odttf
-rw----     4.5 fat    61580 b- defN  1-Jan-80 00:00 Resources/36F32615-19BB-2EEA-BD7D-5051E214FE53.odttf
-rw----     4.5 fat   266980 b- defN  1-Jan-80 00:00 Resources/128F6B1F-5739-13F9-6E4A-207A4466DE12.odttf
-rw----     4.5 fat     1346 b- defS  1-Jan-80 00:00 Documents/1/Pages/_rels/1.fpage.rels
-rw----     4.5 fat      282 b- defS  1-Jan-80 00:00 Documents/1/FixedDoc.fdoc
-rw----     4.5 fat     4990 b- defN  1-Jan-80 00:00 Documents/1/Structure/Fragments/1.frag
-rw----     4.5 fat    50574 b- defN  1-Jan-80 00:00 Documents/1/Pages/1.fpage
-rw----     4.5 fat     7042 b- stor  1-Jan-80 00:00 Resources/Images/image_0.png
-rw----     4.5 fat      290 b- stor  1-Jan-80 00:00 Resources/Images/image_1.png
-rw----     4.5 fat      481 b- stor  1-Jan-80 00:00 Resources/Images/image_2.png
-rw----     4.5 fat      386 b- defN  1-Jan-80 00:00 Documents/1/Structure/DocStructure.struct
-rw----     4.5 fat   527552 b- defN  1-Jan-80 00:00 Resources/01EC0564-4D18-6AF6-270E-667DA377AC79.odttf
18 files, 983422 bytes uncompressed, 350592 bytes compressed:  64.3%


The payload is not in that XPS document, which is just a picture that claims to be an Office365 document with a big "Open File" button. That region is linked to a URL (MUNGED: hxxps://ssllink(dot)me/1sta) which at present redirects to a Brazilian domain which yields a 500 reply with a "bandwidth exceeded" message. Presumably the payload used to be there...

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
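An added example, not code from the thread: it does in Python what the zipinfo session above does by hand, opening the XPS package as a zip, parsing the page markup, and pulling out the URL behind the clickable "Open File" region so a mail filter can check it against a URL blocklist rather than trusting the picture. The sample package and the lure.example URL are constructed for the demonstration; the attachment from the thread is not included.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XPS_NS = "http://schemas.microsoft.com/xps/2005/06"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def extract_xps_links(data: bytes) -> dict:
    """Return {part_name: [urls]} for every hyperlink target in an XPS package.

    XPS is an OPC zip: page markup (*.fpage) and relationship parts (*.rels)
    are plain XML, so no viewer is needed. Clickable regions carry a
    FixedPage.NavigateUri attribute; OPC relationships with
    TargetMode="External" are collected too. Fonts and images are never parsed.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".fpage", ".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # damaged or deliberately malformed part: skip, don't crash
            urls = []
            for el in root.iter():
                uri = el.get("FixedPage.NavigateUri")
                if uri:
                    urls.append(uri)
                elif el.tag == f"{{{REL_NS}}}Relationship" and el.get("TargetMode") == "External":
                    urls.append(el.get("Target", ""))
            if urls:
                found[name] = urls
    return found


# Constructed sample (not the attachment from the thread): one page whose
# "Open File" rectangle is a hyperlink, the shape of the lure described above.
SAMPLE_FPAGE = f"""<FixedPage xmlns="{XPS_NS}" Width="816" Height="1056" xml:lang="en-US">
  <Canvas FixedPage.NavigateUri="https://lure.example/1sta">
    <Path Fill="#FF2B579A" Data="M 300,500 L 516,500 516,560 300,560 z" />
  </Canvas>
</FixedPage>"""


def build_sample_xps() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Documents/1/Pages/1.fpage", SAMPLE_FPAGE)
        zf.writestr("Resources/Images/image_0.png", b"\x89PNG\r\n\x1a\n")  # binary, skipped
    return buf.getvalue()
```

Run `extract_xps_links(open("Remittance Copy.xps", "rb").read())` on a real attachment to list every part that carries an outbound link; the same function feeds a milter or SpamAssassin plugin that wants the URLs without rendering the page.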
