Sender: run.payroll.invoice@performancesales.com
Subject: ADP Payroll Invoice for week ending 06/24/2017 – 02414. Invoice: 06662222

Download Links:

• thepillownurse.net/file.php?document=[Base64 email address of recipient]
• thepillownurse.org/file.php?document=[Base64 email address of recipient]
• thepillownurse.info/file.php?document=[Base64 email address of recipient]
• THOMASGUYTON.COM/file.php?document=[Base64 email address of recipient]

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2017-06-26-Hancitor-pcap.zip

Shown above: Email with link to download Hancitor Word document

Shown above: Malicious Word document after downloaded from above link to start infection chain

ASSOCIATED DOMAINS AND IP ADDRESSES:

• 62.109.16.234 – thepillownurse.org GET /file.php?document=aW5mb0BiYS5jb20= – [HANCITOR DOC]
• 23.23.102.58 – api.ipify.org
• 146.120.110.121 – dintrolletone.com POST /ls5/forum.php
• 177.93.111.181 – pousadaruralsolardosventos.com GET /wp-content/plugins/google-maps-widget/1
• 176.31.200.66 – cajohnorro.com POST /bdl/gate.php
• 216.146.38.70 – checkip.dyndns.org
• 217.160.108.64 – ibericodirecto.com GET /wp-content/plugins/google-analytics-for-wordpress/31.exe – [SendSafe]

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic  associated with the Hancitor malspam

Shown above: Traffic looks like it is associated with Sendsafe malspammer downloaded from ibericodirecto.com [31.exe] during infection chain

MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM:

• Malicious Word document
  Virus Total
• 31.exe
  Virus Total