I get a lot of spam and I ask my ISP not to filter it; I am interested in what is getting thrown about. I have addresses going back to the late 90s. Some days I get nothing, other days tens of different spams.
In the past I have got hundreds, but I am guessing they are finally filtering out the really old addresses. Not to mention the number that arrive with a single character of the address replaced or missing; I think they have a real problem with data corruption. But what does it matter when you are sending a scattershot of tens of thousands and not expecting too many to stick?
It is quite rare that I get obvious malware attachments and I normally just mark them as spam. This time I decided to see what I could see.
The email attachment was a .doc file on the end of a short story about how I should check the supplied product list.
I saved the attachment and ran
file Product_list.doc
This told me it was an RTF (Rich Text Format) file, and the internet said I needed the rtfobj.py Python script to interrogate it.
https://github.com/decalage2/oletools/wiki/rtfobj
rtfobj.py -s all Product_list.doc
where -s all saves all the embedded files from the RTF file.
There were six files, all malware: a couple of .cmd files that set up the Windows registry to run the rest, which were .exe files.
Using file again showed they were Windows executables, PE32.
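As an added example (not code from this post, nor oletools' own), here is a minimal re-implementation of what rtfobj -s all does, so you can see where the "six files" were hiding: pull every \objdata destination out of the RTF, hex-decode it, parse the OLE 1.0 wrapper and, for an OLE Package, recover the dropped file's name and bytes so they can be typed (the MZ header that file reports as PE32) and hashed before anything is run. The RTF, the Package and the MZ stub are constructed sample data; the Package field layout follows the OLE 1.0 / OLE Package stream format as I understand it, and \bin raw-data runs are not handled.

```python
import binascii, hashlib, re, struct

def iter_objdata(rtf: bytes):
    """Yield the hex-decoded payload of every \\objdata destination (what rtfobj -s all writes out)."""
    for m in re.finditer(rb'\\objdata\b', rtf):
        depth, i, hexchars = 1, m.end(), bytearray()
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == 0x5c:  # backslash: skip the control word/symbol and any numeric parameter
                i += 1
                while i < len(rtf) and (rtf[i:i + 1].isalnum() or rtf[i] == 0x2d): i += 1
                continue
            depth += (c == 0x7b) - (c == 0x7d)  # '{' opens a nested group, '}' closes one
            if c in b'0123456789abcdefABCDEF': hexchars.append(c)
            i += 1
        yield binascii.unhexlify(bytes(hexchars[:len(hexchars) & ~1]))

def _lp_string(buf, off):  # OLE 1.0 LengthPrefixedAnsiString: DWORD length, then that many bytes (NUL included)
    n, = struct.unpack_from('<I', buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b'\0').decode('latin-1'), off + 4 + n

def parse_ole1(obj: bytes) -> dict:
    """Parse the OLE 1.0 object an \\objdata carries; if it is an OLE Package, unwrap the dropped file."""
    fmt, = struct.unpack_from('<I', obj, 4)  # FormatID after the DWORD OLEVersion: 2 = embedded, 1 = linked
    cls, off = _lp_string(obj, 8)
    for _ in range(2): _, off = _lp_string(obj, off)  # TopicName, ItemName (unused here)
    size, = struct.unpack_from('<I', obj, off)
    native, filename = obj[off + 4:off + 4 + size], None
    if cls == 'Package':  # WORD header, label\0, orig path\0, DWORD flags, DWORD len + temp path, DWORD len + data
        label, _src, rest = native[2:].split(b'\0', 2)
        tmp_len, = struct.unpack_from('<I', rest, 4)
        data_len, = struct.unpack_from('<I', rest, 8 + tmp_len)
        native, filename = rest[12 + tmp_len:12 + tmp_len + data_len], label.decode('latin-1')
    kind = 'PE32/MZ executable' if native.startswith(b'MZ') else 'script/other'
    return dict(format_id=fmt, class_name=cls, filename=filename, size=len(native), kind=kind,
                sha256=hashlib.sha256(native).hexdigest())

def triage_rtf(rtf: bytes) -> list:
    return [parse_ole1(o) for o in iter_objdata(rtf)]

def _package(label: bytes, payload: bytes) -> bytes:  # constructed OLE 1.0 embedded Package (sample data only)
    src = b'C:\\tmp\\' + label
    pkg = (struct.pack('<H', 2) + label + b'\0' + src + b'\0' + struct.pack('<II', 0x30000, len(src) + 1)
           + src + b'\0' + struct.pack('<I', len(payload)) + payload)
    lp = lambda s: struct.pack('<I', len(s) + 1) + s + b'\0'
    return struct.pack('<II', 0x501, 2) + lp(b'Package') + lp(b'') + lp(b'') + struct.pack('<I', len(pkg)) + pkg

FAKE_EXE = b'MZ' + b'\x90' * 62 + b'PE\0\0' + b'\0' * 20  # constructed stand-in for a dropped .exe, not a real binary
SAMPLE_RTF = (b'{\\rtf1\\ansi Please check the attached product list.\\par\n'
              b'{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata ' + binascii.hexlify(_package(b'mondi.exe', FAKE_EXE))
              + b'}}\n{\\object\\objemb{\\*\\objdata ' + binascii.hexlify(_package(b'setup.cmd', b'@echo off\r\n')) + b'}}}')
```

triage_rtf(open('Product_list.doc', 'rb').read()) gives one record per embedded object with its label, size, type guess and SHA-256, which is what you want to look up before running strings or objdump on anything.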
After running strings a few times I realised I needed something more focused on Windows binaries.
pip install -U oletools
gave me objdump and nm.
objdump --no-show-raw-insn -x -s -h -g -C -d -M intel Product_list.doc_mondi.exe | less
(read the help, all those options do make sense)
But sadly no fun URLs or API endpoints to poke at.
And all references came up as known malware, so a bit of a dead end, but I did have fun exploring.