Malicious Word Doc sends Nymaim, Info Stealer and more

ASSOCIATED DOMAINS:

  • 87.106.162.18 – chienenforme.com – GET /img/doc.exe – Nymaim DOWNLOAD
  • 54.186.122.88 – pfghmj.com – POST /s2ldhtwpb/index.php – Nymaim CHECK-IN
  • 54.186.122.88 – carvezine.com – POST /aipwf.php? – Nymaim POST INFECTION TRAFFIC
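A small way to put the indicators above to work on the defensive side: the Python below (an added example, not part of the original post) loads the three IOCs listed here and checks web-proxy log lines against them, scoring a host+path match higher than a bare destination-IP match (the two Nymaim hosts share one IP, so an IP-only hit needs a manual look). It also flags downloads named doc.exe or office.exe from any host, since the post notes both names. The log format and every log line are constructed for this example and assumed, not taken from the post.

```python
"""Match web-proxy log lines against the Nymaim indicators listed in this post."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators taken from the post: destination IP, host, method, URI path, label.
NYMAIM_IOCS = [
    {"ip": "87.106.162.18", "host": "chienenforme.com", "method": "GET",
     "path": "/img/doc.exe", "desc": "Nymaim DOWNLOAD"},
    {"ip": "54.186.122.88", "host": "pfghmj.com", "method": "POST",
     "path": "/s2ldhtwpb/index.php", "desc": "Nymaim CHECK-IN"},
    {"ip": "54.186.122.88", "host": "carvezine.com", "method": "POST",
     "path": "/aipwf.php", "desc": "Nymaim POST INFECTION TRAFFIC"},
]

# Executable names the post associates with Nymaim downloads (weak indicator on their own).
NYMAIM_EXE_NAMES = {"doc.exe", "office.exe"}

# Assumed proxy log layout (constructed for this example, not a real product's format):
# <timestamp> <client_ip> <dst_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Hit:
    client: str       # internal host that made the request
    desc: str         # which indicator from the post it matched
    matched_on: str   # "host+path" (strong), "filename" or "ip" (weak, verify manually)


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the log line touches a listed indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    path = parts.path
    # Strongest evidence: host and URI path together (query string is ignored on purpose,
    # because the post shows the POST-infection URI carrying a variable query).
    for ioc in NYMAIM_IOCS:
        if host == ioc["host"] and path == ioc["path"]:
            return Hit(m["client"], ioc["desc"], "host+path")
    # Weaker: an executable with one of the download names the post mentions, any host.
    if m["method"] == "GET" and path.rsplit("/", 1)[-1].lower() in NYMAIM_EXE_NAMES:
        return Hit(m["client"], "Nymaim DOWNLOAD (executable name only)", "filename")
    # Weakest: destination IP alone; the two Nymaim hosts share 54.186.122.88.
    for ioc in NYMAIM_IOCS:
        if m["dst"] == ioc["ip"]:
            return Hit(m["client"], ioc["desc"] + " (IP only)", "ip")
    return None


def scan(lines) -> List[Hit]:
    """Run classify over an iterable of log lines and keep the hits in order."""
    return [h for h in (classify(l) for l in lines) if h is not None]


# Constructed sample log; timestamps and client IPs are made up for the example.
SAMPLE_LOG = """\
T1 10.0.0.5 87.106.162.18 GET http://chienenforme.com/img/doc.exe 200
T2 10.0.0.5 54.186.122.88 POST http://pfghmj.com/s2ldhtwpb/index.php 200
T3 10.0.0.5 54.186.122.88 POST http://carvezine.com/aipwf.php?k=1 200
T4 10.0.0.7 203.0.113.9 GET http://unrelated.example/dl/office.exe 200
T5 10.0.0.8 198.51.100.4 GET http://example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client}: {hit.desc} [{hit.matched_on}]")
```

Run as a script it prints four hits for the sample log: three strong host+path matches from the infected 10.0.0.5 and one weak filename-only match from 10.0.0.7; the clean request is ignored. Treat "ip" and "filename" hits as leads to confirm, not as verdicts.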


DETAILS and IMAGES:

Shown above: Malicious Word document attempting to trick the user into clicking Enable Content [MACROS]


Shown above: Nymaim executable download “doc.exe”. Nymaim is also known to use office.exe in its downloads.


Shown above: Nymaim post infection traffic with its “index.php” URI pattern, along with other post infection traffic


Shown above: Nymaim install directory along with the registry entry used for start-up persistence


PAYLOAD FROM MALICIOUS WORD DOCUMENT: