# **20240617 - Malicious Social-Engineering Email Analysis**
On-site evidence collection: at the victim's site the incident was established to be theft of the fan page (Facebook Page) credentials followed by fraudulent credit-card charges. Preliminary analysis and evidence collection on the victim's machine recovered the complete malicious social-engineering email; its header and body are reproduced below (some data has been modified for confidentiality).
Analysis tools: 1. Notepad++, to open the raw message for manual analysis; 2. an online email header analysis tool.
```
Delivered-To: jimmy-test@gmail.com
Received: by 2002:a05:7022:eca:b0:7e:e176:93ee with SMTP id dz10csp2127716dlb;
Sat, 15 Jun 2024 05:03:28 -0700 (PDT)
X-Received: by 2002:a25:6887:0:b0:df4:d79d:4f82 with SMTP id 3f1490d57ef6-dff1539e416mr5228204276.18.1718453008576;
Sat, 15 Jun 2024 05:03:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1718453008; cv=none;
d=google.com; s=arc-20160816;
b=zggoV+GIQsMplskO6/GfsF8UGEr8kMjRwbDgCmvt9FS2FhNTJ/nUMoWUCKF1u+5hPh
DFL6fIDiP3MIOV2itgDiC+2sp/n7UFgfm6uL5dv6EfxcQ/Smk5YShi+bm0zdkwEQqyTO
385kzvPz3xUky8YPy4Xk/1QzEHj8ezz8UmdmXD2rMjGOT+w3ruaHi9x9kmQAGjkRDUCS
GlUFffjibxxHz84BS1m1wb8JMnVt2Q2O8nCLcDpvjGCFrbWNm5QCpYfl6Alm9vkWTllQ
Fq4XoRdih6WTO/Ccl1KszIJYc6X1OQKW4lOOQQx6KaVqx4TXURCbUEgHlLgHk1Zgz/sq
vw9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:dkim-signature;
bh=kia3GyG5lK+ZxIA/6Gz9eRChlb+PWzpzDWwJ3Q0DYnU=;
fh=b6tFhimzccGX3hX7GR7U8d10QMXv6h39I0OVysYX3lk=;
b=dkOC1C7lDAYIRXYmd3f4mGA87L3JFj9Kpd+SYWAdky6Sp+sNAihd2XVUWsx44W9qgL
Db0EamV2MNTQDw44RQYbmBeTzNdTmk4v0J2sAK5PN5seGY1QBX8ZX6htHkic1+zSbb+4
F5up9L6HkebiQtzJVWXLEkUUQ5xIuGlJBxEPDl1FwBcj9+tPx7qGbkgkBi0EB/DHroQn
eCgsnnhBbXWYQ21wGVUIviETxtanJWYPEs92FCaFhoE9w/RGKiq/5aL/A22qwTPUZV4w
4hvvJvhZLyEbtqsgsD9DWVD0u7LnHV5qbzb6xo/9hCOdyIiMNGVo2ygWjaZO0KkQ9l2K
bTjQ==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=Rel8wtIJ;
spf=pass (google.com: domain of coffee.tw@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=coffee.tw@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <coffee.tw@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id 3f1490d57ef6-dff041fece9sor1123878276.0.2024.06.15.05.03.28
for <jimmy-test@gmail.com>
(Google Transport Security);
Sat, 15 Jun 2024 05:03:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of coffee.tw@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=Rel8wtIJ;
spf=pass (google.com: domain of coffee.tw@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=coffee.tw@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1718453008; x=1719057808; dara=google.com;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:from:to:cc:subject:date:message-id:reply-to;
bh=kia3GyG5lK+ZxIA/6Gz9eRChlb+PWzpzDWwJ3Q0DYnU=;
b=Rel8wtIJJF7MIQCLLZ9sNgEJ0Zl+xwtsQZjwsh8e5Y6GOnRhKse091hIG5/CZyFwoq
EyT+iAex4AZJeLvWwTwQraBwnpvlEgFi90BKunNj5n257f65d6Cj1ydL9eU5T1LE/UvM
xupyKjlI4Z7AwsMaCiI6nHtD4RIDBnebP1hJEGEuIrA4yaGDM/Q38kZl2uYWKFr9g9Qd
jTBXvOso1WGxkG5jNAglp9ZL3gQig7rOxbNMp+Dw4RdVqXoWIwCh34t8mc8tZ+yhUwTf
exJsc33GYAgsQavzquCvm4/waAn2bI2estu7YRfgyMriD5Xfophs5R/TELgoAPVYCN6X
3/ig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1718453008; x=1719057808;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=kia3GyG5lK+ZxIA/6Gz9eRChlb+PWzpzDWwJ3Q0DYnU=;
b=sQlcsWPeQudX7rDGznRLEG3X0XtDki/1tg+6BkVpIm/eZO3XrPWV5USngG/dw/6NnJ
Uf3Q83MJx6dckYUjLs9sCgkBIMBAIn7tdCCqOogbZpI8Zlk8csECKhGMMHpDlsdFxze7
jGben7CQc65vhZLib4skaDe45dRTCIFQFw81u7JTQTeoT2TKZoLFUO7oJkIDsVVoAR+l
UL7ZylDKQDfccWnLRckDLFlfXxCgG+n96Va/SrMfglbvLgROFiKZYkBLSrAYtpDvVyYS
RpipTGUGt06XCplpwFWkP5I0FEZZxWL3DHDs8sEsxYvPyy/vPS0vES3TWxDg+H4BIjas
aNpQ==
X-Gm-Message-State: AOJu0YyxSB/b7VCRcmPOszAN+OEJa96OdxubKLi+1W4fGIiWYDTLC2Mj 5nHlpZu4eaf9zFwZr1PV7RJHp0CgLSwRDvEKFQkLJzENk6taZVJqJeSXy+W+/kBibVGoreazFnB 0cmZROvAUJHRW+8V0MiPgZDtHandL2w==
X-Google-Smtp-Source: AGHT+IEbUON8co01DYFJtJLu/95Gzn41RCa6vACDBadnLMHhj7VJ71WNDQ+NQyWAyzmmOWDgzYyPSMovkT8kJlLFD6U=
X-Received: by 2002:a25:d8d6:0:b0:dff:2d17:2fd1 with SMTP id 3f1490d57ef6-dff2d173103mr850791276.5.1718453007645; Sat, 15 Jun 2024 05:03:27 -0700 (PDT)
MIME-Version: 1.0
References: <autogen-java-25c751b4-21e5-48e3-ba6b-e80fd2ee8cdb@google.com>
In-Reply-To: <autogen-java-25c751b4-21e5-48e3-ba6b-e80fd2ee8cdb@google.com>
From: "一塊小宇宙" <coffee.tw@gmail.com>
Date: Sat, 15 Jun 2024 20:03:15 +0800
Message-ID: <CACMHMKLu3d89rTPudjY0eORJUpTqz19mpiTj-J5D+meUpYDjjA@mail.gmail.com>
Subject: Fwd: 關於使用Believe In Music International Limited擁有版權的圖像和影片的侵權通知
To: jimmy-test@gmail.com
Content-Type: multipart/alternative; boundary="0000000000001589d3061aec8549"
--0000000000001589d3061aec8549
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64

[base64-encoded text/plain body removed]
--0000000000001589d3061aec8549
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"auto"></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" cla=
ss=3D"gmail_attr">---------- Forwarded message ---------<br>=E5=AF=84=E4=BB=
=B6=E8=80=85=EF=BC=9A <strong class=3D"gmail_sendername" dir=3D"auto">=E6=
=9D=B0=E5=A8=81=E5=B0=94=E9=9F=B3=E4=B9=90=E6=9C=89=E9=99=90=E5=85=AC - B&#=
39;in Music Marketing Manager</strong> <span dir=3D"auto"><<a href=3D"ma=
ilto:leducsangmin@gmail.com">leducsangmin@gmail.com</a>></span><br>Date:=
2024=E5=B9=B46=E6=9C=8811=E6=97=A5 =E9=80=B1=E4=BA=8C 12:12<br>Subject: =
=E9=97=9C=E6=96=BC=E4=BD=BF=E7=94=A8Believe In Music International Limited=
=E6=93=81=E6=9C=89=E7=89=88=E6=AC=8A=E7=9A=84=E5=9C=96=E5=83=8F=E5=92=8C=E5=
=BD=B1=E7=89=87=E7=9A=84=E4=BE=B5=E6=AC=8A=E9=80=9A=E7=9F=A5<br>To: <<a=
href=3D"mailto:coffee.tw@gmail.com">coffee.tw@gmail.com</a>&=
gt;<br></div><br><br><div><span style=3D"font-family:terminal,monaco,monosp=
ace;font-size:10pt"> <img style=3D"display:block;margin-left:auto;margin-ri=
ght:auto" src=3D"https://share1.cloudhq-mkt3.net/4da3109fb9bc89.png" alt=3D=
"" width=3D"268" height=3D"132"> </span></div>
<p>=C2=A0</p>
<table style=3D"background-color:#ffffff;border:1px solid #dddddd;border-co=
llapse:collapse;border-spacing:0px;box-sizing:inherit;font-style:inherit;fo=
nt-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inh=
erit;font-family:inherit;font-kerning:inherit;font-feature-settings:inherit=
;font-size:100%;margin:0px auto;max-width:680px;padding:0px;text-align:cent=
er;vertical-align:baseline;width:57.2315%;height:395px">
<tbody style=3D"border:0;box-sizing:inherit;font:inherit;font-size:100%;mar=
gin:0;padding:0;vertical-align:baseline">
<tr style=3D"border:0px;box-sizing:inherit;font-style:inherit;font-variant:=
inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-f=
amily:inherit;font-kerning:inherit;font-feature-settings:inherit;font-size:=
100%;margin:0px;padding:0px;vertical-align:baseline;height:10px">
<td style=3D"border-width:0px 0px 1px;box-sizing:inherit;font-style:inherit=
;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:=
inherit;font-family:inherit;font-kerning:inherit;font-feature-settings:inhe=
rit;font-size:100%;margin:0px;padding:0px;vertical-align:middle;height:10px=
;text-align:left" align=3D"left"><span style=3D"font-family:terminal,monaco=
,monospace;font-size:10pt">=C2=A0</span></td>
</tr>
<tr style=3D"border:0px;box-sizing:inherit;font-style:inherit;font-variant:=
inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-f=
amily:inherit;font-kerning:inherit;font-feature-settings:inherit;font-size:=
100%;margin:0px;padding:0px;vertical-align:baseline;height:375px">
<td style=3D"border:0px;box-sizing:inherit;font-style:inherit;font-variant:=
inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-f=
amily:inherit;font-kerning:inherit;font-feature-settings:inherit;font-size:=
100%;margin:0px;padding:0px 0px 0px 40px;vertical-align:middle;height:375px=
;text-align:left">
<p><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E4=
=BD=A0=E5=A5=BD=EF=BC=88<a href=3D"mailto:coffee.tw@gmail.com" targe=
t=3D"_blank" rel=3D"noreferrer">coffee.tw@gmail.com</a>=EF=BC=89=EF=
=BC=8C</span></p>
<p><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E6=
=88=91=E6=98=AF=E7=9B=B8=E4=BF=A1=E9=9F=B3=E6=A8=82=E5=9C=8B=E9=9A=9B=E6=9C=
=89=E9=99=90=E5=85=AC=E5=8F=B8=E7=9A=84=E7=89=88=E6=AC=8A=E5=92=8C=E8=B3=87=
=E6=96=99=E4=BF=9D=E8=AD=B7=E7=B6=93=E7=90=86=E3=80=82</span> <br><span sty=
le=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E6=AD=A4=E4=BF=
=A1=E5=87=BD=E7=B6=93=E5=85=AC=E5=8F=B8=E6=8E=88=E6=AC=8A=E5=AF=84=E7=B5=A6=
=E6=82=A8=E3=80=82</span></p>
<p><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E6=
=88=91=E5=80=91=E7=99=BC=E7=8F=BE=E4=B8=A6=E6=B3=A8=E6=84=8F=E5=88=B0=E6=82=
=A8=E7=9A=84 Facebook =E5=92=8C Instagram =E5=BB=A3=E5=91=8A=E4=B8=AD=E5=8C=
=85=E5=90=AB=E7=9A=84=E4=B8=80=E4=BA=9B=E5=9C=96=E7=89=87=E5=92=8C=E5=BD=B1=
=E7=89=87=EF=BC=88=E8=A6=8B=E4=B8=8B=E6=96=87=EF=BC=89=E4=BE=B5=E7=8A=AF=E4=
=BA=86=E6=88=91=E5=80=91=E7=9A=84=E7=89=88=E6=AC=8A=E3=80=82</span></p>
<p><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E9=
=81=95=E8=A6=8F=E8=80=85=EF=BC=9A(=E4=B8=80=E5=A1=8A=E5=B0=8F=E5=AE=87=E5=
=AE=99 - =E5=92=96=E5=95=A1=E5=A1=8A)=EF=BC=9B</span></p>
<p><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E8=
=87=89=E6=9B=B8 UID=EF=BC=9A=EF=BC=88117222964692920=EF=BC=89</span></p>
<p><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E6=
=88=91=E5=80=91=E8=A6=81=E6=B1=82=E6=82=A8=E6=9F=A5=E7=9C=8B=E4=B8=8B=E9=9D=
=A2=E6=89=80=E9=99=84=E7=9A=84=E9=81=95=E8=A6=8F=E8=AD=89=E6=93=9A=EF=BC=8C=
=E4=B8=A6=E5=9C=A8=E6=8E=A5=E4=B8=8B=E4=BE=86=E7=9A=84 24 =E5=B0=8F=E6=99=
=82=E5=85=A7=E5=BE=9E=E6=82=A8=E6=8E=A8=E5=BB=A3=E7=9A=84=E8=B2=BC=E6=96=87=
=E4=B8=AD=E5=88=AA=E9=99=A4=E9=80=99=E4=BA=9B=E4=BE=B5=E6=AC=8A=E5=9C=96=E7=
=89=87=E5=92=8C=E5=BD=B1=E7=89=87=E3=80=82=E5=A6=82=E6=9E=9C=E6=88=91=E5=80=
=91=E7=A2=BA=E8=AA=8D=E6=82=A8=E7=9A=84=E5=9C=96=E7=89=87=E5=92=8C=E5=BD=B1=
=E7=89=87=E6=9C=AA=E8=A2=AB=E5=88=AA=E9=99=A4=EF=BC=8C=E6=88=91=E5=80=91=E5=
=B0=87=E8=81=AF=E7=B9=AB=E5=BE=8B=E5=B8=AB=E6=94=B6=E9=9B=86=E8=AD=89=E6=93=
=9A=E5=92=8C=E8=B3=87=E8=A8=8A=E4=BB=A5=E8=A7=A3=E6=B1=BA=E6=B3=95=E5=BE=8B=
=E5=95=8F=E9=A1=8C=E3=80=82</span></p>
<p><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=E6=
=87=87=E8=AB=8B=E6=82=A8=E9=85=8D=E5=90=88=EF=BC=8C=E4=BB=A5=E5=85=8D=E5=BC=
=95=E8=B5=B7=E4=B8=8D=E5=BF=85=E8=A6=81=E7=9A=84=E6=B3=95=E5=BE=8B=E7=B3=BE=
=E7=B4=9B=E3=80=82</span></p>
<p>=C2=A0</p>
<div class=3D"gmail_chip gmail_drive_chip" style=3D"width:320px;height:15px=
;max-height:28px;background-color:#f5f5f5;margin:5px 2px;padding:9px;color:=
#222222;font:350 12px/12px 'Google Sans',sans-serif;border:2px soli=
d #dddddd"><span style=3D"font-family:terminal,monaco,monospace;font-size:1=
0pt"> <a style=3D"color:#202124;display:inline-block;max-width:3000px;overf=
low:hidden;text-overflow:ellipsis;white-space:nowrap;text-decoration:none;b=
order:none" href=3D"https://s.net.vn/jcLp" rel=3D"noopener noreferrer" aria=
-label=3D"=C2=A0=E4=BE=B5=E7=8A=AF=E7=89=88=E6=AC=8A=E7=9A=84=E7=85=A7=E7=
=89=87=E5=92=8C=E8=A6=96=E9=A0=BB=E8=AD=89=E6=93=9A - B'in Music.pdf" t=
arget=3D"_blank"> <img style=3D"vertical-align:text-bottom;border:none;padd=
ing-right:1px;height:11px" src=3D"https://www.offidocs.com/images/pdflogoad=
obe.jpg" alt=3D"" width=3D"31"> <strong>=E4=BE=B5=E7=8A=AF=E6=AC=8A=E5=88=
=A9=E7=9A=84=E7=85=A7=E7=89=87=E5=92=8C=E5=BD=B1=E7=89=87=E8=AD=89=E6=93=9A=
<span dir=3D"ltr" style=3D"vertical-align:bottom;text-decoration:none">- B=
'in Music.pdf</span> </strong> </a> <img style=3D"padding-left:10px;wid=
th:20px;height:20px;float:right;display:none" aria-label=3D"X=C3=B3a t=E1=
=BB=87p =C4=91=C3=ADnh k=C3=A8m"> </span></div>
<br><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt"> <=
br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0=E4=BB=8A=E5=A4=A9=EF=BC=8C2024 =E5=B9=B4 6 =E6=9C=88 11 =
=E6=97=A5 <br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0=E7=9B=B8=E4=BF=A1=E9=9F=B3=E6=A8=82=E5=9C=8B=E9=
=9A=9B=E8=82=A1=E4=BB=BD=E6=9C=89=E9=99=90=E5=85=AC=E5=8F=B8 <br>=C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0=E5=9F=B7=E8=A1=8C=E9=95=B7=E9=99=B3=E9=98=BF=E6=A3=AE=EF=BC=88=E7=B0=BD=
=E5=90=8D=EF=BC=89 </span> <br>
<table style=3D"border:0px;border-collapse:collapse;border-spacing:0px;box-=
sizing:inherit;display:inline-block;font-style:inherit;font-variant:inherit=
;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:i=
nherit;font-kerning:inherit;font-feature-settings:inherit;font-size:100%;ma=
rgin:0px;padding:10px 20px;text-align:center;vertical-align:baseline;width:=
603px;height:147px">
<tbody style=3D"border:0;box-sizing:inherit;font:inherit;font-size:100%;mar=
gin:0;padding:0;vertical-align:baseline">
<tr style=3D"border:0px;box-sizing:inherit;font-style:inherit;font-variant:=
inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-f=
amily:inherit;font-kerning:inherit;font-feature-settings:inherit;font-size:=
100%;margin:0px;padding:0px;vertical-align:baseline;height:10px">
<td style=3D"border-width:0px 0px 1px;box-sizing:inherit;font-style:inherit=
;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:=
inherit;font-family:inherit;font-kerning:inherit;font-feature-settings:inhe=
rit;font-size:100%;margin:0px;padding:0px;vertical-align:middle;height:10px=
;width:602.969px">=C2=A0</td>
</tr>
<tr style=3D"border:0px;box-sizing:inherit;font-style:inherit;font-variant:=
inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-f=
amily:inherit;font-kerning:inherit;font-feature-settings:inherit;font-size:=
100%;margin:0px;padding:0px;vertical-align:baseline;height:137px">
<td style=3D"border:0px;box-sizing:inherit;font-style:inherit;font-variant:=
inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-f=
amily:inherit;font-kerning:inherit;font-feature-settings:inherit;font-size:=
100%;margin:0px;padding:0px;vertical-align:middle;height:137px;width:602.96=
9px"><span style=3D"font-family:terminal,monaco,monospace;font-size:10pt">=
=C2=A0 =C2=A0 <img src=3D"https://share1.cloudhq-mkt3.net/f9332bebdfa637.pn=
g" alt=3D"" width=3D"543" height=3D"136"> </span> <br><br><span style=3D"fo=
nt-family:terminal,monaco,monospace;font-size:10pt">=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 <span style=3D"font-st=
yle:inherit;font-variant-ligatures:inherit;font-variant-caps:inherit;font-w=
eight:inherit">=C2=A0</span> <span style=3D"text-align:start"> <br></span> =
</span></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr style=3D"height:10px">
<td style=3D"border:0px;box-sizing:inherit;font-style:inherit;font-variant:=
inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-f=
amily:inherit;font-kerning:inherit;font-feature-settings:inherit;font-size:=
100%;margin:0px;padding:0px;vertical-align:middle;height:10px"><span style=
=3D"font-family:terminal,monaco,monospace;font-size:10pt">=C2=A0</span></td=
>
</tr>
</tbody>
</table>
<p>=C2=A0</p>
<div style=3D"text-align:center"><span style=3D"font-family:terminal,monaco=
,monospace;font-size:10pt">=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0</span> <br><=
span style=3D"font-family:terminal,monaco,monospace;font-size:10pt"> <em>=
=E7=9B=B8=E4=BF=A1=E9=9F=B3=E6=A8=82=E7=89=88=E6=AC=8A=E6=89=80=E6=9C=89=EF=
=BD=9C=C2=A9 2024 B=E2=80=99in Music All Rights Reserved.</em> </span> <br>=
<span style=3D"font-family:terminal,monaco,monospace;font-size:10pt"> <em>=
=E9=9D=9E=E5=AE=98=E6=96=B9=E6=8E=88=E6=AC=8A=EF=BC=8C=E4=B8=8D=E5=BE=97=E4=
=BD=BF=E7=94=A8=E6=9C=AC=E7=B6=B2=E7=AB=99=E7=9A=84=E6=89=80=E6=9C=89=E4=BF=
=A1=E6=81=AF=E8=B3=87=E6=96=99</em> </span></div>
<div style=3D"font-family:'Google Sans',Roboto,RobotoDraft,Helvet=
ica,Arial,sans-serif;display:flex;width:154px;border-radius:5px;border:1px =
solid #cfcfcf;background-color:white">
<a href=3D"https://merge.email/?utm_source=3Dwatermark&utm_medium=3De=
mail&utm_campaign=3DGmail-Powered%20Email%20Marketing" style=3D"text-de=
coration:none" target=3D"_blank" rel=3D"noreferrer">
<table border=3D"0" cellpadding=3D"4" cellspacing=3D"0" style=3D"width:=
100%">
<tbody>
<tr style=3D"line-height:0">
<td>
<img alt=3D"Mail Merge for Gmail" width=3D"40" height=3D"40" sr=
c=3D"https://merge-d78e7.web.app/mail-merge-for-gmail.gif">
</td>
<td>
<span style=3D"color:#777;font-size:10px;line-height:16px;paddi=
ng-right:5px">made and sent with</span>
<br>
<a href=3D"https://merge.email/?utm_source=3Dwatermark&utm_=
medium=3Demail&utm_campaign=3DGmail-Powered%20Email%20Marketing" style=
=3D"color:#717171;font-weight:bold;text-decoration:none;line-height:16px" t=
arget=3D"_blank" rel=3D"noreferrer">Mail Merge</a>
</td>
</tr>
</tbody>
</table>
</a>
</div>
<table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" style=3D"margin-t=
op:15px;background-color:white">
<tbody>
<tr style=3D"line-height:0">
<td>
<a href=3D"https://merge.email/?utm_source=3Dwatermark&utm_medi=
um=3Demail&utm_campaign=3DGmail-Powered%20Email%20Marketing" style=3D"f=
ont-size:14px;color:#007ce9;padding-left:2px" target=3D"_blank" rel=3D"nore=
ferrer">
Gmail-Powered Email Marketing
<u></u>
<u></u>
<u></u>
<u></u>
</a>
</td>
</tr>
</tbody>
</table>
<img src=3D"https://us-central1-gmailmerge.cloudfunctions.net/trackingLogge=
r/eyJzZSI6ImxlZHVjc2FuZ21pbkBnbWFpbC5jb20iLCJzcCI6IjFCOUNmbzhkVTVSaVlsZ084T=
0lpNnRfclExU2xqcm8xR19ra3FVNk83TUg4Iiwic2giOiIwIiwiY2EiOiJmOWM2NyIsInJlIjoi=
dW5pb25lLmNvZmZlZS50d0BnbWFpbC5jb20ifQ=3D=3D" width=3D"0" height=3D"0" styl=
e=3D"height:0px!important;max-height:0px!important;max-width:0px!important;=
width:0px!important"></div>
--0000000000001589d3061aec8549--
```
---
Analysis of the message and extraction of the anomalous parts

The message contains Base64-encoded content; it was decoded with the online Base64 decoder at
https://www.base64decode.org/

Suspicious link:
https://s[.]net[.]vn/jcLp

The suspicious link was analyzed with Browserling and the Windows Sandbox.
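The manual steps above (reading the header, decoding the body, pulling out the link) can be scripted so that the same checks run on every forwarded "copyright notice" a helpdesk receives. The following is an added example, not code from the original report. It assumes the raw message is available as an RFC 5322 string; `SAMPLE_MESSAGE` is a constructed, trimmed copy of the dump above (ARC/DKIM signatures dropped, HTML body reduced to the forwarded-sender line, the lure link and one remote image), and `SHORTENERS` is a constructed list that contains the shortener seen in this case. The point it makes is the one this case turns on: DKIM, SPF and DMARC all pass because the forwarding Gmail account genuinely sent the message, so authentication says nothing about the address inside the forwarded body, and the "PDF" link is a shortener URL with no `.pdf` behind it.

```python
"""Triage of a forwarded phishing e-mail (added example, not part of the report)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: headers copied from the report's dump, signatures removed,
# HTML body cut down to the parts that matter for triage (still quoted-printable).
SAMPLE_MESSAGE = """\
Delivered-To: jimmy-test@gmail.com
Authentication-Results: mx.google.com;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=Rel8wtIJ;
 spf=pass (google.com: domain of coffee.tw@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=coffee.tw@gmail.com;
 dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <coffee.tw@gmail.com>
From: =?UTF-8?B?5LiA5aGK5bCP5a6H5a6Z?= <coffee.tw@gmail.com>
Date: Sat, 15 Jun 2024 20:03:15 +0800
Subject: Fwd: copyright infringement notice (subject translated)
To: jimmy-test@gmail.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0000000000001589d3061aec8549"

--0000000000001589d3061aec8549
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div>---------- Forwarded message ---------<br>From: <strong>B&#39;in Music Mar=
keting Manager</strong> <a href=3D"mailto:leducsangmin@gmail.com">leducsangmi=
n@gmail.com</a></div>
<p>=E4=BD=A0=E5=A5=BD</p>
<a href=3D"https://s.net.vn/jcLp" aria-label=3D"B'in Music.pdf">=E8=AD=89=E6=
=93=9A - B'in Music.pdf</a>
<img src=3D"https://share1.cloudhq-mkt3.net/4da3109fb9bc89.png" width=3D"268">
--0000000000001589d3061aec8549--
"""

AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Constructed list; s.net.vn is the shortener used in this case.
SHORTENERS = {"s.net.vn", "bit.ly", "tinyurl.com"}


class LinkCollector(HTMLParser):
    """Collects anchors (href, visible text, aria-label) and image sources from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = {"href": a["href"], "label": a.get("aria-label", ""), "text": ""}
            self.links.append(self._open)
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data


def triage(raw):
    """Parse headers and body, return the facts an analyst compares by hand."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    m = ADDR_RE.search(str(msg.get("From", "")))
    from_addr = m.group(0).lower() if m else ""

    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector.feed(body.get_content())  # decodes quoted-printable/base64 + charset

    forwarded, shortened, lures, image_hosts = [], [], [], []
    for link in collector.links:
        href, parsed = link["href"], urlparse(link["href"])
        if parsed.scheme == "mailto":  # addresses quoted inside the forwarded body
            for addr in ADDR_RE.findall(href):
                if addr.lower() != from_addr and addr.lower() not in forwarded:
                    forwarded.append(addr.lower())
            continue
        host = (parsed.hostname or "").lower()
        if host in SHORTENERS and href not in shortened:
            shortened.append(href)
        shown = (link["text"] + " " + link["label"]).lower()
        # Link is presented as a PDF but the URL path does not end in .pdf.
        if ".pdf" in shown and not parsed.path.lower().endswith(".pdf") and href not in lures:
            lures.append(href)
    for src in collector.images:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in image_hosts:
            image_hosts.append(host)
    return {"auth": auth, "from": from_addr, "forwarded_senders": forwarded,
            "shortened_links": shortened, "file_lures": lures, "image_hosts": image_hosts}


def verdict(report):
    """Human-readable reasons for escalation; an empty list means nothing stood out."""
    reasons = []
    if all(report["auth"].get(k) == "pass" for k in ("dkim", "spf", "dmarc")) and report["forwarded_senders"]:
        reasons.append("auth results only vouch for the forwarding account %s; the lure came from %s"
                       % (report["from"], ", ".join(report["forwarded_senders"])))
    if report["shortened_links"]:
        reasons.append("URL shortener hides the destination: " + ", ".join(report["shortened_links"]))
    if report["file_lures"]:
        reasons.append("link shown as a PDF does not point at a .pdf: " + ", ".join(report["file_lures"]))
    return reasons


if __name__ == "__main__":
    for reason in verdict(triage(SAMPLE_MESSAGE)):
        print("-", reason)
```

Run against the full dump instead of the sample and the same three findings come out; the remote-image hosts are reported as well because the tracking-pixel URL at the end of the body tells the sender when the message was opened.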



This finally led to the malicious file:
侵犯版權的照片和視頻證據 - B'in Music.zip (translated: "Evidence of copyright-infringing photos and videos - B'in Music.zip")
---
Malicious file
侵犯版權的照片和視頻證據 - B'in Music.zip
MD5: 57c5fda071cf977251cfdbf9eb08e2b5
---
Malware analysis follows.
Analysis relationship graph (figure)

Online analysis conclusion:
```
侵犯版權的照片和視頻證據 - B'in Music.zip is being detected.
The following file contain inside the zip:
msimg32.dll with md5:6E01E13C33D0EF84EC2E7C95CB7CF5DC is being detected as W32/Kryptik.HXGS!tr
```
Analysis complete: the sample belongs to the Remcos family, a widely distributed RAT.
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
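The two hashes above are the indicators a defender would actually match on, and the fact that a DLL carrying a Windows system library name (`msimg32.dll` lives in System32 on a normal install) arrives inside an archive presented as "evidence" is a signal on its own. The following is an added example, not code from the report: it hashes every member of a zip in memory without extracting to disk, matches the two MD5 values from this case, and flags system-DLL names and executable members. The sample archive it builds is constructed; its `msimg32.dll` member is deliberately empty so that the stand-in hash (MD5 of zero bytes) is known in advance, and `SYSTEM_DLL_NAMES` is a constructed short list.

```python
"""Archive IoC scan for the zip described in the report (added example)."""
import hashlib
import io
import zipfile

# IoCs from the report, normalised to lowercase hex.
REPORT_IOC_MD5 = {
    "57c5fda071cf977251cfdbf9eb08e2b5": "侵犯版權的照片和視頻證據 - B'in Music.zip",
    "6e01e13c33d0ef84ec2e7c95cb7cf5dc": "msimg32.dll (W32/Kryptik.HXGS!tr, Remcos)",
}
# Constructed list of library names that normally live in System32; one of them
# inside a document-themed archive is worth an alert even without a hash match.
SYSTEM_DLL_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd")
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes (constructed stand-in)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def scan_archive(zip_bytes, known_bad):
    """Hash the archive and each member in memory; return members and alerts."""
    report = {"archive_md5": md5_hex(zip_bytes), "members": [], "alerts": []}
    if report["archive_md5"] in known_bad:
        report["alerts"].append("archive: MD5 matches %s" % known_bad[report["archive_md5"]])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = md5_hex(zf.read(info))       # read into memory, never extract
            report["members"].append((info.filename, digest))
            base = info.filename.rsplit("/", 1)[-1].lower()
            if digest in known_bad:
                report["alerts"].append("%s: MD5 matches %s" % (info.filename, known_bad[digest]))
            if base in SYSTEM_DLL_NAMES:
                report["alerts"].append("%s: system DLL name shipped inside an archive" % info.filename)
            if base.endswith(EXECUTABLE_EXT):
                report["alerts"].append("%s: executable member in a document-themed archive" % info.filename)
    return report


def build_sample_archive():
    """Constructed zip standing in for the one in the report; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("evidence/B'in Music.pdf.exe", b"MZ placeholder bytes, not a real program")
        zf.writestr("evidence/msimg32.dll", b"")  # empty on purpose: MD5 == EMPTY_FILE_MD5
    return buf.getvalue()


def demo():
    """Scan the constructed archive against the report's IoCs plus the stand-in hash."""
    ioc = dict(REPORT_IOC_MD5)
    ioc[EMPTY_FILE_MD5] = "constructed stand-in for the msimg32.dll sample hash"
    return scan_archive(build_sample_archive(), ioc)


if __name__ == "__main__":
    for alert in demo()["alerts"]:
        print("-", alert)
```

Against the real archive, `REPORT_IOC_MD5` alone is enough to match both the zip and the DLL; the name and extension checks are what still fire when the attacker rebuilds the archive and the hashes change.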
Supplementary case:
A social-engineering case reported on 保哥's Facebook page:
https://www.facebook.com/will.fans/posts/pfbid032Ds1axnKEec7ghtfCETjQsfiwNsqPyWxxVu14GKiYFUzWAKBCpBS5z1UXfyGyUy9l