Some hunting opportunities for:
https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7

@k3dg3 and pointed out by @gossithedog #ZippyReads

PDF LNK file uses certutil -decode and .hta. Fetches .zip file payload and connects to C2.

michaelpagerecruitment-ukoffers(d)com
r3(d)o(d)lencr(d)org

#threatintel

@acquiredsec @k3dg3 @gossithedog r3.o.lencr.org is a legitimate Let's Encrypt endpoint.

https://letsencrypt.org/docs/lencr.org/

lencr.org - Let's Encrypt

What’s lencr.org? lencr.org is a domain name owned by Let’s Encrypt. We use it to host data that is referenced inside the certificates we issue. Why is my computer fetching this data? Is it malicious? No, the data on lencr.org is never malicious. When a device connects to lencr.org, it’s because client software on that device (like a web browser or an app) connected to another site, saw a Let’s Encrypt certificate, and is trying to verify that it’s valid.
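Added hunting example covering both the chain described in the original post (certutil -decode writing an .hta that mshta then runs) and the reply's caveat that r3.o.lencr.org is Let's Encrypt infrastructure, not C2. This is not code from the thread; the telemetry records, their field names (host, parent, cmdline, domain) and the hostnames ws01/ws02 are constructed for the example.

```python
import re

# Constructed sample telemetry (not real logs): process-creation and DNS
# events as a SIEM might export them, shaped like the chain in the thread.
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": r"certutil -decode C:\Users\a\AppData\Local\Temp\offer.txt C:\Users\a\AppData\Local\Temp\offer.hta"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": r"mshta C:\Users\a\AppData\Local\Temp\offer.hta"},
    {"host": "ws02", "parent": "explorer.exe",
     "cmdline": r"certutil -verify C:\certs\corp.cer"},  # ordinary admin use, should not fire
]
DNS_EVENTS = [
    {"host": "ws01", "domain": "michaelpagerecruitment-ukoffers.com"},  # from the thread (refanged)
    {"host": "ws01", "domain": "r3.o.lencr.org"},  # Let's Encrypt OCSP: noisy but benign
    {"host": "ws02", "domain": "example.com"},
]

# Domains owned by Let's Encrypt (see the reply); a cert check, not a beacon.
BENIGN_SUFFIXES = ("lencr.org", "letsencrypt.org")
IOC_DOMAINS = {"michaelpagerecruitment-ukoffers.com"}

DECODE_RE = re.compile(r"certutil(?:\.exe)?\s+.*-decode(?:hex)?\s+\S+\s+(\S+)", re.I)
MSHTA_RE = re.compile(r"mshta(?:\.exe)?\s+\"?([^\"\s]+)", re.I)

def decoded_hta_paths(events):
    """Map host -> set of output paths that certutil -decode wrote with an .hta extension."""
    out = {}
    for ev in events:
        m = DECODE_RE.search(ev["cmdline"])
        if m and m.group(1).lower().endswith(".hta"):
            out.setdefault(ev["host"], set()).add(m.group(1).lower())
    return out

def find_decode_then_mshta(events):
    """Return (host, path) pairs where an .hta staged by certutil -decode was later run via mshta."""
    staged = decoded_hta_paths(events)
    hits = []
    for ev in events:
        m = MSHTA_RE.search(ev["cmdline"])
        if m and m.group(1).lower() in staged.get(ev["host"], set()):
            hits.append((ev["host"], m.group(1)))
    return hits

def triage_domains(events, iocs, benign_suffixes):
    """Split DNS events into IOC matches and certificate-infrastructure noise to suppress."""
    matches, benign = [], []
    for ev in events:
        d = ev["domain"].lower().rstrip(".")
        if d in iocs:
            matches.append((ev["host"], d))
        elif any(d == s or d.endswith("." + s) for s in benign_suffixes):
            benign.append((ev["host"], d))
    return matches, benign
```

Correlating the decode output path with a later mshta launch on the same host keeps the rule from firing on every certutil invocation, and the suffix allowlist keeps the lencr.org OCSP lookup out of the IOC hit list.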