Introduction
It all started with a routine malware sample examination. A European logistics company forwarded us a suspicious file for analysis. The file was named “#001VIEW_Remittance_Advice.svg”, i.e. it posed as a remittance advice. The company reported that after the file was opened in the accounting department no unusual activity was detected, but they remained suspicious.
What is this SVG file and what does it do?
SVG (Scalable Vector Graphics) is normally a harmless image format.
This file, however, contains embedded JavaScript. When the user opens it, what looks like an image is displayed while the malicious code runs in the background.
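The security-relevant property of SVG is that it is an XML document, so a viewer that treats it as a document (a browser tab, rather than an `<img>` reference) will honour `<script>` elements, `on*` event handlers and `javascript:` links. The following triage helper is an added example written for this article, not the analysed sample or code from the original analysis; the two SVG documents it scans are constructed for the demonstration, and the function and variable names are mine.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def find_script_vectors(svg_text: str) -> list:
    """Return (vector, where) pairs for every way this SVG could run script
    when it is opened as a document instead of rendered as a static image."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            # external script via (xlink:)href, otherwise an inline body
            src = elem.get(f"{{{XLINK_NS}}}href") or elem.get("href")
            findings.append(("script element", src or "inline"))
        elif tag == "foreignObject":
            # foreignObject may wrap arbitrary HTML, including <script>
            findings.append(("foreignObject", tag))
        for attr, value in elem.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):
                findings.append(("event handler", f"{tag}@{aname}"))
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript: URL", f"{tag}@{aname}"))
    return findings


def is_suspicious(svg_text: str) -> bool:
    """An image file should need none of the vectors above."""
    return bool(find_script_vectors(svg_text))


# Constructed samples (not the real attachment): a plain image and an SVG
# carrying the three script vectors the scanner looks for.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' \
             '<rect width="10" height="10" fill="blue"/></svg>'

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <rect width="10" height="10" fill="white"/>
  <script type="text/javascript"><![CDATA[ /* constructed placeholder body */ ]]></script>
  <a xlink:href="javascript:void(0)"><text y="8">open</text></a>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(name, find_script_vectors(doc))
```

Run over a mail-gateway quarantine folder, any hit on an inbound "image" is worth an analyst's look; the sample in this article would trip the `script element` check.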
What happens if this file infects a computer? (Possible/Example Scenario)
Impacts:
1. The user opens the SVG file thinking it is a remittance advice. The file appears empty or shows a broken image, so the user closes it assuming it “didn’t open”. But the JavaScript has already run in the background.
2. The JavaScript attempts to redirect the user to “js.poocheasta.biz.pl”. This currently fails because the domain is dead; if the attacker activates the domain, however, the user is redirected to a fake login page.
3. On the fake login page the user sees “Your session has expired, please login again” and enters their email password.
4. The attacker gains access to the compromised “[email protected]” email account, reads all emails, examines invoices, and collects bank account information. To avoid losing access to the intercepted mailbox, the attacker also adds a forwarding rule in the mailbox settings.
5. The attacker starts sending fake invoices to the company’s suppliers with requests such as “Our bank account has changed, please make payments to the new account”.
6. A supplier pays the fake invoice. The money is transferred to the attacker’s account and the first financial loss occurs.
7. The company receives an email from the supplier saying “We made the payment, can you confirm?”. Nobody realizes that no such invoice was ever sent; by then it is too late.
Following this incident, we initiated a detailed analysis process:
- Static analysis (XOR deobfuscation, Base64 decoding)
- Infrastructure mapping
- OSINT investigation (digital footprints)
- Behavioral analysis
Technical Analysis Findings
File Analysis
| Attribute | Value |
|---|---|
| File Name | d09f8b2da9301dabe6af5da1380a6dba2623ae99.svg |
| File Type | SVG (Scalable Vector Graphics) |
| Size | 946 bytes |
| MD5 Hash | e3b5a03fac7092fa61129ab6d97cd20a |
| SHA1 Hash | 28532d72f6fe96eefb2a4e484c5f9eaff7bb629e |
| SHA256 Hash | 4d98123fe95b1a4a318b28ee13bccf1dc45b3b3222b636341c569193c1425aed |
| Location | C:\Users\admin\AppData\Local\Temp\ |

Static Analysis
File content:

Obfuscation Techniques Used
Stage 1: Base64 + XOR

Output:

Stage 2: Chunked Base64 Decode
```python
import base64

# The URL is split into 2-character Base64 chunks so that the full string
# never appears verbatim in the file; it is joined and decoded at run time.
parts = [
    "aH", "R0", "cH", "M6", "Ly", "9q", "cy", "5w", "b2", "9j", "aG",
    "Vh", "c3", "Rh", "Lm", "Jp", "ei", "5w", "bC", "9Q", "bH", "dD",
    "Vm", "5I", "NU", "E5", "QG", "lp", "Lw", "=="
]
base64_string = ''.join(parts)
decoded_url = base64.b64decode(base64_string).decode('utf-8')
```
XOR Key: 6795a9a7242893e6ef978723
Result:
https://js.poocheasta.biz.pl/PlwCVnH5A9@ii
Finally, the email address is appended:
https://js.poocheasta.biz.pl/PlwCVnH5A9@ii/[email protected]
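To reproduce both deobfuscation stages end to end, here is an added example written for this write-up (not the sample's own code and not tooling from the original analysis). It uses the chunk array and the XOR key from the page; everything else is an assumption: that stage 1 XORs the payload with the key as raw bytes and then Base64-encodes it (so decoding is Base64, then XOR), and that the stage-1 plaintext contains the chunk array as quoted 2-character strings. Because the stage-1 blob itself is not reproduced above, the block builds a constructed one from the chunk array so the pipeline can be exercised offline.

```python
import base64
import re

# XOR key as given in the write-up (hex); applied here as a repeating key
XOR_KEY_HEX = "6795a9a7242893e6ef978723"

# Chunked Base64 array from stage 2 of the sample
PARTS = [
    "aH", "R0", "cH", "M6", "Ly", "9q", "cy", "5w", "b2", "9j", "aG",
    "Vh", "c3", "Rh", "Lm", "Jp", "ei", "5w", "bC", "9Q", "bH", "dD",
    "Vm", "5I", "NU", "E5", "QG", "lp", "Lw", "==",
]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stage1_decode(blob_b64: str, key_hex: str = XOR_KEY_HEX) -> str:
    """Stage 1 (assumed order): Base64-decode, then XOR with the key."""
    raw = base64.b64decode(blob_b64)
    return xor_with_key(raw, bytes.fromhex(key_hex)).decode("utf-8", errors="replace")


# Quoted 2-character Base64 chunks as used in this sample's stage 2
CHUNK_RE = re.compile(r'"([A-Za-z0-9+/=]{2})"')


def extract_chunks(script: str) -> list:
    """Pull the chunk array out of the stage-1 output without running it."""
    return CHUNK_RE.findall(script)


def stage2_decode(parts) -> str:
    """Stage 2: join the chunks and Base64-decode the result."""
    return base64.b64decode("".join(parts)).decode("utf-8")


def run_pipeline(blob_b64: str, key_hex: str = XOR_KEY_HEX) -> str:
    """Stage 1 followed by stage 2, returning the final URL."""
    return stage2_decode(extract_chunks(stage1_decode(blob_b64, key_hex)))


# Constructed stage-1 payload: the chunk array wrapped in a JS statement,
# XORed with the key and Base64-encoded here so the example is self-contained.
SAMPLE_INNER_SCRIPT = "var p = [" + ", ".join(f'"{c}"' for c in PARTS) + "];"
SAMPLE_STAGE1_BLOB = base64.b64encode(
    xor_with_key(SAMPLE_INNER_SCRIPT.encode(), bytes.fromhex(XOR_KEY_HEX))
).decode("ascii")

if __name__ == "__main__":
    print("stage 2 only :", stage2_decode(PARTS))
    print("full pipeline:", run_pipeline(SAMPLE_STAGE1_BLOB))
```

Decoding statically, rather than letting the script run in a browser, is the point: the URL is recovered without ever resolving the domain, which matters when the attacker is watching for requests to decide whether to activate it.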
Infrastructure Analysis
Domain Analysis: brifutelectric.com
Domain Name: BRIFUTELECTRIC.COM
Creation Date: 2006-01-25 (20 years ago)
Registry Expiry Date: 2030-01-25
Registrar: GoDaddy.com, LLC
Name Server: BRISTOL.NS.CLOUDFLARE.COM
Name Server: YEVGEN.NS.CLOUDFLARE.COM

Current Status
The domain is currently parked. It appears as “parked free” on GoDaddy. This means there is no active website, but the attacker can activate it at any time.
DNS Records
| Record Type | Value | Service |
|---|---|---|
| A | 75.112.181.146 | Charter Communications |
| MX 10 | mx1-us1.ppe-hosted.com | Proofpoint |
| MX 20 | mx2-us1.ppe-hosted.com | Proofpoint |
| NS | bristol.ns.cloudflare.com | Cloudflare |
| NS | yevgen.ns.cloudflare.com | Cloudflare |
| TXT | v=spf1 a:dispatch-us.ppe-hosted.com include:servers.mcsv.net -all | SPF |
| TXT | ppe-6bf6f6eae8bfc3e8a252772445f4fc1805a796c5 | PPE Hosted |
| CNAME | www.brifutelectric.com | – |

| Records | IP | Service |
|---|---|---|
| owncloud.brifutelectric.com | 72.31.126.228 | OwnCloud – File Storage |
| mail.brifutelectric.com | 75.112.181.147 | Email Server |
| mail-al.brifutelectric.com | 72.31.126.227 | Email Server (Backup) |
| mail-al2.brifutelectric.com | 72.31.126.231 | Email Server (Backup) |
| mail-fl1.brifutelectric.com | 75.112.181.150 | Email Server |
| mail-bf1.brifutelectric.com | – | |
| mail-bf2.brifutelectric.com | – | |
| ciscoorlando.brifutelectric.com | 75.112.181.146 | Network Infrastructure |
| ciscosarasota.brifutelectric.com | 75.114.66.82 | Network Infrastructure |
| ciscobirmingham.brifutelectric.com | 72.31.126.226 | Network Infrastructure |
| mail-pf | 72.31.126.83 | – |
| www.brifutelectric.com | 75.112.181.146 | WWW |
| autodiscover.brifutelectric.com | – | Microsoft 365 |
IPs
| IP Block | IP Addresses |
|---|---|
| 75.112.176.0/20 | 75.112.181.146, 75.112.181.147, 75.112.181.150 |
| 72.31.126.0/23 | 72.31.126.226, 72.31.126.227, 72.31.126.228, 72.31.126.231, 72.31.126.83 |
| 75.114.64.0/18 | 75.114.66.82 |
IOC List
File Hashes:
001VIEW_Remittance_Advice.svg
MD5: e3b5a03fac7092fa61129ab6d97cd20a
SHA1: 28532d72f6fe96eefb2a4e484c5f9eaff7bb629e
SHA256: 4d98123fe95b1a4a318b28ee13bccf1dc45b3b3222b636341c569193c1425aed
Domains:
| Domain | IP | Status |
|---|---|---|
| brifutelectric.com | 75.112.181.146 | PARKED (GoDaddy) |
| js.poocheasta.biz.pl | – | NXDOMAIN (Dead) |
| pocaheasta.biz.pl | – | NXDOMAIN (Dead) |
Email:
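The IoC list is only useful once it is checked against telemetry. The scanner below is an added example for this article, not tooling from the original analysis: it takes the hashes and domains listed above, matches hostnames by suffix so that new subdomains of a listed domain are caught, and runs over a handful of constructed DNS, proxy and EDR log lines whose format is invented for the demonstration.

```python
import re
from typing import Iterable

# IoCs from the write-up
IOC_HASHES = {
    "md5": "e3b5a03fac7092fa61129ab6d97cd20a",
    "sha1": "28532d72f6fe96eefb2a4e484c5f9eaff7bb629e",
    "sha256": "4d98123fe95b1a4a318b28ee13bccf1dc45b3b3222b636341c569193c1425aed",
}
IOC_DOMAINS = {"js.poocheasta.biz.pl", "pocaheasta.biz.pl", "brifutelectric.com"}

# Hostnames (final label alphabetic, so dotted IPs do not match) and
# hex tokens of MD5/SHA1/SHA256 length.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def domain_matches(host: str):
    """Return the IoC domain that `host` equals or is a subdomain of, else None."""
    h = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_line(line: str) -> list:
    """Return (kind, observed_value) for every IoC hit in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            hits.append(("domain", host.lower()))
    known = set(IOC_HASHES.values())
    for token in HEX_RE.findall(line):
        if token.lower() in known:
            hits.append(("hash", token.lower()))
    return hits


def scan_log(lines: Iterable[str]) -> list:
    """Return (line_number, kind, observed_value) for every hit, 1-based."""
    return [(n, kind, value)
            for n, line in enumerate(lines, start=1)
            for kind, value in scan_line(line)]


# Constructed log lines; the format and hosts are invented for the example.
LOG_LINES = [
    "2026-01-04T09:12:03Z dns client=10.0.5.23 query=js.poocheasta.biz.pl type=A rcode=NXDOMAIN",
    "2026-01-04T09:12:05Z proxy client=10.0.5.23 GET https://www.example.com/ status=200",
    "2026-01-04T09:13:10Z edr host=acct-pc-07 file=#001VIEW_Remittance_Advice.svg "
    "sha256=4d98123fe95b1a4a318b28ee13bccf1dc45b3b3222b636341c569193c1425aed",
    "2026-01-04T09:14:00Z dns client=10.0.5.40 query=mail.google.com type=A rcode=NOERROR",
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

The NXDOMAIN answer in the first line is exactly the signal worth alerting on here: a lookup for a dead phishing domain means the SVG was opened and the script ran, even though nothing was downloaded.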
Risk Assessment
| Criteria | Status | Risk |
|---|---|---|
| Domain Age | 20 years (2006-2030) | Critical |
| DNS Provider | Cloudflare (hidden real IP) | High |
| OwnCloud Presence | YES (File Storage) | Low (for now) |
| Currently Active | NO (Parked) | Low (for now) |
| Activation Potential | HIGH (ready infrastructure) | Critical |
Timeline
2006-01-25: Domain registered
2016-03-07: First subdomain detected (ciscobirmingham)
2018-09-06: owncloud.brifutelectric.com added
2021-10-28: Domain parked (GoDaddy)
2024-01-25: Domain renewed (until 2030)
2026-01-04: SVG malware analyzed and flagged as malicious under the phishing label (js.poocheasta.biz.pl)
Conclusion
Today’s BEC (Business Email Compromise) and phishing attacks are typically carried out by first compromising email accounts on the clean domains of legitimate companies and then launching the attacks from those addresses. The main reason is to bypass email security gateway products. In this case, the domain in question is 20 years old, which makes it perfectly suited for this purpose.