Contacting a Remote Server: The script specifies a remote server (http://drop-baux.com:80) and a path (/bmV2ZXIgZ29ubmEgbGV0IHlvdQ==/down.php) from which it downloads data. The path is base64 encoded, which decodes to "never gonna let you".

Notices where this attachment appears

1. Embed this notice
   Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:44 JST Will Dormann

   in reply to

   Less-efficient workaround:
   Do a VirusTotal RetroHunt with a close-enough YARA rule, and then just manually run exiftool on them.

   And then ask ChatGPT to tell me what some of them do because I'm lazy. This attacker from 4.5 years ago at least had a sense of humor. 😂
   https://www.virustotal.com/gui/file/ca2723ce8388eda11d5b07e788145d9779a6d38bac2d448a89ba860e4899ab35/details

   Microsoft has refused to assign a CVE to this, as they don't feel obligated to follow CNA rules. ("CNAs SHOULD assign CVE IDs to Vulnerabilities, not Fixes for Vulnerabilities. ")

   MITRE has refused to assign a CVE (by way of ignoring the request), as they too apparently don't feel obligated to follow CNA rules ("... MUST direct a CNA-LR or another CNA with appropriate scope to assign as quickly as possible and no later than 72 hours after becoming aware of the first refusal.")

   So have fun with this one, folks. It's been exploited ITW for years, and it definitely works. But "LNK Stomping" has no CVE because, well, draw your own conclusions...