Sponsored by..

Monday, 9 June 2014

"inovice 2110254 June" spam

This terse but badly-spelled spam has a malicious attachment:

Date:      Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From:      Ladonna Gray [wtgipagw@airtelbroadband.in]
Subject:      inovice 2110254 June

This email contains an invoice file attachment 
Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.

UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:

It also drops a file KB05152056.exe which has a VirusTotal detection rate of 5/51. Analysis is pending.

UPDATE 2: the Malwr analysis of the second binary is here. This makes a connection to

All the IP addresses listed belong to Clodo-Cloud in Russia:

Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it:

No comments: