Tuesday, 5 August 2014

"Invoice 20146308660 June 2014 - July 2014" spam

This spam is very similar to this one, but has a different payload:
Date:      Tue, 05 Aug 2014 17:18:39 +0700 [06:18:39 EDT]
From:      Accounts Dept [optique@hotmail.com]
Subject:      Invoice 20146308660 June 2014 - July 2014 dynamoo

This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.
Attached is an archive ID_20146308660.zip which contains a folder invoice__details_June-July.xls which in turn contains a malicious executable invoice__details_June-July.xls.scr which has a VirusTotal detection rate of just 2/54. According to the CAMAS report, the malware then downloads a further component from one of the following locations:


This second stage has a VirusTotal detection rate of 9/54. Automated analysis tools are inconclusive [1] [2].
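As an added example, not part of the original post: a defender-side check that inspects a zip attachment for the double-extension trick used in this campaign (a .xls.scr executable sitting inside a folder named like a spreadsheet). The archive it scans is constructed in-line with placeholder content, and the extension sets are assumptions about what a gateway would want to flag.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Document-looking extensions used as a disguise, and the executable
# extensions they get paired with (.scr is a PE executable on Windows).
DECOY_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}


def is_disguised_executable(name: str) -> bool:
    """True if the entry ends in an executable extension preceded by a
    document extension, e.g. invoice__details_June-July.xls.scr."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXEC_EXTS
            and suffixes[-2] in DECOY_EXTS)


def find_disguised_executables(zip_bytes: bytes) -> list[str]:
    """Return the full in-archive paths of suspicious entries, including
    those nested inside folders that themselves look like documents."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_disguised_executable(info.filename):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the campaign layout: a folder named like
    a spreadsheet holding a .xls.scr. Member content is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice__details_June-July.xls/"
                    "invoice__details_June-July.xls.scr", b"MZ placeholder")
        zf.writestr("invoice__details_June-July.xls/readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for path in find_disguised_executables(build_sample_zip()):
        print("suspicious entry:", path)
```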

Recommended blocklist: