Tuesday, 14 October 2014

"To view your document, please open attachment" spam with a DOC attachment

This spam comes with a malicious DOC attachment:

From:     Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@bostonqatar.net]
Date:     14 October 2014 11:09
Subject:     Your document

To view your document, please open attachment.

The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc.
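
The three header and attachment traits described above can be checked together at a mail gateway. This is an added example, not part of the original post: the threshold value, the `example.test` sender domain and both sample messages are constructed assumptions, and the attachment is inert placeholder bytes.

```python
import re
from email.headerregistry import Address
from email.message import EmailMessage

# Filename pattern quoted in the post: document_<digits>.doc
ATTACHMENT_RE = re.compile(r"^document_\d+\.doc$", re.IGNORECASE)
GARBLED_THRESHOLD = 0.3  # assumption: tune against your own mail flow


def garbled_ratio(name):
    """Share of characters that are not ASCII letters, digits or spaces."""
    if not name:
        return 0.0
    odd = sum(1 for c in name if not (c.isascii() and (c.isalnum() or c == " ")))
    return odd / len(name)


def campaign_traits(msg):
    """Return which traits of this campaign a parsed message shows.

    msg must be parsed with email.policy.default, for example via
    email.message_from_bytes(raw, policy=email.policy.default).
    """
    traits = []
    if str(msg["Subject"] or "").strip().lower() == "your document":
        traits.append("subject")
    sender = msg["From"]
    names = [a.display_name for a in sender.addresses] if sender else []
    if any(garbled_ratio(n) > GARBLED_THRESHOLD for n in names):
        traits.append("garbled-from")
    if any(ATTACHMENT_RE.match(p.get_filename() or "") for p in msg.iter_attachments()):
        traits.append("attachment-name")
    return traits


def sample(display, subject, filename):
    """Build a constructed test message with a placeholder attachment."""
    m = EmailMessage()
    m["From"] = Address(display, "no-reply", "example.test")
    m["Subject"] = subject
    m.set_content("To view your document, please open attachment.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="msword", filename=filename)
    return m


# Constructed samples: one shaped like the spam, one ordinary message.
SPAM = sample("Anna \u00ba\u017e\u00f4 \u00f5\u00f6?#-\u00f8\u00df {qYr\u00dds\u00d8",
              "Your document", "document_1234567.doc")
HAM = sample("Anna Smith", "Your document", "minutes.doc")
```

A single trait, such as the subject line alone, matches plenty of legitimate mail; quarantine on the combination of all three.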

This Word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography.co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55 and the EXE file is just 2/54.

I have not yet had time to look at the malicious binary, but the Malwr analysis is here.

UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55. You can see the Malwr analysis here.

