Sponsored by..

Tuesday, 4 November 2014

DUCO "Remittance Advice November" spam

This fake remittance advice spam does pretends to come from a company called DUCO (it does not) and comes with a malicious Word document.

From:     Therese Holden
Date:     4 November 2014 13:59
Subject:     Remittance Advice November FO1864232P

Dear Sir/Madam

Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP

Regards,
Therese Holden
Accounts Payable Department DUCO
The attachment is a Word document with a randomly-generated filename that matches the subject of the email, it contains a malicious macro [pastebin] with a VirusTotal detection rate of 0/52 (you can see the Malwr report here, it doesn't say much). In this case the macro downloads a file from http://144.76.153.36:8080/doc/9.exe and saves it as %TEMP%\DCITXEKBIRG.exe, this is also poorly detected with a detection rate of just 3/52.

The Malwr report shows that the malware reaches out to the following URLs:

http://91.222.139.45/%26RNB2/hs3SILqWzl1%24x%20/rI9sI
http://213.140.115.29/9m0/xvgsH.jTg@/NsY/75/0b50
http://213.140.115.29/1u1mS$%3D=cVE%3DUPI%7EVe94/L&%3D%20yqWbqmNh$oP/
http://213.140.115.29/ktp6rp3vnx/x%7Egxlkki%20%2D56g%7E%20=&%3Fg%3Fx4j/r+~f6j%7Efwin%2Bcywc/%24yxvmo


It also drops a DLL on the system identified by VirusTotal as Cridex.

Recommended blocklist:
91.222.139.45
213.140.115.29
144.76.153.36

3 comments:

Jake Rogers said...

Just finished my analysis 5 minutes ago, see malwr report below along with the "dropper" url encoded in the macro which was different from the one you've found.

178.77.73.206

https://malwr.com/analysis/NzA5NWJmNmU5Y2E2NDEwM2E0MzlhY2Q4OWRlZWU0MjE/

Regards,
Jake

Steve Basford said...

http://sanesecurity.blogspot.co.uk/2014/11/remittance-advice-november-word-malware.html

Conrad Longmore said...

I think usually there are a few different versions of the document, so far I have only seen two samples which the same document attached.