From: Incoming Fax [no-reply@efax.co.uk]
Date: 18 November 2014 13:16
Subject: INCOMING FAX REPORT : Remote ID: 766-868-5553
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file:
http://mrconsultantpune.com/dropbox/document.php
*********************************************************

This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes the following HTTP requests:
http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/
http://108.61.229.224:13861/1811us1/HOME/1/0/0/
http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg
It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.
Recommended blocklist:
108.61.229.224
159593.webhosting58.1blu.de
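
One way to apply the recommended blocklist to web proxy logs, as an added example that is not from the original post: it matches on the parsed URL host rather than on substrings, so a lookalike address or a query string that merely contains an indicator does not alert. The log format, function names and sample lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the recommended blocklist in the post.
BLOCKLIST = {"108.61.229.224", "159593.webhosting58.1blu.de"}

def url_host(url):
    """Return the lower-cased host of a URL, without port or userinfo."""
    if "://" not in url:
        url = "http://" + url  # CONNECT-style "host:port" log entries
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:         # e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host is a blocklisted IP, domain, or subdomain of one."""
    host = url_host(url)
    if not host:
        return False
    try:
        # IP literal: only an exact address match counts.
        return str(ipaddress.ip_address(host)) in blocklist
    except ValueError:
        pass
    # Hostname: match the name itself or a subdomain, on label boundaries.
    return any(host == d or host.endswith("." + d) for d in blocklist)

def scan(log_lines, url_field=2):
    """Yield (client, url) for each log line whose URL hits the blocklist."""
    for line in log_lines:
        fields = line.split()
        if len(fields) > url_field and is_blocked(fields[url_field]):
            yield fields[0], fields[url_field]

# Constructed proxy log lines (assumed format: client method url status).
SAMPLE_LOG = [
    "10.0.0.5 GET http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/ 200",
    "10.0.0.5 GET http://159593.WEBHOSTING58.1blu.de/mandoc/narutus1.pmg 200",
    "10.0.0.7 GET http://108.61.229.22/index.html 200",          # lookalike IP
    "10.0.0.8 GET http://example.com/?ref=108.61.229.224 200",   # IP in query only
    "10.0.0.9 GET http://1blu.de/ 200",                          # parent domain
    "10.0.0.9 malformed",
]

if __name__ == "__main__":
    for client, url in scan(SAMPLE_LOG):
        print(f"ALERT {client} -> {url}")
```

Only the first two sample lines alert; a hit from a client is a reason to check that host for the dropped EXE1.EXE.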