Wednesday, 17 December 2014

"Blocked ACH Transfer" spam has a malicious DOC attachment

Another spam run pushing a malicious Word attachment..

Date:    17 December 2014 at 07:27
Subject:    Blocked ACH Transfer

The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.

Canceled transaction
ACH file Case ID     623742
Total Amount     2644.93 USD
Sender e-mail     info@mobilegazette.com
Reason for rejection     See attached word file
Please see the document provided below to have more details about this issue.


Attached is a file named ACH transaction 3360.doc which isn't actually a Word 97-2003 (binary) document at all, but a malicious Word 2007-format document that would normally carry a .DOCX extension (the format is essentially a ZIP container). The current VirusTotal detection rate for this attachment is just 1/55.

Inside this is a malicious macro [pastebin] which downloads a file from:

http://www.lynxtech.com.hk/images/tn.exe

This has a VirusTotal detection rate of just 1/54. The Malwr report shows it POSTing data to 5.187.1.78 (Fornex Hosting, Germany) and also making a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
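The extension/content mismatch described above (a ZIP-based Word 2007 file carrying a .doc name, with a VBA project inside) is something a mail gateway can check for directly. The following is an added example written for this post, not code from the original, and it uses only constructed sample blobs; the file signatures and the OOXML part names (`[Content_Types].xml`, `word/vbaProject.bin`) are the standard ones, and the filename is the one from the spam.

```python
import io
import zipfile

# Magic numbers (known file signatures): OLE2 compound file and ZIP local file header
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_word_attachment(filename: str, data: bytes) -> dict:
    """Report the container actually found, whether a VBA project is
    embedded, and whether the extension disagrees with the content."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    result = {"extension": ext, "container": "unknown",
              "has_vba": False, "extension_mismatch": False}
    if data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"  # legacy Word 97-2003 binary format
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return result  # truncated or fake ZIP: leave as unknown
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            result["container"] = "ooxml"  # Word 2007+ ZIP container (.docx/.docm)
            result["has_vba"] = "word/vbaProject.bin" in names
    # A .doc should be OLE2; an OOXML ZIP under a .doc name is the trick in this campaign
    if ext == "doc" and result["container"] == "ooxml":
        result["extension_mismatch"] = True
    return result


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML ZIP layout, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: an OOXML-with-macro blob under a .doc name, and a real OLE2 header
    samples = {"ACH transaction 3360.doc": build_ooxml_sample(with_macro=True),
               "quarterly.doc": OLE2_MAGIC + b"\x00" * 504}
    for name, blob in samples.items():
        print(name, classify_word_attachment(name, blob))
```

A hit on both `extension_mismatch` and `has_vba` is a strong quarantine signal regardless of what antivirus says about the file.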

Recommended blocklist:
5.187.1.78
209.208.62.36



1 comment:

Robin Norris said...

Seeing these come through with .DOCM attachments, not .DOCX