Sponsored by..

Monday, 27 April 2015

Malware spam: "[1138593] Booking.com Invoice 01/03/2015 - 31/03/2015" / "invoice@booking.com"

This fake invoice email does not come from Booking.com but is a simple forgery with a malicious attachment.
From:    invoice@booking.com
Date:    27 April 2015 at 08:55
Subject:    [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Dear customer,

Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.

If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail:  ).

Thank you for working with Booking.com.
The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57. This contains a malicious macro [pastebin] which downloads a component from the following location:


There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] [3] show an attempted network connection to: (RuWeb CJSC, Russia)

According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57.


No comments: