
Wednesday, 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

I have only seen one sample of this spam so far; it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez

In this case, the link in the email goes to:


..which includes the victim's email address in the URL. In turn, this redirects to:


As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs: (Hetzner, Germany) (Camelhost SIA, Latvia) (Iliad Entreprises / Poney Telecom, France) (Invest Ltd, Ukraine)

According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.
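As an added example (not part of this post), here is a mail triage script that flags messages using the lure template above, with the document ID and company name generalised since other variants likely use different company names, plus links that carry the recipient's own address as this one did. The sample messages and URLs are constructed for the example.

```python
import re
from urllib.parse import unquote

# Subject template from the campaign; the report ID and company name are variable.
SUBJECT_RE = re.compile(
    r"^New document with ID:(?P<doc_id>[A-Z0-9]{5,10}) from (?P<company>.+?) was generated$"
)

def subject_matches_campaign(subject):
    """Return (doc_id, company) if the subject follows the lure template, else None."""
    m = SUBJECT_RE.match(subject.strip())
    return (m.group("doc_id"), m.group("company")) if m else None

def url_embeds_recipient(url, recipient):
    """True if the recipient address appears (plain or URL-encoded) in a link."""
    return recipient.lower() in unquote(url).lower()

def triage(messages):
    """Return [(index, reasons)] for messages hitting either indicator."""
    hits = []
    for i, msg in enumerate(messages):
        reasons = []
        if subject_matches_campaign(msg["subject"]):
            reasons.append("campaign-subject")
        if any(url_embeds_recipient(u, msg["to"]) for u in msg["urls"]):
            reasons.append("recipient-in-url")
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample messages (hypothetical hosts); the first mirrors the reported lure.
SAMPLE_MESSAGES = [
    {"to": "victim@example.com",
     "subject": "New document with ID:G27427P from RESTAURANT GROUP PLC was generated",
     "urls": ["http://example.invalid/report.php?e=victim%40example.com"]},
    {"to": "victim@example.com",
     "subject": "New document with ID:A12345B from ACME HOLDINGS LTD was generated",
     "urls": ["http://example.invalid/get/victim@example.com/doc.vbs"]},
    {"to": "victim@example.com",
     "subject": "Re: lunch on Friday",
     "urls": ["https://example.org/calendar"]},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_MESSAGES):
        print(idx, SAMPLE_MESSAGES[idx]["subject"], why)
```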

Recommended blocklist:

