Sponsored by..

Friday, 26 June 2015

Malware spam: "Order Confirmation RET-385236 250615" / "donotreply@royal-canin.fr"

This fake financial spam comes with a malicious payload:

From: [1NAV PROD RCS] [mailto:donotreply@royal-canin.fr]
Subject: Order Confirmation RET-385236 250615

Please find attached your Sales Order Confirmation

Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.

In the sample I have seen, the attachment is called Order Confirmation RET-385236 250615.doc which contains this malicious macro [pastebin] which downloads a component from the following location:


Usually there are several different version of the macro, each one loading an identical binary but from different locations. This file is saved as %TEMP%\biksenpd.exe and has a VirusTotal detection rate of 7/55.

According to various automated analysis tools, the sample doesn't seem to run properly [1] [2] [3] [4] but it looks like it tries to send traffic to the following IPs: (Strategic Systems Consulting, US) (OneGbits, Lithuania) (ASDL Subscriber, Iran)

Recommended blocklist:

No comments: