Wednesday 1 July 2015

Malware spam: "Document Order 534-550719-84513074/1" / "web-filing@companies-house.gov.uk"

This spam email is not from Companies House but is instead a simple forgery with a malicious attachment.

From     web-filing@companies-house.gov.uk
Date     Wed, 01 Jul 2015 10:49:12 +0300
Subject     Document Order 534-550719-84513074/1


Order: 534-550719-84513074  29/06/2015 09:35:46

Companies House WebFiling order 534-550719-84513074/1 is attached.

Thank you for using the Companies House WebFiling service.

--
Email: enquiries@companies-house.gov.uk    Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept
incoming email.  Please do not reply directly to this message.

In the sample I saw, the attachment was named compinfo_534-550719-84513074_1.doc [VT 2/55], which contained this malicious macro [pastebin] that downloads a file from:

http://demaiffe.be/75/85.exe

This is then saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of just 1/55. Automated analysis tools [1] [2] [3] indicate malicious traffic to:

78.47.139.58 (Hetzner, Germany)

This IP has been seen a few times recently. Blocking traffic to it is probably a good idea.

The payload is probably the Dridex banking trojan which usually drops via a DLL, although I have not been able to obtain a sample.

MD5s:
7e634a4d8eaad8643d5828b1606c709f
847aa0e22b419316a2e82c813d5ca690
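As an added defender-side example (not from the original post), here is a small matcher that checks the indicators listed above (download URL, C2 IP, dropped file name and the two MD5s) against constructed proxy, firewall and endpoint log lines; the log formats, hostnames and internal addresses are assumptions.

```python
import re
from typing import Dict, List

# Indicators taken from the post: the macro's download URL, the C2 IP,
# the dropped file name and the two MD5s. Nothing here is a new indicator.
IOC_URLS = {"http://demaiffe.be/75/85.exe"}
IOC_HOSTS = {"demaiffe.be"}
IOC_IPS = {"78.47.139.58"}
IOC_MD5S = {
    "7e634a4d8eaad8643d5828b1606c709f",
    "847aa0e22b419316a2e82c813d5ca690",
}
DROPPED_NAME = "silvuple.exe"  # written to %TEMP% by the macro

# Constructed sample telemetry (assumed formats): Squid-style proxy lines,
# firewall lines, and endpoint file-creation events carrying an MD5.
SAMPLE_LOGS = [
    "1435740552.101 312 10.0.0.7 TCP_MISS/200 184320 GET http://demaiffe.be/75/85.exe - DIRECT/192.0.2.10 application/octet-stream",
    "1435740560.455 45 10.0.0.7 TCP_MISS/200 512 GET http://www.gov.uk/ - DIRECT/192.0.2.20 text/html",
    "Jul 1 10:49:40 fw1 kernel: ACCEPT src=10.0.0.7 dst=78.47.139.58 proto=TCP dpt=443",
    "Jul 1 10:49:41 fw1 kernel: ACCEPT src=10.0.0.8 dst=192.0.2.53 proto=UDP dpt=53",
    "FileCreate host=PC07 path=C:\\Users\\bob\\AppData\\Local\\Temp\\silvuple.exe md5=847aa0e22b419316a2e82c813d5ca690",
    "FileCreate host=PC08 path=C:\\Users\\ann\\Documents\\report.docx md5=d41d8cd98f00b204e9800998ecf8427e",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def match_iocs(line: str) -> List[str]:
    """Return the indicator categories a single log line matches (empty if clean)."""
    hits: List[str] = []
    # Match either the exact download URL or any URL on the hosting domain.
    for url in URL_RE.findall(line):
        if url in IOC_URLS or url.split("/")[2].lower() in IOC_HOSTS:
            hits.append("url")
            break
    if IOC_IPS & set(IP_RE.findall(line)):
        hits.append("c2_ip")
    if IOC_MD5S & {h.lower() for h in MD5_RE.findall(line)}:
        hits.append("md5")
    # The dropped file is only suspicious by name when it lands in a Temp folder.
    low = line.lower()
    if DROPPED_NAME in low and "\\temp\\" in low:
        hits.append("dropped_file")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> matched categories for every line that hits an indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_iocs(line))}
```

Feeding real proxy or EDR exports through scan() in place of SAMPLE_LOGS gives a quick triage of which hosts fetched the dropper, beaconed to the C2, or wrote the payload to %TEMP%.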
