Thursday, 16 July 2015

Malware spam: "Excelent job !" / "Good achievement !"

These spam emails appear to have randomly-generated text, which would account for the strange language. They come with a malicious attachment:

Date:    16 July 2015 at 12:53
Subject:    Excelent job !

Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
All the best.
Michelle Curtis Company management


Date:    16 July 2015 at 11:53
Subject:    Good achievement !

Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
With the best regards.
Sharon Silva Company management 

Attached is a malicious Word document which in the two samples I saw was called

Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55. Inside the document is this malicious macro [pastebin], which (according to Hybrid Analysis) downloads several components (scripts and batch files) from:


These are executed, then a malicious executable is downloaded from:


This has a VirusTotal detection rate of 8/55, and according to that report plus other automated analysis tools [1] [2] it phones home to the following malicious URLs:

<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
<MACHINE_NAME>/41/7/4/

That IP belongs to C2NET in the Czech Republic. The malware also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address), which is a good indicator of compromise.
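One way to hunt for this in web proxy logs is to correlate the icanhazip.com lookup with a later request to a bare IP address whose path carries the client's own machine name, as in the check-in URLs above. This is an added example, not part of the original post: the log format, the log lines, the 5-minute window, the documentation-range IPs, the port and the `PLACEHOLDER` path segment are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client machine name, method, URL.
# IPs are documentation ranges; "PLACEHOLDER" stands in for the part of the
# check-in path that is not shown on this page.
SAMPLE_LOG = """\
2015-07-16T12:55:01 WS-FINANCE07 GET http://icanhazip.com/
2015-07-16T12:55:03 WS-FINANCE07 GET http://192.0.2.10:12345/PLACEHOLDER/WS-FINANCE07/0/51-SP3/0/MEBEFEBFEBEFJ
2015-07-16T12:55:09 WS-FINANCE07 GET http://192.0.2.10:12345/PLACEHOLDER/WS-FINANCE07/41/7/4/
2015-07-16T13:02:11 WS-DEV02 GET http://icanhazip.com/
2015-07-16T13:02:40 WS-DEV02 GET http://www.example.com/index.html
2015-07-16T13:10:00 WS-HR01 GET http://198.51.100.7/WS-HR01/status
"""

IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # host is a bare IPv4 address
WINDOW = timedelta(minutes=5)                     # assumed correlation window


def parse(line):
    """Split one log line into (timestamp, client name, parsed URL)."""
    ts, client, _method, url = line.split(None, 3)
    return datetime.fromisoformat(ts), client, urlsplit(url.strip())


def find_suspects(log_text):
    """Return {client: [URLs]} for clients that looked up their external IP
    and then sent their own machine name in a URL path to a bare-IP host."""
    last_ip_lookup = {}  # client -> time of its latest icanhazip.com request
    suspects = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, client, url = parse(line)
        host = (url.hostname or "").lower()
        if host == "icanhazip.com":
            last_ip_lookup[client] = ts
            continue
        segments = [s.lower() for s in url.path.split("/") if s]
        recent = client in last_ip_lookup and ts - last_ip_lookup[client] <= WINDOW
        if recent and IP_HOST.match(host) and client.lower() in segments:
            suspects.setdefault(client, []).append(url.geturl())
    return suspects


if __name__ == "__main__":
    for client, urls in find_suspects(SAMPLE_LOG).items():
        print(client, "->", len(urls), "suspected check-in requests")
```

Requiring both signals keeps the developer workstation that only queries icanhazip.com, and the host that talks to an IP address without a prior lookup, out of the results.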

This malware drops the Dyre banking trojan.

Recommended blocklist:

