From: Incoming Fax [Incoming.Fax@victimdomain]
Date: 18 September 2014 at 08:39
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 28/07/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
(#2023171)Renewal Invite Letter sp.exe
Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but does not capture the malicious binary being downloaded from:
This has a VirusTotal detection rate of 2/55, so endpoint antivirus is unlikely to stop it at this stage and the indicators below are the more useful control.
umontreal-ca.com (184.108.40.206 / ISP4P, Germany) is a known bad domain. Other analysis is pending; however, the payload is likely to be the Dyre banking trojan.
This Hybrid Analysis report shows traffic to the following IPs:
220.127.116.11 (Huntel.net, US)
18.104.22.168 (Online SAS, France)
22.214.171.124 (OVH, Canada)
126.96.36.199 (Leaseweb, Netherlands)
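For anyone wanting to sweep proxy logs for the indicators above, here is an added example (not part of the original post, and not tooling from Hybrid Analysis or VirusTotal) that matches the domain and IP addresses listed on this page against Squid-style native access log lines. The log format, the subdomain matching, and the sample log lines are all assumptions made for the example; the log lines are constructed and do not come from a real incident.

```python
import re
from ipaddress import ip_address

# Indicators as listed on the page.
BAD_DOMAINS = {"umontreal-ca.com"}
BAD_IPS = {
    "184.108.40.206",  # umontreal-ca.com / ISP4P, Germany
    "220.127.116.11",  # Huntel.net, US
    "18.104.22.168",   # Online SAS, France
    "22.214.171.124",  # OVH, Canada
    "126.96.36.199",   # Leaseweb, Netherlands
}

# Assumed Squid native access log layout:
# timestamp elapsed client result/code bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)"
)


def extract_host(url):
    """Return the host part of a URL or of a CONNECT 'host:port' target."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url)
    return m.group(1).lower() if m else ""


def is_bad_domain(host):
    """Exact match or any subdomain of a listed domain."""
    return host in BAD_DOMAINS or any(host.endswith("." + d) for d in BAD_DOMAINS)


def is_bad_ip(text):
    """Normalise through ipaddress so odd spellings still compare correctly."""
    try:
        return str(ip_address(text)) in BAD_IPS
    except ValueError:
        return False


def match_iocs(line):
    """Return a hit record for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = extract_host(m.group("url"))
    peer = m.group("hier").split("/", 1)[-1]
    hits = []
    if is_bad_domain(host):
        hits.append("domain:" + host)
    if is_bad_ip(host):
        hits.append("host-ip:" + host)
    if is_bad_ip(peer):
        hits.append("peer-ip:" + peer)
    if not hits:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"),
            "method": m.group("method"), "url": m.group("url"), "hits": hits}


def scan(lines):
    """Run every line through match_iocs and keep the hits, in log order."""
    return [h for h in (match_iocs(l) for l in lines) if h]


# Constructed sample log; the hosts reuse the page's indicators, everything else is made up.
SAMPLE_LOG = """\
1411029540.101    120 10.0.0.15 TCP_MISS/200 2310 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1411029541.220    310 10.0.0.15 TCP_MISS/200 58912 GET http://umontreal-ca.com/js/bin.exe - HIER_DIRECT/184.108.40.206 application/octet-stream
1411029542.330    200 10.0.0.15 TCP_TUNNEL/200 4021 CONNECT 220.127.116.11:443 - HIER_DIRECT/220.127.116.11 -
1411029543.440     90 10.0.0.22 TCP_MISS/200 1024 GET http://cdn.umontreal-ca.com/ping - HIER_DIRECT/184.108.40.206 text/plain
1411029544.550     80 10.0.0.22 TCP_MISS/404 512 GET http://18.104.22.168/ - HIER_DIRECT/18.104.22.168 text/html
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["method"], hit["url"], ", ".join(hit["hits"]))
```

The peer address is checked separately from the URL host so that a request to a fresh hostname resolving to one of the listed IPs is still caught. Several of the addresses sit with large hosting providers (OVH, Leaseweb, Online SAS), so treat a peer-only hit as a lead to triage rather than proof of infection, and expect the Dyre side of this to change infrastructure quickly.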