Sponsored by..

Monday 10 August 2015

Malware spam: "Gabriel Daniel" / "Resume" / "Gabriel_Daniel_resume.doc"

This fake résumé comes with a malicious attachment:

From:    alvertakarpinskykcc@yahoo.com
Date:    10 August 2015 at 19:40
Subject:    Resume
Signed by:    yahoo.com

Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter

Kind regards

Gabriel Daniel
Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro [pastebin] which has a VirusTotal detection rate of 2/56.

As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on..


So, it is pretty clear that the payload here is Cryptowall (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:

conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01


It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).

Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay.com


MD5:
e34cf893098bd17ae9ef18b04cff58aa

1 comment:

Unknown said...
This comment has been removed by the author.