Sponsored by..

Monday, 10 August 2015

Malware spam: "Gabriel Daniel" / "Resume" / "Gabriel_Daniel_resume.doc"

This fake résumé comes with a malicious attachment:

From:    alvertakarpinskykcc@yahoo.com
Date:    10 August 2015 at 19:40
Subject:    Resume
Signed by:    yahoo.com

Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter

Kind regards

Gabriel Daniel
Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro [pastebin] which has a VirusTotal detection rate of 2/56.

As far as I can tell, it appears to download a disguised JPG file from (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on..

So, it is pretty clear that the payload here is Cryptowall (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:


It also directs the visitor to various personalised ransom pages hosted on (Agava, Russia).

Recommended blocklist:


1 comment:

Rubin Azad said...
This comment has been removed by the author.