Wednesday 21 October 2015

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is simply a forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk

********************************************************************************************

This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

******************************************************************************************** 
The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending; please check back.

UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal. The Hybrid Analysis for both samples is inconclusive [1] [2].

UPDATE 2:
An analysis of the documents shows an HTTP request to:

ip1.dynupdate.no-ip.com:8245

All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.

UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:

[Screenshot; source: Malwr.com]
...then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file at %TEMP%\HichAz2.exe.
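A quick triage check for the corruption described in UPDATE 3, as an added example (Python) that is not code from the original post: it tests whether a file begins with the OLE Compound File Binary signature and, if not, whether dropping exactly one leading byte exposes a plausible CFB header. The sample bytes are constructed in memory; no real document is embedded, and the hashes reported are only there so a responder can look up both the as-received and the "fixed" form.

```python
"""Triage check for OLE documents with a spurious leading byte.

Added example, not code from the original post. All sample bytes are
constructed in memory; the header layout checks use only the CFB fields
at offsets 0x00 (signature) and 0x1E (sector shift).
"""
import hashlib

# Compound File Binary (OLE2) signature at offset 0 of a well-formed document.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_LEN = 512  # the CFB header occupies the first 512 bytes


def _plausible_cfb_header(buf: bytes) -> bool:
    """Signature plus a sane sector shift (9 -> 512-byte or 12 -> 4096-byte sectors)."""
    if len(buf) < HEADER_LEN or not buf.startswith(OLE_MAGIC):
        return False
    sector_shift = int.from_bytes(buf[0x1E:0x20], "little")
    return sector_shift in (9, 12)


def classify_ole(data: bytes) -> str:
    """Return 'ole', 'ole-shifted-1' (valid once one byte is dropped) or 'unknown'."""
    if _plausible_cfb_header(data):
        return "ole"
    if _plausible_cfb_header(data[1:]):
        return "ole-shifted-1"
    return "unknown"


def strip_leading_byte(data: bytes) -> bytes:
    """Drop the first byte only when doing so yields a plausible CFB header."""
    return data[1:] if classify_ole(data) == "ole-shifted-1" else data


def triage(data: bytes) -> dict:
    """Summary a responder can log or submit alongside a sandbox report."""
    fixed = strip_leading_byte(data)
    return {
        "class": classify_ole(data),
        "md5_as_received": hashlib.md5(data).hexdigest(),
        "md5_after_fix": hashlib.md5(fixed).hexdigest(),
        "changed": len(fixed) != len(data),
    }


def build_constructed_cfb_header() -> bytes:
    """A minimal, constructed 512-byte CFB header (not a real document)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:8] = OLE_MAGIC
    hdr[0x18:0x1A] = (0x003E).to_bytes(2, "little")  # minor version
    hdr[0x1A:0x1C] = (0x0003).to_bytes(2, "little")  # major version 3
    hdr[0x1C:0x1E] = b"\xFE\xFF"                      # little-endian byte-order marker
    hdr[0x1E:0x20] = (9).to_bytes(2, "little")        # 512-byte sectors
    return bytes(hdr)


if __name__ == "__main__":
    good = build_constructed_cfb_header()
    samples = (
        ("clean", good),
        ("shifted", b"\x00" + good),          # the extra leading byte from UPDATE 3
        ("zip", b"PK\x03\x04" + bytes(508)),  # something else entirely
    )
    for label, sample in samples:
        print(label, triage(sample))
```

Run it against a suspect file with `triage(open(path, "rb").read())`; a result of `ole-shifted-1` is exactly the "corrupt" state the post describes, and `md5_after_fix` is the hash you would expect the sandbox reports for the "fixed" documents to show.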

UPDATE 4:
The Hybrid Analysis reports for the documents [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:

www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe

At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports, in addition to this Malwr report, indicate malicious traffic to the following IPs:

89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)
The payload is probably the Shifu banking trojan.

Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49
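One way to put the indicators from UPDATE 2 and UPDATE 4 to work, as an added example (Python) that is not code from the original post: match proxy log lines against the recommended blocklist, the download hosts and path, and the no-ip lookup endpoint. The indicator values are the ones listed above; the log layout and every log line are constructed for illustration, and the client and destination addresses in them are placeholders rather than the resolved addresses of the hosts named. The no-ip request is reported at "watch" rather than "block" severity, because the post notes it is not malicious in itself.

```python
"""Match proxy log lines against the indicators from UPDATE 2 and UPDATE 4.

Added example, not code from the original post. Indicator values are from
the post; the log format and all log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Recommended blocklist from the post.
BLOCKLIST_IPS = {"89.32.145.12", "119.47.112.227", "195.154.251.123", "157.252.245.49"}
# Hosts and path the macros fetch the binary from.
PAYLOAD_HOSTS = {"www.sfagan.co.uk", "www.cnukprint.com", "www.tokushu.co.uk", "www.gkc-erp.com"}
PAYLOAD_PATH = "/56475865/ih76dfr.exe"
# IP-lookup request the document makes; benign on its own, so only a "watch" hit.
WATCH_ENDPOINT = ("ip1.dynupdate.no-ip.com", 8245)

# Assumed log layout: <ts> <client> <host>:<port> <dst_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<dst_ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def match_line(line: str) -> list:
    """Return a list of hit dicts for one log line (empty when nothing matches)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skipped, not treated as a hit
    f = m.groupdict()
    host, port = f["host"].lower(), int(f["port"])
    path = urlsplit(f["url"]).path
    hits = []
    if f["dst_ip"] in BLOCKLIST_IPS or host in BLOCKLIST_IPS:
        hits.append(("block", "destination IP on recommended blocklist"))
    if host in PAYLOAD_HOSTS and path == PAYLOAD_PATH:
        hits.append(("block", "payload download path"))
    if (host, port) == WATCH_ENDPOINT:
        hits.append(("watch", "external IP lookup seen in the document"))
    return [
        {"ts": f["ts"], "client": f["client"], "host": host, "severity": sev, "reason": why}
        for sev, why in hits
    ]


def scan_log(lines) -> list:
    """Run match_line over an iterable of log lines and collect every hit."""
    hits = []
    for line in lines:
        hits.extend(match_line(line))
    return hits


# Constructed sample log; 10.0.0.0/8 clients and 192.0.2.0/24 destinations are placeholders.
SAMPLE_LOG = """\
2015-10-21T10:20:01Z 10.0.0.15 www.example.com:80 192.0.2.10 GET http://www.example.com/ 200
2015-10-21T10:21:44Z 10.0.0.15 ip1.dynupdate.no-ip.com:8245 192.0.2.20 GET http://ip1.dynupdate.no-ip.com:8245/ 200
2015-10-21T10:21:45Z 10.0.0.15 www.cnukprint.com:80 192.0.2.30 GET http://www.cnukprint.com/56475865/ih76dfr.exe 200
2015-10-21T10:22:10Z 10.0.0.15 89.32.145.12:443 89.32.145.12 CONNECT - 200
2015-10-21T10:25:00Z 10.0.0.22 www.example.org:80 192.0.2.10 GET http://www.example.org/news 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample log the scan yields three hits for client 10.0.0.15 in sequence: the no-ip lookup (watch), the binary fetch from one of the listed hosts (block), and a connection to a blocklisted IP (block). That ordering mirrors the infection chain described in the updates, which is why the watch-level hit is worth keeping even though the request itself is harmless.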

15 comments:

Steve Basford said...

Scan has just completed...

https://www.hybrid-analysis.com/sample/e96e3d8fe9a8509d638077ad06a147703352a3309be1e0a94438b6ca84328337?environmentId=1

Sanesecurity ClamAV sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell

Cheers,
Steve (Sanesecurity.com)

Anonymous said...

My sister received this and opened it and then because she was worried, forwarded it to me and I then opened it. We had no idea it was fake, what should we do? Is it likely to cause any damage? Thank you.

Adam Hughes said...

Conrad,

I had a look at the sample and the header does seem off a bit from a normal Doc. I used forensic tools to carve the file and was able to recover some of the Doc including the macros which I dumped to text files.

Seems to be Dridex, but it appears there is something not quite right about the doc file; this could be accidental or something new. Maybe this will help in your analysis.

Adam

Conrad Longmore said...

@Adam, there's an extra byte right at the beginning of the documents which is screwing it up. If you remove it, then the malware works normally (h/t @hahn_katja).

Adam Hughes said...

looks like it creates an exe in temp called HichAz2.exe

Adam Hughes said...

@Conrad

So it does, that will teach me to rely on 'File' command without manually checking :)

Thanks for the heads up

Adam

Scuba Dude said...

Just received one today, this one also had a read receipt

ColinS said...

Mine has a read-receipt for something ending .police.au !

Steve the ginger panther said...

I've had the same :( Any advice on how to get rid of this please :)

Unknown said...

100% malware. Got this output from emulating the doc file:

Processes Spawned or Interacted with
C:\Windows\System32\conhost.exe (Started)
C:\Windows\System32\ntvdm.exe (Started)

Files Changed
C:\IO.SYS (Created)
C:\MSDOS.SYS (Created)
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSW98R6Q\ih76dfr[1].exe (Created ,Modified)
C:\Users\admin\AppData\Local\Temp\HichAz2.exe (Created ,Modified)
C:\Users\admin\AppData\Local\Temp\scsF98D.tmp (Created ,Deleted ,Modified)
C:\Users\admin\AppData\Local\Temp\scsF98E.tmp (Created ,Deleted ,Modified)

5/6
Malware Report
Unexpected Activities By Time
6
Elapsed Time Type Action
00:00:18

File Create
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSW98R6Q\ih76dfr[1].exe
00:00:18

File Write
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Wrote To C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSW98R6Q\ih76dfr[1].exe
00:00:18

File Create
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\HichAz2.exe
00:00:18

File Write
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Wrote To C:\Users\admin\AppData\Local\Temp\HichAz2.exe
00:00:18

Process Creation
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Windows\System32\ntvdm.exe
00:00:18

Process Creation
C:\Windows\System32\csrss.exe Created C:\Windows\System32\conhost.exe
00:00:19

File Create
C:\Windows\System32\ntvdm.exe Created C:\MSDOS.SYS
00:00:19

File Create
C:\Windows\System32\ntvdm.exe Created C:\IO.SYS
00:00:20

File Create
C:\Windows\System32\ntvdm.exe Created C:\Users\admin\AppData\Local\Temp\scsF98D.tmp
00:00:20

File Write
C:\Windows\System32\ntvdm.exe Wrote To C:\Users\admin\AppData\Local\Temp\scsF98D.tmp
00:00:21

File Create
C:\Windows\System32\ntvdm.exe Created C:\Users\admin\AppData\Local\Temp\scsF98E.tmp
00:00:21

File Write
C:\Windows\System32\ntvdm.exe Wrote To C:\Users\admin\AppData\Local\Temp\scsF98E.tmp
00:00:23

File Delete
C:\Windows\System32\ntvdm.exe Deleted C:\Users\admin\AppData\Local\Temp\scsF98D.tmp
00:00:23

File Delete
C:\Windows\System32\ntvdm.exe Deleted C:\Users\admin\AppData\Local\Temp\scsF98E.tmp

Unknown said...

If you want to get rid of it, try the different scanners from different vendors. Like if you use Norton, try the Sophos scanner: https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

Steve the ginger panther said...

Thanks Kristian, I'll run this now. :)

Unknown said...

Thanks to Kristian Samstad for the SOPHOS link. Sophos found the trojan on the desktop, for some reason... and removed it.

Ahmed said...

I accidentally clicked on a malware attachment "invoice_J-11671015.doc" and all my files (word, excel, ppt, pdf, jpeg) are corrupted. How do I fix this?

Email: OwensTamara770@spectrumnet.bg

Dear Ahmed,

Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Let us know if you have any questions.

We greatly appreciate your business!
Tamara Owens
Energy Future Holdings Corp. www.energyfutureholdings.com

Unknown said...

analyzing this file right now as part of a malware analysis class lol