Sponsored by..

Monday 26 October 2015

Malware spam: "#NC-242455-Zmj Your Norwich Camping Order has shipped!" / sales@norwichcamping.co.uk

This fake financial spam does not come from Norwich Camping but is instead a simple forgery with a malicious attachment:

From     "Norwich Camping" [sales@norwichcamping.co.uk]
Date     Mon, 26 Oct 2015 13:43:14 +0430
Subject     #NC-242455-Zmj Your Norwich Camping Order has shipped!

You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
payment method has now been charged.

Kind regards,
The Norwich Camping & Leisure
Attached is a file invoice-2425.doc of which I have only seen a single sample so far with a VirusTotal detection rate of 5/55. The document contains this malicious macro [pastebin] which apparently downloads a malicious binary to %TEMP%\|ZipCock32.exe

Analysis of the document and the payload is pending (please check back later), it is most likely that it downloads the Dridex banking trojan.

UPDATE:

According to this Hybrid Analysis report version of the malicious document downloads an executable from:

img1.buyersbestfriend.com/76r56e87y8/65df78.exe

This has a VirusTotal detection rate of 5/55. That report indicates malicious traffic to:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

I recommend that you block traffic to that IP.

1 comment:

Jokstar said...

There is also another domain via another version of the document:
tranquilosurf.com/~info/76r56e87y8/65df78.exe

Report here:
https://www.hybrid-analysis.com/sample/11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50?environmentId=1

For us at 10:30 the emails switch to documents@phsonline.co.uk with attachment G-A0287580036267754265.doc which appears to be the same payload and contacts the same domains.