Sponsored by..

Thursday, 5 November 2015

Malware spam: "Document from AL-KO" / info@alko.co.uk

This spam does not come from AL-KO but is instead a simple forgery with a malicious attachment:

From     [info@alko.co.uk]
Date     Thu, 05 Nov 2015 16:33:40 +0530
Subject     Document from AL-KO

This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)

Document from AL-KO.doc
Attached is a file Document from AL-KO-01.doc which probably comes in many different versions, but I've only had the chance to run two through analysis. Both are undetected by any AV vendor [1] [2] at present. The structure of the document seems unusual and I am having some difficulties seeing the malicious macros, but these two Hybrid Analysis reports [3] [4] show the macro in action, downloading from:


There will be other locations too, all downloading the same binary with a detection rate of 4/54 (MD5 39f7827813ac9bc74a4a9176c9e80487) Other automated analyses [5] [6] show network traffic to: (Digital Ocean, Singapore) (Cablevision, US)

The payload appears to be the Dridex banking trojan.

Recommended blocklist:

1 comment:

Unknown said...

Can add deklompjes.nl/~maurice/f75f9juu/009u98j9.exe as a 2nd stage download point