Sponsored by..

Tuesday, 10 November 2015

Malware spam: "Itinerary #C003NS39" / "no-reply@clicktravel.com "

This rather terse fake business spam does not come from Click Travel but is instead a simple forgery with a malcious attachment:

From: no-reply@clicktravel.com [mailto:no-reply@clicktravel.com]
Sent: Tuesday, November 10, 2015 11:21 AM
Subject: Itinerary #C003NS39

Please see document attached

Attached is a file Hotel-Fax-V0045G2B_8308427510989318361.xls which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) downloads a component from:


So far I have only seen one sample of this, there are likely to be others with different download locations but the same binary. This executable file has a detection rate of 2/55 and that VirusTotal report and this Malwr report indicate traffic to the following IP: (Agava Ltd, Russia)

I strongly recommend blocking traffic to that IP address. The payload is the Dridex banking trojan.


1 comment:

MB said...

I've seen 2 more of this dridex downloader


Cheers M