Tuesday, 8 December 2015

Malware spam: "EXB (UK) Ltd Invoice" / "Sales [sales@exbuk.co.uk]"

This fake financial spam does not come from EXB (UK) Ltd but is instead a simple forgery with a malicious attachment.

From:    Sales [sales@exbuk.co.uk]
Date:    8 December 2015 at 12:03
Subject:    EXB (UK) Ltd Invoice

Dear Sirs,

Please find attached our invoice, Thank you for your order

Best Wishes

EXB (UK) Ltd
Attached is a Word document named Invoice 1195288 from EXB (UK) Limited.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]) and which contains a complex macro [pastebin] that fails to run in automated analysis tools [4] [5] [6] [7] [8] [9].

The payload (if it works) is likely to be the Dridex banking trojan.

UPDATE
According to the comments on this post plus some other sources, the macros in these documents download from:

cabezasdealambre.eu/76re459/98uy76t.exe
mfmanastacio.com/76re459/98uy76t.exe
216.119.110.104/76re459/98uy76t.exe
That payload is identical to the one found in this earlier spam run.

1 comment:

Ricardo Dias said...

Hi,

The function pzone3 decodes the URI using var intPosition and int 42. Convert intPosition to a list in python and decode it using:
---
a = [5284, 5296, 5296, ... , 5281, 5300, 5281]
''.join([chr(i-9*42-4802) for i in a])
'hXXp://mfmanastacio.com/76re459/98uy76t.exe'
---

The hash:
0316dbd20fbfd5a098cd8af384ca950f 98uy76t.exe

VT link 4/54:
hXXps://www.virustotal.com/en/file/f32547b5bb4abe56e6ba6ba0676466735ce8aa50be4beb1d90e43438c7296030/analysis/1449579719/

Sandbox analysis:
hXXps://www.hybrid-analysis.com/sample/f32547b5bb4abe56e6ba6ba0676466735ce8aa50be4beb1d90e43438c7296030?environmentId=1
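The decoding step the comment describes, written up as an added example (not the commenter's snippet and not the macro's own code): each URL character is stored as its code point plus 9*42+4802, so the decoder subtracts that offset. It goes slightly beyond the comment by inferring the offset from the expected "http" prefix when the constants are unknown, rejecting non-printable output, and defanging the result for reporting. The sample array is constructed here to encode a placeholder URL, not the array from the real macro.

```python
# Added example: decode the integer-array URL obfuscation described in the
# comment above. Constants 42 and 4802 are the ones named there; the sample
# input below is constructed and encodes a placeholder URL, not a real one.

DEFAULT_KEY = 42     # the "int 42" argument the macro passes to its decoder
BASE_OFFSET = 4802   # constant observed in the decoder routine
DEFAULT_OFFSET = 9 * DEFAULT_KEY + BASE_OFFSET   # 5180


def decode_int_array(values, offset=DEFAULT_OFFSET):
    """Reverse the macro's encoding: chr(i - offset) for each element.
    Raises ValueError if the result is not printable ASCII, which is the
    usual sign that the offset (key) is wrong."""
    out = []
    for i in values:
        code = i - offset
        if not 32 <= code <= 126:
            raise ValueError(f"non-printable code point {code}; wrong offset?")
        out.append(chr(code))
    return "".join(out)


def infer_offset(values, known_prefix="http"):
    """Recover the offset without knowing the constants, assuming the plaintext
    starts with known_prefix (URLs almost always do). Returns None when no
    single offset maps the whole prefix consistently."""
    if len(values) < len(known_prefix):
        return None
    offset = values[0] - ord(known_prefix[0])
    if any(v - offset != ord(c) for v, c in zip(values, known_prefix)):
        return None
    return offset


def defang(url):
    """Neutralise a decoded URL so it cannot be clicked when pasted in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def encode_for_sample(text, offset=DEFAULT_OFFSET):
    """Build a constructed sample array the same way the macro encodes a URL."""
    return [ord(c) + offset for c in text]


# Constructed sample: a placeholder host, not an indicator from the page.
SAMPLE = encode_for_sample("http://example.invalid/76re459/payload.exe")

if __name__ == "__main__":
    off = infer_offset(SAMPLE)
    print("inferred offset:", off)
    print(defang(decode_int_array(SAMPLE, off)))
```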