
Thursday 10 December 2015

Malware spam: "STMT ACWL-15DEC12-120106" / "accounts@mamsoft.co.uk [statements@mamsoft.co.uk]"

This fake financial email does not come from MAM Software but is instead a simple forgery with a malicious attachment.

From:    accounts@mamsoft.co.uk [statements@mamsoft.co.uk]
Date:    10 December 2015 at 11:35
Subject:    STMT ACWL-15DEC12-120106

The following are attached to this email:
XACWL-15DEC12-120106.DOC
Attached is a file XACWL-15DEC12-120106.DOC, of which I have so far seen only one variant, with a VirusTotal detection rate of 6/54. According to the Malwr analysis, it downloads a file from:

life.1pworks.com/76t7h/76gjk.exe

There will probably be other versions of the document with different download locations. This executable has a detection rate of 2/54 and, according to this Malwr report, it contacts:

136.145.86.27 (University Of Puerto Rico, Puerto Rico)

Other analysis is pending; in the meantime I recommend blocking traffic to that IP. The payload is probably the Dridex banking trojan.

MD5s:
6e8f48e7d53ac2c8f7b863078e9050b2
fbf7c8c4f90fcfdf284c3624d6baedf7
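As an added triage example (this is not from the original post, nor anything from MAM Software or the Malwr/VirusTotal reports), the following Python script puts the indicators above to work: it checks an attachment's MD5 against the two hashes listed, looks for Word macro auto-run trigger names in both ASCII and UTF-16-LE (VBA project references inside an OLE2 .DOC container are stored as UTF-16, which is why a plain text viewer shows them with a space between every letter), and flags proxy log lines that touch the download host or the IP above. The sample document bytes and the proxy log lines are constructed for the demonstration and are not the real attachment or real traffic.

```python
from __future__ import annotations

import hashlib
import re

# Indicators quoted from the post above
KNOWN_MD5S = {
    "6e8f48e7d53ac2c8f7b863078e9050b2",
    "fbf7c8c4f90fcfdf284c3624d6baedf7",
}
DOWNLOAD_URL = "life.1pworks.com/76t7h/76gjk.exe"
C2_IP = "136.145.86.27"

# Magic bytes of an OLE2 compound file (the .DOC container that carries VBA)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Macro auto-execution entry points worth flagging in an office attachment
AUTO_TRIGGERS = ("autoopen", "auto_open", "document_open", "workbook_open")

# A run of 8+ printable ASCII characters encoded as UTF-16-LE (char, NUL, char, NUL, ...)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def utf16_strings(data: bytes) -> list:
    """Recover UTF-16-LE strings; a text viewer renders these as 'P r o j e c t'."""
    return [m.decode("utf-16-le") for m in UTF16_RUN.findall(data)]


def find_auto_triggers(data: bytes) -> list:
    """Find macro trigger names in either ASCII or UTF-16-LE, case-insensitively."""
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, so NULs survive
    return [
        name
        for name in AUTO_TRIGGERS
        if name.encode("ascii") in lowered or name.encode("utf-16-le") in lowered
    ]


def scan_attachment(data: bytes) -> dict:
    """Triage a file: hash lookup first, then structural and macro heuristics."""
    md5 = hashlib.md5(data).hexdigest()
    triggers = find_auto_triggers(data)
    is_ole = data.startswith(OLE_MAGIC)
    if md5 in KNOWN_MD5S:
        verdict = "known_bad"
    elif is_ole and triggers:
        verdict = "suspicious"
    else:
        verdict = "no_indicator"
    return {"md5": md5, "is_ole": is_ole, "triggers": triggers, "verdict": verdict}


def flag_proxy_lines(lines: list) -> list:
    """Return proxy/firewall log lines that touch the download host or the C2 IP."""
    host = DOWNLOAD_URL.split("/", 1)[0]
    return [ln for ln in lines if host in ln or C2_IP in ln]


# Constructed sample: an OLE header followed by the UTF-16-LE macro reference that an
# analyst sees spaced out in a text viewer. This is not the real attachment.
SAMPLE_DOC = (
    OLE_MAGIC
    + b"\x00" * 24
    + "Project.ThisDocument.autoopen".encode("utf-16-le")
    + b"\x00" * 8
)

# Constructed proxy log lines, not taken from any real network
SAMPLE_LOG = [
    "2015-12-10 11:41:02 10.0.0.12 GET http://life.1pworks.com/76t7h/76gjk.exe 200",
    "2015-12-10 11:41:09 10.0.0.12 CONNECT 136.145.86.27:443 -",
    "2015-12-10 11:42:00 10.0.0.15 GET http://example.org/ 200",
]

if __name__ == "__main__":
    print(scan_attachment(SAMPLE_DOC))
    print(utf16_strings(SAMPLE_DOC))
    for ln in flag_proxy_lines(SAMPLE_LOG):
        print("BLOCK/ALERT:", ln)
```

The hash check only catches the two samples seen so far; the trigger-name heuristic is what survives the "other versions with different download locations" the post anticipates, since a macro still has to hook AutoOpen (or a sibling) to run on open.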

1 comment:

Mr Windy said...

Just received this one too. I viewed it as a txt file and the line "P r o j e c t . T h i s D o c u m e n t . a u t o o p e n " rang alarm bells...