Sponsored by..

Wednesday 2 December 2015

Malware spam: "Your Adler Invoice No. UK 314433178 IN" / "service@adlerglobal.com"

This fake financial spam does not come from Adler Manufacturing Limited but is instead a simple forgery, It is meant to have a malicious attachment, but all of the samples I have seen are malformed.

From:    service@adlerglobal.com
Date:    2 December 2015 at 11:36
Subject:    Your Adler Invoice No. UK 314433178 IN

Dear Customer,

Thank you very much for having placed your order with Adler.

Your goods have been shipped. Please see attached invoice for payment of
your order.

For your convenience, you will find several payment methods described on the
attached invoice (please be sure to include your Adler Order #).

If you have any questions, feel free to contact us.

Best Regards,
Your Adler Customer Service Team

Adler Manufacturing Limited
Eastgate House, 35-43 Newport Road
Cardiff CF24 0AB
Tel.: 0800 0087 555
Fax 0800 0087 666
www.adlerglobal.com

Supposedly attached is a document MD220EML.XLS but instead all the samples I see just have a Base 64 encoded section instead. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from:

vanoha.webzdarma.cz/4367yt/p0o6543f.exe
det-sad-89.ru/4367yt/p0o6543f.exe

These download locations were seen earlier, but the payload has changed to one with a detection rate of 4/55.  Those earlier Malwr reports indicate malicious traffic to:

193.238.97.98 (PJSC DATAGROUP, Ukraine)

I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.

MD5s:
a68b72fbfb76964261a3601daa270647
5bb6f5b6dcd693af4c13e73bc6b7ed48
e81b373b90b0124b31648aa3a50ae2e7



No comments: