From: Incoming Fax [Incoming.Fax@victimdomain]
Date: 18 September 2014 at 08:39
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 28/07/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
(#2023171)Renewal Invite Letter sp.exe
Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
This has a VirusTotal detection rate of 2/55.
umontreal-ca.com (220.127.116.11 / ISP4P, Germany) is a known bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
This Hybrid Analysis report shows traffic to the following IPs:
18.104.22.168 (Huntel.net, US)
22.214.171.124 (Online SAS, France)
126.96.36.199 (OVH, Canada)
188.8.131.52 (Leaseweb, Netherlands)