Sponsored by..

Thursday, 14 January 2016

Malware spam: "Message from local network scanner" / Scann16011310150.docf

This fake document scan comes with a malicious attachment.
From:    jpaoscanner@victimdomain.tld
Date:    14 January 2016 at 10:45
Subject:    Message from local network scanner
There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.

Attached is a file Scann16011310150.docf which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The file is a Word document, despite the extension.. I don't think anything opens DOCF files by default. This is maybe an error, or perhaps some sort of social engineering, or perhaps simply a way to bypass security filters.

Analysis of these documents is pending (check back later), however this is likely to be the Dridex banking trojan. Please check back.


Analysis is running slowing this morning, however this Hybrid Analysis shows one of the samples in action, downloading a binary from:


This has a detection rate of 3/55. That same analysis reports that it phones home to: (PlusServer AG, France)

I strongly recommend that you block traffic to that IP.


These two Malwr reports [1] [2] reveal some additional download locations:


1 comment:

Hugh Gillespie said...

I have received this message, with a doc suffix without the f. I have tried and failed to delete it, or to move it to my deleted folder.