Friday, 29 January 2016

Malware spam: "Quick Question" / Resume.rtf

This spam leads to malware:

From:    Laurena Washabaugh [washabaugh.1946@rambler.ru]
Date:    29 January 2016 at 10:10
Subject:    Quick Question
Signed by:    rambler.ru

What's going on?
I was visting your website on 1/29/2016 and I'm very interested.
I'm currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.

Best regards,

Laurena Washabaugh 

The attachment is named Resume.rtf, but it is actually a DOCX file with a malicious macro [pastebin]. The document has a VirusTotal detection rate of 9/54. I haven't had time to do a detailed analysis, but these automated analyses [1] [2] [3] show it phoning home to: (Quasi Networks, Seychelles)

I recommend that you block traffic to that IP. I'm not sure what this drops, possibly ransomware. No doubt someone reading this will know :)
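
The mismatch described above, a file named .rtf whose content is a macro-bearing Office Open XML container, can be flagged at a mail gateway or during triage by sniffing the content instead of trusting the name. This is an added example, not part of the original post; the function names and the constructed sample container are assumptions for illustration.

```python
import io
import zipfile

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML files are ZIP archives

def sniff(data: bytes) -> dict:
    """Classify an attachment by content, ignoring its file name."""
    if data.lstrip()[:5] == RTF_MAGIC:
        return {"kind": "rtf", "macros": False}
    if data.startswith(OLE_MAGIC):
        return {"kind": "ole2", "macros": None}  # needs an OLE parser to decide
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"kind": "corrupt-zip", "macros": None}
        if "[Content_Types].xml" in names:
            # A VBA project is stored as a vbaProject.bin part in the archive.
            macros = any(n.lower().endswith("vbaproject.bin") for n in names)
            return {"kind": "ooxml", "macros": macros}
        return {"kind": "zip", "macros": None}
    return {"kind": "unknown", "macros": None}

def triage(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine; an empty list means nothing was flagged."""
    info = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"rtf": "rtf", "doc": "ole2", "docx": "ooxml", "docm": "ooxml"}.get(ext)
    reasons = []
    if expected and info["kind"] != expected:
        reasons.append(f"extension .{ext} but content is {info['kind']}")
    if info["macros"] and ext != "docm":
        reasons.append("VBA project present in a file not named .docm")
    return reasons

def constructed_ooxml(with_macro: bool) -> bytes:
    """Build a tiny stand-in OOXML container (constructed sample, not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage("Resume.rtf", constructed_ooxml(True)))
    print(triage("Resume.rtf", b"{\\rtf1\\ansi plain text}"))
```
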


Derek Knight said...

Analysis via a colleague

SmokinMokin said...

What can you do if you have opened the file...