Sponsored by..

Friday, 29 January 2016

Malware spam: "Quick Question" / Resume.rtf

This spam leads to malware:

From:    Laurena Washabaugh [washabaugh.1946@rambler.ru]
Date:    29 January 2016 at 10:10
Subject:    Quick Question
Signed by:    rambler.ru

What's going on?
I was visting your website on 1/29/2016 and I'm very interested.
I'm currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.

Best regards,

--
Laurena Washabaugh 

The attachment is named Resume.rtf, but is it actually a DOCX file with a malicious macro [pastebin], the document has a VirusTotal detection rate of 9/54. I haven't had time to do a detailed analysis, but these automated analyses [1] [2] [3] show it phoning home to:

89.248.166.131 (Quasi Networks, Seychelles)

I recommend that you block traffic to that IP. I'm not sure about what this drops, possibly ransomware. No doubt someone reading this will :)

2 comments:

Derek Knight said...

Analysis via a colleague
http://myonlinesecurity.co.uk/quick-question-resume-word-doc-or-excel-xls-spreadsheet-malware/

SmokinMokin said...

What can you do if you have opened the file...