Monday, 1 February 2016

Malware spam: Scanned image from copier@victimdomain.tld

This fake document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple forgery with a malicious attachment.

From:    copier@victimdomain.tld
Date:    1 February 2016 at 12:11
Subject:    Scanned image from copier@victimdomain.tld

Reply to: copier@victimdomain.tld [copier@victimdomain.tld]
Device Name: COPIER
Device Model: MX-2310U

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned document in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.

I have seen two different versions of the attached document, named in the format copier@victimdomain.tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2], and the Malwr report for one of them shows the macro downloading from:


This executable has a detection rate of 4/53, and the Hybrid Analysis report shows that it phones home to: (System Projects LLC, Russia)

I strongly recommend that you block traffic to that IP. The payload is Dridex, as seen here.
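As an added defender-side example (not code from the original post), the check below looks for the forgery pattern described above: a message whose From: claims the organisation's own domain, yet fails SPF, enters from an address outside the organisation's networks, and carries a macro-capable Office attachment. The sample message, the domain victimdomain.tld, the 192.0.2.0/24 range and the IP addresses are constructed placeholders, not indicators from the post.

```python
import email
import email.policy
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample modelled on the "Scanned image" forgery; the domain,
# addresses and IPs are documentation placeholders, not real indicators.
SAMPLE_EMAIL = """\
Received: from mail.victimdomain.tld ([192.0.2.10]) by mailstore.victimdomain.tld
Received: from [203.0.113.45] (unknown [203.0.113.45]) by mail.victimdomain.tld
Authentication-Results: mail.victimdomain.tld; spf=fail smtp.mailfrom=copier@victimdomain.tld
From: copier@victimdomain.tld
To: alice@victimdomain.tld
Subject: Scanned image from copier@victimdomain.tld
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="copier@victimdomain.tld_20160129_084903.doc"

ZmFrZQ==
--b1--
"""

def internal_spoof_indicators(raw_message, org_domain, org_networks):
    """Reasons a message whose From: claims org_domain looks like an external forgery."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if sender_domain != org_domain.lower():
        return []  # not claiming to be internal; outside the scope of this check
    reasons = []
    spf = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    if spf is None or spf.group(1).lower() != "pass":
        reasons.append("spf-not-pass")
    # Received: headers are prepended by each hop, so the last one is the earliest.
    received = msg.get_all("Received") or []
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1])) if received else None
    if ip:
        addr = ipaddress.ip_address(ip.group(1))
        if not any(addr in ipaddress.ip_network(n) for n in org_networks):
            reasons.append(f"origin-outside-org:{addr}")
    # A pseudo-device "scan" delivered as a macro-capable Office file is the lure itself.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".doc", ".docm", ".xls", ".xlsm")):
            reasons.append(f"office-attachment:{name}")
    return reasons
```

A real deployment would take the organisation's relay ranges from the mail gateway configuration and feed the returned reasons into quarantine or alerting rather than acting on any single one.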


Francesco Ferraro said...


Italian version....

VM said...

Thank you, I humbly post link to Czech version.


Thank you.

Vaclav Malek