
Wednesday, 17 February 2016

Malware spam: tracking documents / cmsharpscan@gmail.com

This fake document scan spam has a malicious attachment:

From:    cmsharpscan3589@gmail.com
Date:    17 February 2016 at 14:32
Subject:    tracking documents

Reply to: cmsharpscan@gmail.com [cmsharpscan@gmail.com]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.

I have only seen a single sample of this with an attachment cmsharpscan@gmail.com_20160217_132046.docm which has a VirusTotal detection rate of 7/54. According to the Malwr analysis of the document, the payload is the Locky ransomware and is identical to the earlier attack described here.
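
A mail-gateway style check for the traits visible in this sample, as an added example that is not part of the original post: a body that promises a DOC scan while the attachment is macro-enabled, and a scanner-style filename that embeds the "Reply to" address. The MIME layout of the constructed message, the function name `scan_lure_findings` and the heuristics themselves are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in the post (MIME layout assumed).
SAMPLE = """\
From: cmsharpscan3589@gmail.com
Subject: tracking documents
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reply to: cmsharpscan@gmail.com [cmsharpscan@gmail.com]
File Format: DOC (Medium)
Attached file is scanned image in DOC format.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="cmsharpscan@gmail.com_20160217_132046.docm"

AAAA
--b1--
"""

MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".pptm")  # macro-enabled Office formats
SCAN_NAME = re.compile(r"^(?P<addr>[^@\s]+@[^_\s]+)_\d{8}_\d{6}\.\w+$")

def scan_lure_findings(raw):
    """Return the reasons a raw message resembles the fake-scan lure (hypothetical helper)."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    m = re.search(r"^Reply to:\s*(\S+@\S+)", body, re.M)
    reply_to = m.group(1).lower() if m else ""
    if reply_to and reply_to != sender:
        findings.append("body reply-to differs from sender")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTS):
            findings.append("macro-enabled attachment: " + name)
            if re.search(r"\bin DOC format\b", body):
                findings.append("body claims DOC, attachment is macro-enabled")
        hit = SCAN_NAME.match(name)
        if hit and hit.group("addr") == reply_to:
            findings.append("scanner-style filename embeds reply-to address")
    return findings
```
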

1 comment:

Dávid Müller said...

Other hosts the variants are trying to download the binary from:

Deathbaron