Sponsored by..

Thursday, 5 May 2016

Malware spam: "DocuCentre-IV" / "Scan Data"

This fake document scan appears to come from within the victim's own domain (but this is just a simple forgery) and has a malicious attachment:

From:    DocuCentre-IV [DocuCentre1230@victimdomain.tld]
Date:    5 May 2016 at 10:27
Subject:    Scan Data

Number of Images: 1
Attachment File Type: PDF


Details vary slightly from message to message. Attached is a DOC file (not a PDF) starting with PIC, DOC or IMG in the samples I have seen plus a random number. Typical VirusTotal detection rates are 6/56 [1] [2] [3] [4] [5] [6]. Various automated analyses of these documents [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] show a binary being downloaded from the following locations:


This dropped file has a detection rate of 5/46. This Hybrid Analysis and this DeepViz report show subsequent network traffic to: (Digital Ocean, US) (Culturegrid.nl, Netherlands) (Southland Technology, US)

The characteristics of the payload suggest this is the Dridex banking trojan.

Recommended blocklist:

No comments: