Monday, 5 June 2017

Malware spam: "John Miller Limited" / "Invoice"

This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does not match the company being spoofed, and varies from message to message.

From:    Felix Holmes
Date:    5 June 2017 at 10:20
Subject:    Invoice


Felix Holmes

Kirkburn Ind. Estate
Dumfries and Galloway
DG11 2FF

Tel – 01576 208 741 (Accounts) 01576 208 747 (Main line)
Fax – 01576 208 748
Ext – 1008/1006
‘’New Website launched 30.05.2014 – visit www.[redacted].uk’’

Attached is a PDF file with a name similar to A4 Inv_Crd 914605.pdf - opening it up (NOT recommended) displays something fairly minimal.

The attachment currently has a detection rate of about 9/56. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis shows the malicious file downloading a component from cartus-imprimanta.ro/8yfh4gfff ( - HostVision SRL, Romania) although other variants possibly exist.
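A quick triage check for the kind of attachment described above, added here as an example rather than anything from the original post: it scans a PDF's raw bytes for embedded file objects and auto-run actions and flags the combination of an embedded Office-looking document with an action that fires on open. The embedded sample PDF and its file name are constructed for the example; compressed object streams can hide these tokens, so a clean result is a reason to inflate the file and look again, not proof of safety.

```python
import re

# Tokens worth flagging when triaging a PDF attachment. Compressed object
# streams (/ObjStm) can hide the others from a raw-byte scan, so their
# presence alone is a reason to inflate the file and look again.
MARKERS = {
    b"/EmbeddedFile": "embedded file stream",
    b"/Filespec": "file specification (attachment entry)",
    b"/OpenAction": "action run automatically on open",
    b"/JavaScript": "JavaScript action",
    b"/Launch": "launch action",
    b"/ObjStm": "compressed object stream (tokens may be hidden)",
}
AUTORUN = {"action run automatically on open", "JavaScript action", "launch action"}
OFFICE_EXT = re.compile(r"\.(docm?|dotm?|xlsm?|xlsb|pptm?|rtf)$", re.I)


def scan_pdf_bytes(data: bytes) -> dict:
    """Triage raw PDF bytes: count marker tokens, collect embedded file
    names from /F and /UF string entries, and flag an embedded
    Office-looking document or an embedded file paired with auto-run."""
    markers = {}
    for tok, desc in MARKERS.items():
        # Lookahead stops /EmbeddedFile from also matching /EmbeddedFiles.
        count = len(re.findall(re.escape(tok) + rb"(?![A-Za-z])", data))
        if count:
            markers[desc] = count
    names = {m.group(1).decode("latin-1")
             for m in re.finditer(rb"/U?F\s*\(([^)]*)\)", data)}
    office = sorted(name for name in names if OFFICE_EXT.search(name))
    suspicious = bool(office) or (
        "embedded file stream" in markers and bool(AUTORUN & markers.keys()))
    return {"markers": markers, "embedded_names": sorted(names),
            "office_like": office, "suspicious": suspicious}


# Constructed minimal PDF (not the real attachment) carrying an embedded
# .docm and an OpenAction, the shape the post describes.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 3 0 R >>\n"
    b"  /OpenAction << /S /JavaScript /JS (x) >> >> endobj\n"
    b"2 0 obj << /Type /Filespec /F (embedded_invoice.docm)\n"
    b"  /UF (embedded_invoice.docm) /EF << /F 4 0 R >> >> endobj\n"
    b"3 0 obj << /Names [(embedded_invoice.docm) 2 0 R] >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 3 >> stream\nabc\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    import json, sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(json.dumps(scan_pdf_bytes(data), indent=2))
```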

A file (called miniramon8.exe in the Hybrid Analysis report) is dropped, with a detection rate of 11/61. According to the Hybrid Analysis report, it attempts to communicate with the following IPs: (Tocici LLC, US) (netclusive GmbH, Germany) (Strato AG, Germany) (Digital Ocean, Germany)

The payload is not clear at this time, but it will be nothing good.

Recommended blocklist: