Sponsored by..

Tuesday 16 July 2013

"Invoice 48920" spam / doc201307161139482.doc

This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.

From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920

Thanks !!


Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
Note that the date is included into the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47.  In theory, if your copy of Microsoft Word is up-to-date you should be immune to this. VT gives the following checksums:

MD5   935e5cacde136d006ea1bb1201a3e6ef
SHA1   bc876d53ad002f1d6fd994d6717372f374d5e6dc
SHA256   8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c

The Malwr analysis shows some of the things going on, including network connections to:
mycanoweb.com (Radore Veri Merkezi Hizmetleri A.S, Turkey) (Softlayer, US) (Chungwa Telecom, Taiwan) (Hetzner, US) (Razor Inc, US)

classified.byethost11.com (Enet / XLHost, US)

myhomes.netau.net (Main Hosting, US)

UPDATE: The ThreatTrack report [pdf] shows similar characterstics, including an attempted download from [donotclick]mycanoweb.com/report/doc.exe which is a Zbot variant with a low detection rate. (Also see the Anubis, ThreatExpert and Malwr reports for that).

Most of the IPs for mycanoweb.com overlap with these belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later it there's a problem.

Recommended blocklist:

Additional IPs for Zbot component:

No comments: