Date: Wed, 30 Jul 2014 17:06:27 +0530 [07:36:27 EDT]
From: Twila Garner [3f418d9@consolacionburriana.com]
Subject: Order status -950533 30.07.2014.xls
Actually the body text isn't completely blank but does contain some bits of HTML.
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
</
But the payload is the thing. In this case there is an archive called 950533-30.07.2014.zip containing a folder named order-8301138-30.07.2014.xls, which in turn contains a malicious executable order-8301138-30.07.2014.xls.exe (a double extension chosen so the file looks like a spreadsheet when Windows hides known extensions). The executable has a VirusTotal detection rate of 6/54.
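The folder-named-like-a-document plus double-extension layout described above is easy to flag before a user opens the attachment. The following is an added example, not code from the original post: it constructs an in-memory archive with the same layout (the executable is a stand-in holding only an "MZ" marker, not the real sample) and inspects each member for a document-looking directory name, an executable extension hidden behind a document extension, and a Windows PE header.

```python
import io
import zipfile

# Extensions a recipient would read as a document or picture.
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}
# Extensions Windows will execute on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_archive() -> bytes:
    """Constructed stand-in for 950533-30.07.2014.zip with the layout the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        folder = "order-8301138-30.07.2014.xls/"
        zf.writestr(folder, b"")  # directory entry named like a spreadsheet
        # Fake payload: just a DOS "MZ" marker padded with zeros, not a real binary.
        zf.writestr(folder + "order-8301138-30.07.2014.xls.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def _suffixes(member_name: str) -> list:
    """All dotted suffixes of the last path component, lower-cased, e.g. ['.xls', '.exe']."""
    base = member_name.rstrip("/").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:]]


def find_deceptive_members(zip_bytes: bytes) -> list:
    """Return one finding per suspicious member: {'member': name, 'reasons': [...]}"""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            suffixes = _suffixes(info.filename)
            reasons = []
            if info.is_dir():
                if suffixes and suffixes[-1] in DOC_EXTS:
                    reasons.append("directory named like a document")
            elif suffixes and suffixes[-1] in EXEC_EXTS:
                reasons.append("executable extension")
                if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
                    reasons.append("double extension hides executable")
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("MZ header (Windows PE)")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_members(build_sample_archive()):
        print(finding["member"], "->", ", ".join(finding["reasons"]))
```

Checking the first two bytes catches the case where the attacker renames the executable to something outside EXEC_EXTS; checking the extension catches a non-PE dropper such as a .js or .vbs script. Run both, since a mail gateway that trusts only one of them is easy to bypass.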
The Comodo CAMAS report shows attempted downloads from the following locations:
jobengine.in/333
legusadvantage.com/333
davidtaylorartist.com/333
asustabletservisi.com/333
mycustomkidsbooks.com/333
redhorsesolutions.com/333
tencoolthings.com/333
wwwtokiodesign.com/333
extreme-bdsm-comics.com/333
A second file is downloaded from these locations with a VT detection rate of just 2/54. The CAMAS report is inconclusive.
I recommend the following blocklist:
jobengine.in
legusadvantage.com
davidtaylorartist.com
asustabletservisi.com
mycustomkidsbooks.com
redhorsesolutions.com
tencoolthings.com
wwwtokiodesign.com
extreme-bdsm-comics.com
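To act on this blocklist, match it against proxy or DNS logs rather than only the exact hostnames above, so that a www. or other subdomain of a listed domain is still caught. The following is an added example, not part of the original post: it runs the blocklist over a few constructed proxy log lines (the log format and addresses are made up for the example) and also flags the /333 path seen in this campaign as a weaker, secondary signal.

```python
from urllib.parse import urlsplit

# Domains recommended for blocking in the post.
BLOCKLIST = {
    "jobengine.in",
    "legusadvantage.com",
    "davidtaylorartist.com",
    "asustabletservisi.com",
    "mycustomkidsbooks.com",
    "redhorsesolutions.com",
    "tencoolthings.com",
    "wwwtokiodesign.com",
    "extreme-bdsm-comics.com",
}

# Constructed sample proxy log: timestamp, client IP, method, URL, status. Not real traffic.
SAMPLE_LOG = """\
2014-07-30T12:00:01Z 10.1.2.3 GET http://jobengine.in/333 200
2014-07-30T12:00:02Z 10.1.2.3 GET http://www.legusadvantage.com/333 404
2014-07-30T12:00:03Z 10.1.2.4 GET http://example.org/index.html 200
2014-07-30T12:00:04Z 10.1.2.5 GET http://cdn.example.net/333 200
2014-07-30T12:00:05Z 10.1.2.6 GET http://notjobengine.in/333 200
"""


def host_is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """True for a listed domain or any subdomain of one; 'notjobengine.in' must not match."""
    host = host.lower().rstrip(".")
    return host in blocklist or any(host.endswith("." + d) for d in blocklist)


def scan_proxy_log(text: str, blocklist=BLOCKLIST) -> list:
    """Return a hit per matching line: client, host, path and the reasons it matched."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of failing the whole scan
        timestamp, client, method, url, status = fields[:5]
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if host_is_blocked(host, blocklist):
            reasons.append("blocklisted domain")
        if parts.path == "/333":
            reasons.append("path /333 used by this campaign")
        if reasons:
            hits.append({"time": timestamp, "client": client, "host": host,
                         "path": parts.path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["host"] + hit["path"], "->", ", ".join(hit["reasons"]))
```

A /333-only hit on an unlisted host is worth a look but not an automatic block: the campaign may have moved to new domains, or it may be an unrelated site. A hit on a listed domain with any path is the one to alert on, because the client has probably already run the .xls.exe.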