Sponsored by..

Monday 4 August 2014

"Invoice 2014080420" spam

This spam has a malicious attachment:
Date:      Mon, 04 Aug 2014 20:29:43 +0900 [07:29:43 EDT]
From:      Accounts Dept [tolvan.rover@btinternet.com]
Subject:      Invoice 2014080420 dynamoo

This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.

There is an attachment INV_2014080420.zip containing a folder invoice_june2014-july2014.xls which in turn contains a malicious executable invoice_june2014-july2014.xls.scr which has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] about what it does.

UPDATE
The first part downloads a copy of Cridex from 23.92.84.52:8080/ord/1.exe which currently has a VT detection rate of 9/54. Blocking 23.92.84.52 may offer some protection.

No comments: