Sponsored by..

Thursday 11 September 2014

"rooms reservation" spam leads to a malicious Word document

This fake hotel booking email has a malicious Word document attached:
From:     Zorita [info@convividautore.it]
Date:     11 September 2014 15:02
Subject:     rooms reservation

Dear Hotel Manager,

I would like to reserve accommodation for 5 single rooms in your hotel for 7 nights for 5 guests.

Arrival date will be on 16 September.

List any special requirements attached to letter.

Thank you for your prompt attention to the above, I look forward to receiving a letter confirming my reservation.

Kind Regards
The Word document attempts to persuade the victim to remove the security settings from the application:


The text says:
This error usually occurs because of macro security settings.  To check your macro security settings, click the Microsoft Office Button, click Microsoft Word Options, click Trust Center, and then click Trust Center Settings. If macro security is set to Disable all macros without notification, all macros are automatically disabled. Use the following procedure to enable the macro. In the Trust Center dialog box, click Macro Settings, and then click Disable all macros with notification. Click OK in the Trust Center dialog box to apply the new setting. Click OK to close the program options dialog box. Close the file and the Microsoft  Word. Open the file again. A Security Alert appears in the Document Information Bar just below the ribbon. Click Enable Content to allow the macro to run.
The document itself has a VirusTotal detection rate of 9/54.

If you are foolish enough to do this, the document will then download an additional component from colfdoc.it/cart/update.exe (77.81.241.104) which in turn has a detection rate of 5/55. The ThreatTrack report [pdf] shows that the malware attempts to communicate with:

cityhotlove.com/datastat/datacoll.php (109.120.177.164)
cyklopesek.cz/css/r.pack (90.182.221.59)



I would recommend blocking the following:
109.120.177.164
cityhotlove.com
cyklopesek.cz
colfdoc.it

No comments: