Sponsored by..

Friday 5 September 2014

Shakira death hoax email comes with a malicious Word document

This Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro.

From:     El Universal [eluniversal@eluniversal.org]
Date:     5 September 2014 14:50
Subject:     Shakira muere en grave accidente

Muere Shakira en grave accidente

Esta madrugada a las 1:10 A.M. en el barrio la Macarena, Colombia. La conocida cantante e intérprete Shakira Isabel Mebarak Ripoll, sufrió un grave accidente automovilístico en el cual perdio la vida. Abordo del vehículo también se encontraba su manager, que quedó con heridas graves. Testigos, dicen que el auto conducido por este último, se dirigia a exceso de velocidad..

Para ver imágenes exclusivas y detalles de la noticia adjuntamos un documento con toda la información sobre este trágico acontecimiento.

Ampliaremos.

El Universal © todos los Derechos Reservados  2014.
This approximately translates as:

Shakira dies in serious accident
This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost herlife. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..

To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.
When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:


The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC.

This malicious document has a VirusTotal detection rate of just 2/54. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www.papeleriaelcid.com/aurora/ajax/

This type of spam seems to commonly target Spanish-speaking South American victim (like this one).

In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V.").

Blocking the papeleriaelcid.com site and rejecting emails from 207.150.195.247 might be wise if you have Spanish-speaking users.




No comments: