Sponsored by..

Friday 10 October 2014

Malware spam: "You've received a new fax" / "You have received a new secure message from BankLine"

A pair of malware spams this morning, both with the same payload:

"You've received a new fax"

From:     Fax [fax@victimdomain.com]
Date:     10 October 2014 11:34
Subject:     You've received a new fax

New fax at SCAN7097324 from EPSON by https://victimdomain.com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:


(Google Disk Drive is a file hosting service operated by Google, Inc.)

"You have received a new secure message from BankLine"

From:     Bankline [secure.message@bankline.com]
Date:     10 October 2014 10:29
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:


You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3297.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54.

According to the ThreatExpert report [pdf] the malware communicates with the following URLs which are probably worth blocking or monitoring:

No comments: