From: Therese Holden
Date: 4 November 2014 13:59
Subject: Remittance Advice November FO1864232P
Dear Sir/Madam
Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
Regards,
Therese Holden
Accounts Payable Department DUCO
The attachment is a Word document with a randomly-generated filename matching the subject of the email. It contains a malicious macro [pastebin] with a VirusTotal detection rate of 0/52 (you can see the Malwr report here; it doesn't say much). In this case the macro downloads a file from http://144.76.153.36:8080/doc/9.exe and saves it as %TEMP%\DCITXEKBIRG.exe; this executable is also poorly detected, with a detection rate of just 3/52.
The Malwr report shows that the malware reaches out to the following URLs:
http://91.222.139.45/%26RNB2/hs3SILqWzl1%24x%20/rI9sI
http://213.140.115.29/9m0/xvgsH.jTg@/NsY/75/0b50
http://213.140.115.29/1u1mS$%3D=cVE%3DUPI%7EVe94/L&%3D%20yqWbqmNh$oP/
http://213.140.115.29/ktp6rp3vnx/x%7Egxlkki%20%2D56g%7E%20=&%3Fg%3Fx4j/r+~f6j%7Efwin%2Bcywc/%24yxvmo
It also drops a DLL on the system identified by VirusTotal as Cridex.
Recommended blocklist:
91.222.139.45
213.140.115.29
144.76.153.36
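As an added example (not part of the original post), the script below turns the IoCs above into a defender's check: it derives the host blocklist from the post's URLs and scans proxy log lines for hosts that fetched the dropper or contacted the C2 URLs. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example; the URLs and IP addresses are the ones listed in the post. Matching is done on the decoded path so that a proxy that percent-encodes differently from the Malwr report still produces a hit.

```python
"""Match proxy log lines against the IoCs from the post (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Callback URLs and dropper URL exactly as listed in the post.
C2_URLS = [
    "http://91.222.139.45/%26RNB2/hs3SILqWzl1%24x%20/rI9sI",
    "http://213.140.115.29/9m0/xvgsH.jTg@/NsY/75/0b50",
    "http://213.140.115.29/1u1mS$%3D=cVE%3DUPI%7EVe94/L&%3D%20yqWbqmNh$oP/",
    "http://213.140.115.29/ktp6rp3vnx/x%7Egxlkki%20%2D56g%7E%20=&%3Fg%3Fx4j/r+~f6j%7Efwin%2Bcywc/%24yxvmo",
]
DOWNLOAD_URL = "http://144.76.153.36:8080/doc/9.exe"
IOC_URLS = C2_URLS + [DOWNLOAD_URL]

# The post's recommended blocklist.
RECOMMENDED_BLOCKLIST = {"91.222.139.45", "213.140.115.29", "144.76.153.36"}


def hosts_from_urls(urls):
    """Host part of each IoC URL. urlsplit stops the netloc at the first '/',
    so the '@' and '$' characters inside these paths do not confuse it."""
    return {urlsplit(u).hostname for u in urls}


def normalize(url):
    """Canonical (host, port, decoded path+query) so the same URL matches
    however the proxy percent-encoded it. Raises ValueError on a URL
    without a host (e.g. a relative path) or with a bad port."""
    p = urlsplit(url)
    if not p.hostname:
        raise ValueError("no host in URL: %r" % url)
    port = p.port or (443 if p.scheme == "https" else 80)
    path = unquote(p.path)
    if p.query:
        path += "?" + unquote(p.query)
    return (p.hostname.lower(), port, path)


@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    reason: str  # "known C2/dropper URL" or "blocklisted host"


def scan_log(lines, blocklist=RECOMMENDED_BLOCKLIST, ioc_urls=IOC_URLS):
    """Return one Hit per log line whose URL is a known IoC or whose host
    is on the blocklist. Malformed lines are skipped, not fatal."""
    known = {normalize(u) for u in ioc_urls}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # constructed format: ts client method url [status]
        ts, client, _method, url = parts[:4]
        try:
            norm = normalize(url)
        except ValueError:
            continue
        if norm in known:
            hits.append(Hit(ts, client, url, "known C2/dropper URL"))
        elif norm[0] in blocklist:
            hits.append(Hit(ts, client, url, "blocklisted host"))
    return hits


def affected_clients(hits):
    """Sorted list of internal hosts that need triage."""
    return sorted({h.client for h in hits})


# Constructed sample log: one client fetches the dropper and calls back,
# another hits a callback URL encoded slightly differently from the report.
SAMPLE_LOG = """\
2014-11-04T14:02:11Z 10.0.0.15 GET http://144.76.153.36:8080/doc/9.exe 200
2014-11-04T14:02:19Z 10.0.0.15 POST http://213.140.115.29/9m0/xvgsH.jTg@/NsY/75/0b50 200
2014-11-04T14:02:40Z 10.0.0.15 GET http://213.140.115.29/some/other/path 404
2014-11-04T14:03:02Z 10.0.0.22 GET http://www.example.com/index.html 200
2014-11-04T14:03:30Z 10.0.0.22 GET http://91.222.139.45/&RNB2/hs3SILqWzl1$x%20/rI9sI 200
garbage line
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.timestamp, hit.client, hit.reason, hit.url)
    print("clients to triage:", affected_clients(SAMPLE_LOG and scan_log(SAMPLE_LOG)))
```

Matching on the host alone is deliberately coarser than matching the full URL: the post lists four distinct paths on 213.140.115.29, and a sample that requests a fifth should still be flagged. Logs that record only `CONNECT host:port` would need the host taken from that field instead of from a URL.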
3 comments:
Just finished my analysis 5 minutes ago, see malwr report below along with the "dropper" url encoded in the macro which was different from the one you've found.
178.77.73.206
https://malwr.com/analysis/NzA5NWJmNmU5Y2E2NDEwM2E0MzlhY2Q4OWRlZWU0MjE/
Regards,
Jake
http://sanesecurity.blogspot.co.uk/2014/11/remittance-advice-november-word-malware.html
I think usually there are a few different versions of the document, so far I have only seen two samples with the same document attached.