Sponsored by..

Friday 21 November 2014

"Duplicate Payment Received" spam from "Enid Tyson" has a malicious DOC

This fake financial spam has a malicious Word document attached.

From:     Enid Tyson
Date:     21 November 2014 15:36
Subject:     INV209473A Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks

Enid Tyson
Accounts Department
In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro [pastebin] which connects to the following URL:

http://79.137.227.123:8080/get1/get1.php

I only have one sample at the moment, there are probably other download locations, the This then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe.

This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].

UPDATE:
A second version is going the rounds, with zero detections  and a download location of

http://61.221.117.205:8080/get1/get1.php

A copy of the malicious macro can be found here.

No comments: