From: Enid Tyson
Date: 21 November 2014 15:36
Subject: INV209473A Duplicate Payment Received

Good afternoon,
I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out to or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you.
Many thanks
Enid Tyson
Accounts Department

In this case the attachment is De_209473A.doc but it will probably vary with the subject name. The document itself has zero detections at VirusTotal (the Malwr report is inconclusive). It contains a malicious macro [pastebin] which connects to the following URL:
http://79.137.227.123:8080/get1/get1.php
This then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe. I only have one sample at the moment, there are probably other download locations.
This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].
UPDATE:
A second version is going the rounds, with zero detections and a download location of
http://61.221.117.205:8080/get1/get1.php
A copy of the malicious macro can be found here.
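Both download locations reported above share the same port and path (8080, /get1/get1.php), which is a more durable indicator than either IP on its own. The script below is an added example, not code from the original post: it scans proxy log lines for the two reported URLs and, as a generalisation the post does not state but its "probably other download locations" remark invites, for any request to /get1/get1.php on port 8080 of a bare IP host. The log lines are constructed for illustration (Squid-style timestamp, client, status, method, URL); the log format and the client addresses are assumptions.

```python
"""Proxy-log detection for the get1.php macro downloader.

Added example, not part of the original post.  The sample log lines are
constructed; the two known URLs are the download locations reported in
the post, everything else is an assumption for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Download locations reported in the post (first sample and the UPDATE).
KNOWN_DOWNLOAD_URLS = {
    "http://79.137.227.123:8080/get1/get1.php",
    "http://61.221.117.205:8080/get1/get1.php",
}

# Generalisation (assumption): further download locations are expected, so
# also flag any request for the same path on the same port of a bare IP host.
GENERIC_PATH = "/get1/get1.php"
GENERIC_PORT = 8080
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed Squid-style access log: timestamp, client, status, method, URL.
# 203.0.113.9 is a documentation address standing in for an unknown host.
SAMPLE_LOG = """\
1416584161.102 10.0.0.15 TCP_MISS/200 GET http://www.example.com/index.html
1416584162.337 10.0.0.15 TCP_MISS/200 GET http://79.137.227.123:8080/get1/get1.php
1416584170.001 10.0.0.22 TCP_MISS/200 GET http://203.0.113.9:8080/get1/get1.php
1416584171.551 10.0.0.22 TCP_MISS/200 GET http://203.0.113.9:80/get1/get1.php
1416584180.900 10.0.0.31 TCP_MISS/200 GET http://61.221.117.205:8080/get1/get1.php
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def classify(url: str) -> Optional[str]:
    """Return 'known' for a reported URL, 'generic' for the port/path pattern, else None."""
    if url in KNOWN_DOWNLOAD_URLS:
        return "known"
    p = urlparse(url)
    if (
        p.scheme == "http"
        and p.port == GENERIC_PORT
        and p.path == GENERIC_PATH
        and p.hostname
        and BARE_IP.match(p.hostname)
    ):
        return "generic"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, match_kind) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        kind = classify(m.group("url"))
        if kind:
            hits.append((m.group("client"), m.group("url"), kind))
    return hits


if __name__ == "__main__":
    for client, url, kind in scan_log(SAMPLE_LOG):
        print(f"{kind:7} {client} -> {url}")
```

The generic rule deliberately requires port 8080 and a bare IP host: the same path on port 80 is not flagged, so a hit on a host not listed in the post is a lead to confirm against the payload (test.exe dropped as a random name under %TEMP%), not a verdict on its own.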