
Tuesday 11 November 2014

"Duplicate Payment Received" spam has a malicious Word DOC attached

This email comes with a malicious Word document attached:

From:     Margery George
Date:     11 November 2014 11:50
Subject:     INV634746Q Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £689.75 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out to or if bank transfer, please advise bank details.

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you.

Many thanks
The reference number in the subject is randomly generated and is reflected in the filename (in this case De_634746Q.doc). There are two different variants I have seen, both with low detection rates at VirusTotal [1] [2]. These contain two slightly different malicious macros [1] [2] [pastebin] which download a file test.exe from one of the following locations:

http://62.76.180.133/get/get.php
http://62.76.189.108/get/get.php


Note that the IPs are very close, and both belong to Clodo-Cloud / IT House Ltd in Russia. The file is then copied to %TEMP%\NYHEFLJDPZR.exe which has a VirusTotal detection rate of just 1/53.

According to the Malwr report this malicious binary then connects to the following URLs:

http://178.254.57.146/6e@YL/Pjys_~ik/XTuG_XcFEWZpmmB%2C
http://213.140.115.29/G7uwLNQS7fpyGnLHM6qt.HlqA%7Ekp/$O%20FlsN%2C9%3FnC52/wmk.ka.JM%3D%7EpuQ8.I5.4S5
http://213.140.115.29/tUoRAgJ%3DK9V/iwrsseF9oo+z%2DO%2BpbMS/ZY%2BuPUzJI6
http://213.140.115.29/uf432orqHmh&ihs/%24p2z7El%3Fe6ea%2D%2Cxg8_zbu2$zF7t%26j$73sS%2B/%2B%3F3w%2Dh%3D


It also drops a malicious DLL which has only some generic VirusTotal detection, but is probably Cridex or Dridex.

Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108
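As an added example (not part of the original post), here is a small Python script that turns the indicators above, the blocklisted IPs, the two dropper download URLs, the De_NNNNNNX.doc attachment naming pattern and the dropped %TEMP% executable name, into checks that can be run over proxy log lines. The log format is an assumption for the example (one line per request: timestamp, client IP, method, URL, status), and the sample lines are constructed, not real traffic:

```python
"""Match proxy log lines and file names against the IoCs listed in the post.

Example code added for illustration; the log line format below is an
assumption, and SAMPLE_LOG is constructed sample data, not real traffic.
"""
import re
from urllib.parse import urlparse

# Recommended blocklist from the post (exact IPs only; the post notes that the
# two 62.76.x.x hosts share a provider, but does not recommend a wider block).
BLOCKLIST_IPS = {
    "178.254.57.146",
    "213.140.115.29",
    "62.76.180.133",
    "62.76.189.108",
}

# URLs the macro uses to fetch test.exe, as listed in the post.
DOWNLOAD_URLS = {
    "http://62.76.180.133/get/get.php",
    "http://62.76.189.108/get/get.php",
}

# Attachment name: "De_" + six digits + one letter + ".doc" (e.g. De_634746Q.doc).
ATTACHMENT_RE = re.compile(r"^De_\d{6}[A-Z]\.doc$", re.IGNORECASE)

# Name the downloaded file is copied to under %TEMP%, per the post.
DROPPED_EXE = "NYHEFLJDPZR.exe"

# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def indicators_in_url(url):
    """Return the list of indicator names a URL matches (empty list = clean)."""
    reasons = []
    host = urlparse(url).hostname or ""
    if host in BLOCKLIST_IPS:
        reasons.append("blocklisted-ip:" + host)
    if url in DOWNLOAD_URLS:
        reasons.append("dropper-download-url")
    return reasons


def scan_log(lines):
    """Return (client_ip, url, reasons) for every log line that hits an IoC.

    Lines that do not match the assumed format are skipped rather than
    raising, so a partially corrupted log does not abort the scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        reasons = indicators_in_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def is_suspicious_attachment(filename):
    """True if an attachment name follows the De_NNNNNNX.doc scheme."""
    return bool(ATTACHMENT_RE.match(filename))


def is_dropped_binary(path):
    """True if a Windows path ends in the dropped executable's file name."""
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() == DROPPED_EXE.lower()


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    "2014-11-11T11:52:03 10.0.0.15 GET http://62.76.180.133/get/get.php 200",
    "2014-11-11T11:52:09 10.0.0.15 GET http://178.254.57.146/6e@YL/Pjys_~ik/XTuG_XcFEWZpmmB%2C 200",
    "2014-11-11T11:53:40 10.0.0.22 GET http://www.example.com/index.html 200",
    "not a well-formed log line",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
    print(is_suspicious_attachment("De_634746Q.doc"))
    print(is_dropped_binary(r"C:\Users\bob\AppData\Local\Temp\NYHEFLJDPZR.exe"))
```

Matching is deliberately exact on the IPs and download URLs; the other three URLs from the Malwr report carry what look like per-request random paths, so the host IP is the stable indicator for those, which is what the blocklist in the post relies on.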


2 comments:

Chris said...

Hi, these VBAs are becoming quite complicated. Have you found any automated methods to debug them? I'm jumping straight to a breakpoint on the .SEND method but was thinking there may be a way to use the CSCRIPT/WSCRIPT DOS command line VBA interpreter and pull variable values out that way, which could provide a way to analyze these malicious Word documents in bulk.

Conrad Longmore said...

@Chris: once you extract the macro it isn't so difficult to debug, but it keeps getting obfuscated in ways that make it hard to do automatically I guess.