From: Interfax [uk@interfax.net]
Date: 13 November 2014 20:29
Subject: Failed Fax Transmission to 01616133969@fax.tc<00441616133969>
Transmission Results Destination Fax: 00441616133969 Contact Name: 01616133969@fax.tc Start Time: 2014/11/13 20:05:27 End Time: 2014/11/13 20:29:00 Transmission Result: 3220 - Communication error Pages sent: 0 Subject: 140186561.XLS CSID: Duration (In Seconds): 103 Message ID: 485646629
Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net
Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysis this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe
This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:
http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E
It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53.
If you are a corporate email admistrator they you might consider blocking .DOCM files at the perimeter as I can see no valid reason these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.
3 comments:
Good for you for taking action. I received your email with a link to your site. I certainly didn't send the offending message. blanchas@telus.net
There's a newer one new, but still based on Interfax and fax sending/receiving. It notifies the user of receiving a new "fax" which is a ".doc.js" packed in a .zip archive. Full writeup here.
Yes I'm also receiving packed js files from Interfax lately.
Obviously, there's no reason to send a fz as an executable.
Legit faxes would be pdfs or even jpgs.
Post a Comment