Wednesday, 24 December 2014

Malware spam: Rhianna Wellings / Rhianna@teckentrupdepot.co.uk / Signature Invoice 44281

Teckentrup Depot UK is a legitimate UK company, but these emails are not from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are not responsible for this in any way.

From:    Rhianna Wellings [Rhianna@teckentrupdepot.co.uk]
Date:    24 December 2014 at 07:54
Subject:    Signature Invoice 44281

Your report is attached in DOC format.

To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/

Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro [1] [2] [pastebin] which then downloads an additional component from one of these two locations:

http://Lichtblick-tiere.de/js/bin.exe
http://sunfung.hk/js/bin.exe

The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56. The ThreatExpert report shows traffic to the following IPs:

74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)

According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56, detected as the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere.de
sunfung.hk
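As an added example (not part of the original post), the script below turns the indicators listed above into a small detector that a defender could run over proxy logs: it matches the blocklisted IPs and domains (including subdomains, but not look-alike hosts such as `sunfung.hk.example.net`), flags the `/js/bin.exe` download path used by both URLs, and checks file paths for the `%TEMP%` dropper name. The log lines, the client IPs and the log format are constructed for the example; only the indicators come from the post.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the post: the recommended blocklist plus the two download URLs.
BLOCKED_IPS = {"74.208.11.204", "81.169.156.5", "59.148.196.153"}
BLOCKED_DOMAINS = {"lichtblick-tiere.de", "sunfung.hk"}
DOWNLOAD_PATH = "/js/bin.exe"
DROPPED_FILE = "1V2MUY2XWYSFXQ.exe"   # saved under %TEMP% according to the post

# Constructed sample proxy log (not real traffic), one request per line:
# <unix time> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
1419407640 10.0.0.12 GET http://www.example.com/index.html 200
1419407702 10.0.0.33 GET http://Lichtblick-tiere.de/js/bin.exe 200
1419407745 10.0.0.33 POST http://74.208.11.204/ 200
1419407800 10.0.0.51 GET http://sunfung.hk.example.net/ 200
1419407833 10.0.0.33 GET http://cdn.sunfung.hk/js/bin.exe 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def matched_domain(host):
    """Return the blocklisted domain that host equals or is a subdomain of, else None.
    Suffix matching on '.' + domain avoids false hits on hosts like sunfung.hk.example.net."""
    host = host.lower().rstrip(".")
    for domain in BLOCKED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def matched_ip(host):
    """Return the blocklisted IP if host is a literal address on the list, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return str(ip) if str(ip) in BLOCKED_IPS else None


def url_reasons(url):
    """List every reason a URL matches this campaign's indicators (empty list if clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    domain = matched_domain(host)
    if domain:
        reasons.append(f"blocklisted domain {domain}")
    ip = matched_ip(host)
    if ip:
        reasons.append(f"blocklisted IP {ip}")
    if parsed.path.lower().endswith(DOWNLOAD_PATH):
        reasons.append(f"download path {DOWNLOAD_PATH} seen in this campaign")
    return reasons


def scan_proxy_log(text):
    """Return (line number, client ip, url, reasons) for every log line that matches."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        reasons = url_reasons(match["url"])
        if reasons:
            hits.append((number, match["client"], match["url"], reasons))
    return hits


def is_campaign_dropper(path):
    """True if a Windows or POSIX file path ends in the dropper name from the post."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == DROPPED_FILE.lower()


if __name__ == "__main__":
    for number, client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {number}: {client} -> {url}: {'; '.join(reasons)}")
```

Both the domain match and the path match fire on the same `bin.exe` request, which is the point of keeping several weak indicators: an attacker can move the payload to a new host far more easily than change every detail at once, so the `/js/bin.exe` path and the `%TEMP%` filename are worth checking even after the listed hosts go quiet.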

3 comments:

  2. Conrad, what do you use to analyse these macros and get the download locations of the Dridex?

  3. @Derek, you can extract the macro with OfficeMalScanner and then it is a question of deobfuscating the VB script. Because it's an interpreted language, that can be fairly easy (you can use its own code against it).
