From: Mathew Doleman [order@lightmoorhomes.co.uk]
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010

Thank you for using our services!

Your order #98348936010 will be shipped on 08-12-2014.

Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB

Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)

Best regards,
Sales Department
Mathew Doleman
+07966 566663

The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors. Some investigation shows that it contains a malicious macro [pastebin].
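The mismatch described above (a ZIP-based OOXML document carrying a `.doc` name, with a VBA project inside) is something a mail gateway or triage script can catch from the bytes alone. The following is an added example, not code from the original post: it classifies the container by magic bytes, flags a name/format mismatch, and looks for the `vbaProject.bin` part that marks a macro-enabled OOXML file. The sample documents it builds are constructed in memory purely for the demonstration.

```python
import io
import zipfile

# Magic bytes of the two Word container formats.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # Compound File Binary: legacy .doc/.dot
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a ZIP archive

# Container each extension is expected to use.
EXPECTED = {"doc": "ole", "dot": "ole", "docx": "ooxml", "docm": "ooxml"}


def detect_container(data: bytes) -> str:
    """Classify the real container format from its leading bytes, ignoring the name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ooxml_has_vba(data: bytes) -> bool:
    """An OOXML document stores VBA macros as a vbaProject.bin part inside the ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return what the file really is and whether it deserves a closer look."""
    container = detect_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and container != expected
    # Macro check is only implemented for the OOXML container here; OLE macros
    # live in CFB streams and need an OLE parser (e.g. oletools) instead.
    has_macro = ooxml_has_vba(data) if container == "ooxml" else None
    return {
        "container": container,
        "extension_mismatch": mismatch,
        "has_macro": has_macro,
        "suspicious": mismatch or bool(has_macro),
    }


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP, with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xD0\xCF\x11\xE0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # The attachment name from the post, paired with a constructed macro-bearing OOXML body.
    print(triage_attachment("2014-12-4_12-32-28_98348936010.doc", build_sample_docx(True)))
    print(triage_attachment("report.docx", build_sample_docx(False)))
```

Word opens an OOXML body under a `.doc` name without complaint, so the mismatch itself is a useful signal even before the macro check runs.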
The macro downloads a file from http://hiro-wish.com/js/bin.exe which is completely undetected by any AV vendor at present. According to the internal data, this is a Windows Media Player component although the compile date is today so this seems unlikely.
Developer metadata

Copyright: © Microsoft Corporation. All rights reserved.
Publisher: Microsoft Corporation
Product: Microsoft® Windows® Operating System
Original name: wmadmod.dll
Internal name: wmadmod.dll
File version: 11.0.5721.5145 (WMP_11.061018-2006)
Description: Windows Media Audio Decoder

PE header basic information

Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2014-12-05 06:30:06
Entry Point: 0x00006460
Number of sections: 3
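The reasoning above (a version string that says 2006 on a binary linked today) can be automated. This added example, not from the original post, reads the COFF `TimeDateStamp` straight from the PE header with the standard library and compares it with the build date embedded in a Microsoft-style version tag such as `WMP_11.061018-2006` (the `YYMMDD` before the dash). The PE image it builds is a constructed stub with only the headers needed for the check; the one-year tolerance is an assumed threshold.

```python
import re
import struct
from datetime import datetime, timezone


def coff_timestamp(pe: bytes) -> datetime:
    """Read TimeDateStamp from the COFF file header of a PE image (UTC)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_date_from_version(version: str):
    """Microsoft build tags carry the build date as YYMMDD, e.g. WMP_11.061018-2006."""
    m = re.search(r"\.(\d{6})-\d{4}", version)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%y%m%d").replace(tzinfo=timezone.utc)


def compile_date_plausible(pe: bytes, version: str, slack_days: int = 365) -> bool:
    """False when the link time is far later than the build date the version claims.

    slack_days is an assumed tolerance for rebuilds and servicing releases."""
    compiled = coff_timestamp(pe)
    claimed = build_date_from_version(version)
    if claimed is None:
        return True  # no embedded build date to compare against
    return (compiled - claimed).days <= slack_days


def make_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample: just enough of a PE image to carry a COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS stub
    # Machine=i386, 3 sections, the given timestamp, no symbols, no optional header.
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\x00\x00" + coff


VERSION_FROM_POST = "11.0.5721.5145 (WMP_11.061018-2006)"

if __name__ == "__main__":
    # 1417761006 is 2014-12-05 06:30:06 UTC, the compile time shown in the post.
    fake = make_minimal_pe(1417761006)
    print(coff_timestamp(fake), compile_date_plausible(fake, VERSION_FROM_POST))
```

A real decoder from the WMP 11 era would have been linked within days of its build tag; a 2014 link time against a 2006 tag is exactly the discrepancy the post flags.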
74.208.11.204 (1&1 Internet, US)
203.172.141.250 (Ministry of Education, Thailand)
The VirusTotal report shows it phoning home to:
46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)
Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish.com