Friday 5 December 2014

"Mathew Doleman" / "lightmoorhomes.co.uk" spam comes with a malicious Word document

This spam came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.

From: Mathew Doleman [order@lightmoorhomes.co.uk]
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010

Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.

Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB

Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)

Best regards,
Sales Department
Mathew Doleman
+07966 566663
The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors. Some investigation shows that it contains a malicious macro [pastebin].
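The extension-versus-container mismatch described above is cheap to check at a mail gateway or in a triage script: a legacy .DOC starts with the OLE compound-file signature, whereas a .DOCX is a zip package, and a zip package that carries a word/vbaProject.bin part contains VBA macros. The following is an added example (not from the original post) that performs both checks; the sample package it builds is constructed in memory and is not the real attachment.

```python
import io
import zipfile

# Magic bytes for the two container formats a file named ".doc" might really be.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary Word (.doc)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a zip


def container_type(data: bytes) -> str:
    """Classify the container by its leading bytes, ignoring the filename."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ooxml_has_vba(data: bytes) -> bool:
    """True if the OOXML package carries a VBA project part (word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = {n.lower() for n in z.namelist()}
    except zipfile.BadZipFile:
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def triage(filename: str, data: bytes) -> dict:
    """Return the detected container plus a list of human-readable findings."""
    kind = container_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if ext == "doc" and kind == "ooxml":
        findings.append("extension says legacy .doc but content is an OOXML zip package")
    if kind == "ooxml" and ooxml_has_vba(data):
        findings.append("OOXML package contains vbaProject.bin (VBA macro present)")
    return {"container": kind, "findings": findings}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(with_macro=True)
    print(triage("2014-12-4_12-32-28_98348936010.doc", sample))
```

A gateway rule built on this would quarantine any ".doc" whose container is OOXML and which carries a VBA part; the check is independent of AV signatures, which is why it still fires on a freshly built document.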

The macro downloads a file from http://hiro-wish.com/js/bin.exe which is completely undetected by any AV vendor at present. According to its version metadata, this is a Windows Media Player component, although the compile date is today, so this seems unlikely.

Developer metadata
Copyright: © Microsoft Corporation. All rights reserved.
Publisher: Microsoft Corporation
Product: Microsoft® Windows® Operating System
Original name: wmadmod.dll
Internal name: wmadmod.dll
File version: 11.0.5721.5145 (WMP_11.061018-2006)
Description: Windows Media Audio Decoder

PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2014-12-05 06:30:06
Entry Point: 0x00006460
Number of sections: 3
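The giveaway in the metadata above is the contradiction between the COFF header's compilation timestamp (the day of the spam run) and the version string, whose WMP_11.061018-2006 tag follows Microsoft's usual YYMMDD-HHMM build-label convention and so claims an October 2006 build. The script below is an added example (not from the original post) that reads TimeDateStamp from a PE header, parses the build tag, and flags both the multi-year gap and a compile time within a day of observation. The PE it builds is a constructed header-only stub with the timestamp from this post, not the real bin.exe.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Values taken from the post, used for the constructed sample and the demo.
SAMPLE_COMPILE_TIME = datetime(2014, 12, 5, 6, 30, 6, tzinfo=timezone.utc)
SAMPLE_FILE_VERSION = "11.0.5721.5145 (WMP_11.061018-2006)"
SAMPLE_OBSERVED = datetime(2014, 12, 5, 12, 0, 0, tzinfo=timezone.utc)


def pe_timestamp(data: bytes):
    """Read TimeDateStamp from the COFF header; return None if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_tag_date(file_version: str):
    """Parse the YYMMDD build tag in a Microsoft version string, e.g. 'WMP_11.061018-2006' -> 2006-10-18.
    Assumption: the tag uses the YYMMDD-HHMM convention seen in Microsoft binaries."""
    m = re.search(r"\.(\d{2})(\d{2})(\d{2})-\d{4}", file_version)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    return datetime(2000 + yy, mm, dd, tzinfo=timezone.utc)


def check_timestamp(data: bytes, file_version: str, observed: datetime,
                    max_drift_days: int = 365) -> list:
    """Return findings that suggest the version resource does not match the real build."""
    compiled = pe_timestamp(data)
    if compiled is None:
        return ["not a PE file"]
    findings = []
    tag = build_tag_date(file_version)
    if tag is not None and compiled - tag > timedelta(days=max_drift_days):
        findings.append(f"compiled {compiled:%Y-%m-%d} but version tag claims build {tag:%Y-%m-%d}")
    if abs(observed - compiled) < timedelta(days=1):
        findings.append("compiled within a day of being observed in the wild")
    return findings


def build_sample_pe(timestamp: datetime) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header only (not loadable)."""
    ts = int(timestamp.timestamp())
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # e_lfanew at 0x3C
    # Machine=0x14C (i386), 3 sections, timestamp, then zeroed remaining COFF fields
    coff = struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


def demo() -> list:
    """Run the check against the constructed stub with the post's metadata."""
    return check_timestamp(build_sample_pe(SAMPLE_COMPILE_TIME),
                           SAMPLE_FILE_VERSION, SAMPLE_OBSERVED)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Neither finding is proof of malice on its own (timestamps can be rewritten, and legitimate hotfixes are compiled shortly before release), but a file claiming to be a 2006 Windows component with a same-day compile time is a strong triage signal when AV detection is zero.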
The ThreatTrack report and ThreatExpert report indicate traffic to the following locations that you wouldn't expect a legitimate MS application to call home to:

74.208.11.204 (1&1 Internet, US)
203.172.141.250 (Ministry of Education, Thailand)

The VirusTotal report shows it phoning home to:

46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)

Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish.com
