From: Quinton
Date: 23 January 2015 at 08:18
Subject: 2014 Tax payment issue
According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).
Regards
Quinton
Tax Inspector
-----------------
From: Tara Morris
Date: 23 January 2015 at 09:28
Subject: Your tax return was incorrectly filled out
Attention: Accountant
This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).
Attached is a Word document with a random name, but always starting with "TAX_". Examples include:
TAX_42592OE.doc
TAX_381694AI.doc
TAX_59582FZ.doc
There are two different variants of this Word document that I have seen so far, neither of which is detected by AV vendors [1] [2]. Each contains one of two malicious macros [1] [2] that download a file 20.exe from the following URLs:
http://37.139.47.221:8080/koh/mui.php
http://95.163.121.82:8080/koh/mui.php
This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive; other analysis is pending.
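The indicators above (attachment name, download URLs, dropped file) can be checked against mail, proxy and endpoint logs to see how far each host got. This is an added example, not part of the original post: the event schema, host names and severity labels are hypothetical, and the attachment regex is an assumption generalised from the three sample filenames.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the post; the regex generalises its three sample names (assumption).
ATTACHMENT_RE = re.compile(r"^TAX_\w+\.doc$", re.IGNORECASE)
DOWNLOAD_HOSTS = {"37.139.47.221", "95.163.121.82"}
DOWNLOAD_PORT, DOWNLOAD_PATH = 8080, "/koh/mui.php"
DROPPED_NAME = "gyhjksdf.exe"  # compared case-insensitively
SEVERITY = {"payload_executed": "compromised", "payload_download": "download_attempted",
            "lure_attachment": "lure_delivered"}  # insertion order = priority

def classify(event):
    """Return the indicator label an event matches, or None."""
    kind, value = event["kind"], event["value"]
    if kind == "mail_attachment" and ATTACHMENT_RE.match(value):
        return "lure_attachment"
    if kind == "http_request":
        try:
            url = urlsplit(value)
            target = (url.hostname, url.port, url.path)
        except ValueError:  # malformed URL or port in the log line
            return None
        if target[0] in DOWNLOAD_HOSTS and target[1:] == (DOWNLOAD_PORT, DOWNLOAD_PATH):
            return "payload_download"
    if kind == "process_start":
        # Windows path: file name must match and a Temp directory must precede it.
        parts = value.lower().split("\\")
        if parts[-1] == DROPPED_NAME and "temp" in parts[:-1]:
            return "payload_executed"
    return None

def triage(events):
    """Map each host to (severity, sorted matched indicator labels)."""
    hits = defaultdict(set)
    for ev in events:
        if (label := classify(ev)):
            hits[ev["host"]].add(label)
    return {host: (next(s for ind, s in SEVERITY.items() if ind in labels), sorted(labels))
            for host, labels in hits.items()}

# Constructed sample events; host names and the event schema are hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "mail_attachment", "value": "TAX_42592OE.doc"},
    {"host": "ws-02", "kind": "http_request", "value": "http://37.139.47.221:8080/koh/mui.php"},
    {"host": "ws-03", "kind": "http_request", "value": "http://95.163.121.82:8080/koh/mui.php"},
    {"host": "ws-03", "kind": "process_start", "value": r"C:\Users\a\AppData\Local\Temp\GYHjksdf.exe"},
    {"host": "ws-04", "kind": "mail_attachment", "value": "Q4_report.doc"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns one entry per host that matched at least one indicator, with the most advanced stage deciding the severity.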
1 comment:
I got this one this morning. It reads like something from the 1990s with its "tax period" and "wrong legal address" and ending with that charming "regards".
I suppose the guys who write the complex macros in the attachments don't have the time to spend on the email itself.