From: Monika [monika.goetz@bigk.co.uk]
Date: 20 January 2015 at 07:18
Subject: Proforma Invoice
Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
Kind regards,
Monika Goetz
Sales & Marketing Co-ordinator
The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro [pastebin] which attempts to download a binary from:
http://solutronixfze.com/js/bin.exe
...which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56 and the Malwr report shows it attempting to phone home to:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These IPs have been used many times in similar recent attacks and I recommend you block them.
It also drops a DLL with a VirusTotal detection rate of 2/57. The payload appears to be the Dridex banking trojan.
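As an added example (not part of the original post), the Python script below turns the indicators listed above (the download URL, its domain and the two phone-home IPs) into a simple log check: it scans proxy and firewall lines and lists the internal hosts that touched any indicator, which is the first thing you want after blocking the IPs. The Squid-style and iptables-style log formats, the internal addresses, timestamps and every log line are constructed for the example; only the indicators come from the post.

```python
"""Check proxy and firewall logs for the indicators named in the post."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Indicators taken from the post above. Everything else in this file
# (log formats, internal hosts, timestamps, sample lines) is constructed.
IOC_DOMAINS = {"solutronixfze.com"}
IOC_URLS = {"http://solutronixfze.com/js/bin.exe"}
IOC_IPS = {"59.148.196.153", "74.208.11.204"}

Alert = namedtuple("Alert", ["line_no", "src", "kind", "indicator"])

# Squid-style access log (assumed format):
# "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
PROXY_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
# iptables-style kernel log line (assumed format) with SRC= and DST= fields.
FW_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})")


def match_url(url):
    """Return (kind, indicator) if the URL hits an indicator, else None."""
    if url.lower() in IOC_URLS:
        return ("url", url)
    host = (urlsplit(url).hostname or "").lower()
    if host in IOC_DOMAINS:
        return ("domain", host)
    if host in IOC_IPS:
        return ("ip", host)
    return None


def scan_line(line_no, line):
    """Classify one log line; return an Alert on a hit, otherwise None."""
    m = PROXY_RE.match(line)
    if m:
        hit = match_url(m["url"])
        return Alert(line_no, m["client"], hit[0], hit[1]) if hit else None
    m = FW_RE.search(line)
    if m and m["dst"] in IOC_IPS:
        return Alert(line_no, m["src"], "ip", m["dst"])
    return None


def scan_logs(text):
    """Scan a block of log text and return every Alert found, in order."""
    alerts = []
    for n, line in enumerate(text.splitlines(), start=1):
        a = scan_line(n, line)
        if a:
            alerts.append(a)
    return alerts


def hosts_to_investigate(alerts):
    """Internal hosts that touched any indicator: candidates for isolation."""
    return sorted({a.src for a in alerts})


# Constructed sample log lines: one clean proxy request, one download of the
# binary, two phone-home connections from the same host, one unrelated flow.
SAMPLE_LOGS = """\
1421737200.123    312 10.0.0.15 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1421737260.456   1523 10.0.0.42 TCP_MISS/200 248320 GET http://solutronixfze.com/js/bin.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
Jan 20 07:25:01 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=59.148.196.153 PROTO=TCP DPT=8080
Jan 20 07:25:03 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=74.208.11.204 PROTO=TCP DPT=443
Jan 20 07:25:05 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=93.184.216.34 PROTO=TCP DPT=80
"""

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for a in found:
        print(f"line {a.line_no}: {a.src} -> {a.kind} {a.indicator}")
    print("hosts to investigate:", hosts_to_investigate(found))
```

Matching on the full URL first and then on the domain means a later variant of the same campaign that changes only the path still lights up; the firewall check catches hosts whose download never crossed the proxy but which still called the phone-home addresses.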
See also this post about a related spam run also in progress this morning.