From: Circor [_CIG-EDI@circor.com]
Date: 3 February 2015 at 09:56
Subject: CIT Inv# 15000375 for PO# SP14161

Please do not respond to this email address. For questions/inquires, please
contact our Accounts Receivable Department.
______________________________________________________________________
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

Don't be fooled by the email signature, the attachment is definitely nasty. So far I have only seen one version with a detection rate of 4/55, which contains a malicious macro [pastebin] that downloads a component from:

http://gloo.ng/js/bin.exe

..which is then saved as %TEMP%\dsfsdf.exe. This has a VirusTotal detection rate of 3/48 (it is identified as a Dridex component). According to the Malwr report, this phones home to a couple of IPs that I haven't seen before:
143.107.17.183 (Universidade De Sao Paulo, Brazil)
92.63.88.108 (MWTV SIA, Latvia)
It also drops a DLL with a detection rate of 3/56.
Recommended blocklist:
143.107.17.183
92.63.88.108
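As an added example (not part of the original post), the script below runs the indicators listed above (the download URL, its host, and the two C2 IPs) over constructed proxy and firewall log lines and ranks internal hosts by how many of the indicators they touched. The log formats, the field layout and all the internal addresses are assumptions made for this example; swap the regexes for your own log format.

```python
"""
Added example: match this post's indicators against sample log lines and
rank internal hosts. Log formats and sample lines are constructed for the
example and are not from the original post.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Indicators exactly as listed in the post.
DOWNLOAD_URL = "http://gloo.ng/js/bin.exe"
DOWNLOAD_HOST = "gloo.ng"
C2_IPS: Set[str] = {"143.107.17.183", "92.63.88.108"}

# Constructed sample proxy log (assumed layout):
# <epoch> <client_ip> <result> <method> <url>
PROXY_LOG = [
    "1422957000.123 10.0.0.15 TCP_MISS/200 GET http://gloo.ng/js/bin.exe",
    "1422957001.456 10.0.0.16 TCP_MISS/200 GET http://example.org/index.html",
    "1422957002.789 10.0.0.18 TCP_MISS/200 GET http://GLOO.NG/js/other.js",
]

# Constructed sample firewall log (assumed syslog-style SRC=/DST= fields).
FIREWALL_LOG = [
    "Feb  3 10:01:02 fw kernel: ACCEPT SRC=10.0.0.15 DST=143.107.17.183 PROTO=TCP DPT=443",
    "Feb  3 10:01:05 fw kernel: ACCEPT SRC=10.0.0.17 DST=8.8.8.8 PROTO=UDP DPT=53",
    "Feb  3 10:02:11 fw kernel: ACCEPT SRC=10.0.0.15 DST=92.63.88.108 PROTO=TCP DPT=80",
    "Feb  3 10:02:30 fw kernel: ACCEPT SRC=10.0.0.19 DST=143.107.17.183 PROTO=TCP DPT=443",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PROXY_RE = re.compile(rf"^\S+\s+(?P<client>{IPV4})\s+\S+\s+\S+\s+(?P<url>\S+)")
FW_RE = re.compile(rf"SRC=(?P<src>{IPV4})\s+DST=(?P<dst>{IPV4})")


def proxy_hits(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map client IP -> URLs requested from the download host.

    Matching on the host (case-insensitively) rather than only the exact
    URL also catches other files served from the same site.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0].lower()
        if host == DOWNLOAD_HOST or url.lower() == DOWNLOAD_URL:
            hits[m.group("client")].append(url)
    return dict(hits)


def firewall_hits(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map internal source IP -> set of blocklisted destinations it reached."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("dst") in C2_IPS:
            hits[m.group("src")].add(m.group("dst"))
    return dict(hits)


def triage(proxy_lines: Iterable[str], fw_lines: Iterable[str]) -> Dict[str, int]:
    """Score each internal host: 2 for fetching from the dropper host,
    1 for contacting a C2 IP. A host with both (score 3) is the one to
    look at first, since download plus callback matches the chain above."""
    p = proxy_hits(proxy_lines)
    f = firewall_hits(fw_lines)
    scores = {h: (2 if h in p else 0) + (1 if h in f else 0) for h in set(p) | set(f)}
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for host, score in triage(PROXY_LOG, FIREWALL_LOG).items():
        print(f"{host}: score {score}")
```

With the constructed lines, 10.0.0.15 scores 3 (it fetched bin.exe and then reached both C2 addresses), 10.0.0.18 scores 2 for touching the download host, and 10.0.0.19 scores 1 for a single C2 contact.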
2 comments:
Just received this to my company e-mail 11/02/2015. I DID not open the attachment, just deleted it. AVG didn't pick up the malware. Word Doc name FOPRT01.DOC.
Just had this at a works email address also; same details as 'Wildcat'