Thursday, 12 February 2015

Malware spam: "Minuteman Press West Loop" / "westloop@minutemanpress.com" / "INVOICE 1398 - FEB 4 2015"

This fake invoice comes with a malicious attachment. It does not come from Minuteman Press, and their systems have not been compromised in any way; it is a simple email forgery using their name and address.

From:    Minuteman Press West Loop [westloop@minutemanpress.com]
Reply-To:    westloop@minutemanpress.com
Date:    12 February 2015 at 09:00
Subject:    INVOICE 1398 - FEB 4 2015

(Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)

Thank you for your business.

Julio Lopez  |  Design Manager  |  Minuteman Press West Loop
1326 W. Washington Blvd.  |  Chicago, IL 60607
p 312.291.8966  |  f 312.929.2472  |

I have seen just a single sample with an attachment INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57 and contains a malicious macro which downloads a second component from:

http://ecinteriordesign.com/js/bin.exe

This is then saved as %TEMP%\IHJfffFF.exe and has a detection rate of 7/57. Automated analysis tools [1] [2] [3] show attempted connections to:

37.139.47.105
78.140.164.160
41.56.49.36
104.232.34.68
210.181.222.118

The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec, which had a low detection rate at VirusTotal when it was checked a couple of hours ago.
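The indicators above (the download URL, the callback IPs, the dropped filename and the DLL hash) are what a defender would sweep proxy, firewall and endpoint logs for. The script below is an added example and not part of the original post: it collects the post's indicators into one place and runs them over a handful of constructed log lines (squid-style proxy entries, an iptables-style firewall line and a Sysmon-style process-creation line, all invented for illustration), and it checks a file's MD5 against the dropped DLL's hash.

```python
"""Sweep logs for the IOCs from the "INVOICE 1398 - FEB 4 2015" spam run.

Added example, not code from the original post. The indicator values are
the ones listed in the post; the log lines at the bottom are constructed
samples, not real traffic.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the post.
IOC_URL = "http://ecinteriordesign.com/js/bin.exe"
IOC_DOMAIN = urlparse(IOC_URL).hostname          # "ecinteriordesign.com"
IOC_URL_PATH = urlparse(IOC_URL).path            # "/js/bin.exe"
IOC_IPS = {
    "37.139.47.105",
    "78.140.164.160",
    "41.56.49.36",
    "104.232.34.68",
    "210.181.222.118",
}
IOC_DROPPED_EXE = "IHJfffFF.exe"                 # written to %TEMP%
IOC_DLL_MD5 = "9001023d93beccd6c28ba67cbbc10cec"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_line(line):
    """Return a list of (indicator_type, indicator) hits for one log line."""
    hits = []
    low = line.lower()
    if IOC_DOMAIN in low:
        hits.append(("domain", IOC_DOMAIN))
    if IOC_URL_PATH in low:
        hits.append(("url", IOC_URL))
    # Only exact IPv4 tokens are compared, so 37.139.47.10 does not match 37.139.47.105.
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    if IOC_DROPPED_EXE.lower() in low:
        hits.append(("file", IOC_DROPPED_EXE))
    return hits


def scan_logs(lines):
    """Return {line_number: hits} for every line that matched at least one indicator."""
    results = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_log_line(line)
        if hits:
            results[number] = hits
    return results


def file_md5(data):
    """MD5 of a file's bytes, as the lowercase hex string VirusTotal reports."""
    return hashlib.md5(data).hexdigest()


def is_known_dll(data):
    """True if the bytes hash to the dropped DLL's MD5 from the post."""
    return file_md5(data) == IOC_DLL_MD5


# Constructed sample log lines (hypothetical hosts, users and timestamps).
SAMPLE_LOGS = [
    "1423731600.123 312 10.1.2.33 TCP_MISS/200 215040 GET http://ecinteriordesign.com/js/bin.exe - DIRECT/203.0.113.10 application/octet-stream",
    "Feb 12 09:03:14 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.33 DST=37.139.47.105 PROTO=TCP DPT=80",
    "1423731605.456 200 10.1.2.40 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    r"Feb 12 09:04:01 host01 Sysmon: Process Create: Image: C:\Users\jlopez\AppData\Local\Temp\IHJfffFF.exe ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {number}: {hits}")
```

Matching on the URL path as well as the host catches the download even when the proxy log only records the path, and comparing whole IPv4 tokens rather than substrings avoids false hits on longer addresses that share a prefix. In practice the indicator sets would be loaded from a feed rather than hard-coded, and the hash check would be run over files collected from %TEMP% on the suspect host.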
