From: Minuteman Press West Loop [westloop@minutemanpress.com]
Reply-To: westloop@minutemanpress.com
Date: 12 February 2015 at 09:00
Subject: INVOICE 1398 - FEB 4 2015

(Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)
Thank you for your business.
Julio Lopez | Design Manager | Minuteman Press West Loop
1326 W. Washington Blvd. | Chicago, IL 60607
p 312.291.8966 | f 312.929.2472 |

I have seen just a single sample, with an attachment named INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants, so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57 and contains a malicious macro which downloads a second component from:
http://ecinteriordesign.com/js/bin.exe
This is then saved as %TEMP%\IHJfffFF.exe and has a detection rate of 7/57. Automated analysis tools [1] [2] [3] show attempted connections to:
37.139.47.105
78.140.164.160
41.56.49.36
104.232.34.68
210.181.222.118
The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago.
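The indicators above (download URL, the name the downloader is saved under in %TEMP%, the five IPs it tries to reach, and the MD5 of the dropped DLL) are what a responder would sweep proxy, firewall and endpoint logs for. The following is an added example, not code from the original post: a small Python matcher that runs those indicators over a handful of constructed key=value log lines (the log format, the internal hosts 10.0.0.23 and 10.0.0.41, the paths and the timestamps are all made up for the example). It matches IPs as whole dotted quads and the dropped file name only as a complete path component, so near-misses such as 137.139.47.105 or a different host serving /js/bin.exe do not produce hits.

```python
import re
from collections import Counter

# Indicators taken from the post: the download URL, the name the
# downloader is saved under in %TEMP%, the IPs the automated analyses
# saw it connect to, and the MD5 of the DLL it drops.
DOWNLOAD_URL = "http://ecinteriordesign.com/js/bin.exe"
DROPPED_EXE = "IHJfffFF.exe"
C2_IPS = {
    "37.139.47.105", "78.140.164.160", "41.56.49.36",
    "104.232.34.68", "210.181.222.118",
}
DLL_MD5 = "9001023d93beccd6c28ba67cbbc10cec"

# Match the URL with or without its scheme (some proxy logs omit it).
_URL_RE = re.compile(re.escape(DOWNLOAD_URL.split("://", 1)[1]), re.I)
# The dropped name must follow a path separator and end the token, so
# "xIHJfffFF.exe" or "IHJfffFF.exe.txt" do not count as hits.
_EXE_RE = re.compile(r"[\\/]" + re.escape(DROPPED_EXE) + r"(?![\w.])", re.I)
# Whole dotted quads only, so 137.139.47.105 is not mistaken for 37.139.47.105.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
_MD5_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32})(?![0-9a-fA-F])")
# Assumed log convention: the internal host is carried in a src= field.
_SRC_RE = re.compile(r"(?:^|\s)src=(\S+)")

# Constructed sample log in an assumed key=value format; hosts, paths and
# timestamps are invented for the example. Lines 6-8 are deliberate
# near-misses that must not match.
SAMPLE_LOG = r"""
ts=2015-02-12T09:03:58 src=10.0.0.23 type=proxy method=GET url=http://ecinteriordesign.com/js/bin.exe status=200
ts=2015-02-12T09:04:11 src=10.0.0.23 type=edr event=FileCreate path=C:\Users\jl\AppData\Local\Temp\IHJfffFF.exe
ts=2015-02-12T09:04:20 src=10.0.0.23 type=fw dst=37.139.47.105 dport=443 action=allow
ts=2015-02-12T09:04:25 src=10.0.0.23 type=fw dst=210.181.222.118 dport=8080 action=deny
ts=2015-02-12T09:05:00 src=10.0.0.23 type=edr event=FileCreate path=C:\Users\jl\AppData\Local\Temp\tmp1.dll md5=9001023D93BECCD6C28BA67CBBC10CEC
ts=2015-02-12T09:05:30 src=10.0.0.41 type=fw dst=8.8.8.8 dport=53 action=allow
ts=2015-02-12T09:06:00 src=10.0.0.41 type=proxy method=GET url=http://example.com/js/bin.exe status=404
ts=2015-02-12T09:06:10 src=10.0.0.41 type=fw dst=137.139.47.105 dport=443 action=allow
""".strip().splitlines()


def match_line(line):
    """Return the (indicator, value) pairs found in one log line."""
    hits = []
    if _URL_RE.search(line):
        hits.append(("download_url", DOWNLOAD_URL))
    if _EXE_RE.search(line):
        hits.append(("dropped_exe", DROPPED_EXE))
    hits += [("c2_ip", ip) for ip in _IPV4_RE.findall(line) if ip in C2_IPS]
    hits += [("dll_md5", DLL_MD5) for h in _MD5_RE.findall(line)
             if h.lower() == DLL_MD5]
    return hits


def scan(lines):
    """Run match_line over every line; return hits, touched hosts and counts."""
    hits, hosts = [], set()
    for n, line in enumerate(lines, 1):
        for indicator, value in match_line(line):
            hits.append((n, indicator, value))
            m = _SRC_RE.search(line)
            if m:
                hosts.add(m.group(1))
    return {
        "hits": hits,
        "hosts": sorted(hosts),
        "by_indicator": Counter(ind for _, ind, _ in hits),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for n, indicator, value in result["hits"]:
        print(f"line {n}: {indicator} {value}")
    print("hosts to triage:", ", ".join(result["hosts"]))
```

Run against the constructed log, the first five lines each produce one hit and the remaining three none, so the only host to triage is 10.0.0.23. Replacing SAMPLE_LOG with real exported logs in the same key=value shape is the only change needed; other formats need their own src-field extraction.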