From: Lawrence Fisher [l.fisher@taghire.co.uk]
Date: 16 February 2015 at 08:25
Subject: invoice

Here is the invoice

Kind Regards,
Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield
Tel: 020 3750 0638

This e-mail is confidential and may be privileged. It may be read, copied and used only by the intended recipient. If you have received it in error, please contact the sender immediately by return e-mail or by telephoning 020 3750 0638

So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal. It contains an obfuscated Word macro which downloads an additional component from:

http://laikah.de/js/bin.exe
Usually there are two or three versions of this document, but I have only seen one. If you look at the macro code itself, the download location is not encrypted in the code, although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid analysis.

This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57. Automated reporting tools [1] [2] [3] show that it POSTs to 37.139.47.105. It appears that communication is attempted with the following IPs:
37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)
Also, according to the Malwr report, a DLL is dropped with a detection rate of 3/57.
Recommended blocklist:
37.139.47.105
78.140.164.160
95.163.121.179
86.104.134.156
117.223.58.214
109.234.38.70
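The indicators above (the download URL, the dropped filename and the six IPs) are easiest to act on if they are checked against proxy or firewall logs automatically. The script below is an added example, not code from the original post: it loads the post's indicators, parses a few constructed proxy log lines in a hypothetical "timestamp client method target status" format, and reports which internal clients touched the payload host or one of the blocklisted IPs. The log format, the client addresses and the hit labels are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators as published in the post above.
BLOCKLIST_IPS = {
    "37.139.47.105", "78.140.164.160", "95.163.121.179",
    "86.104.134.156", "117.223.58.214", "109.234.38.70",
}
DOWNLOAD_URL = "http://laikah.de/js/bin.exe"
DOWNLOAD_HOST = urlparse(DOWNLOAD_URL).hostname   # "laikah.de"

# Constructed sample log lines (hypothetical squid-like format):
# <epoch> <client-ip> <method> <url-or-host:port> <status>
SAMPLE_LOG = """\
1424075400.123 10.0.0.15 GET http://laikah.de/js/bin.exe 200
1424075405.456 10.0.0.15 POST http://37.139.47.105/ 200
1424075410.789 10.0.0.22 GET http://www.example.com/index.html 200
1424075415.000 10.0.0.15 CONNECT 78.140.164.160:443 200
1424075420.000 10.0.0.31 GET http://www.example.org/ 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)"
)


def target_host(target):
    """Return the host part of either a full URL or a CONNECT-style host:port."""
    if "://" in target:
        return urlparse(target).hostname
    return target.rsplit(":", 1)[0]


def is_blocklisted_ip(host):
    """True if host is a literal IP on the post's blocklist (hostnames never match)."""
    try:
        return str(ipaddress.ip_address(host)) in BLOCKLIST_IPS
    except ValueError:
        return False


def scan_log(text):
    """Return (client, host, reasons) for every log line matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the assumed format
        target = m.group("target")
        host = target_host(target)
        reasons = []
        if is_blocklisted_ip(host):
            reasons.append("c2-ip")       # one of the six IPs the sample talks to
        if host == DOWNLOAD_HOST:
            reasons.append("payload-host")
        if target.lower() == DOWNLOAD_URL:
            reasons.append("payload-url") # the exact bin.exe download seen in the macro
        if reasons:
            hits.append((m.group("client"), host, reasons))
    return hits


def suspect_clients(text):
    """Distinct internal clients that touched any indicator, for triage."""
    return sorted({client for client, _, _ in scan_log(text)})


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
    print("clients to triage:", suspect_clients(SAMPLE_LOG))
```

A client that fetched bin.exe and then POSTed to one of the listed IPs is a stronger signal than either event alone; in the sample above that is 10.0.0.15, and the dropped file would be expected at %TEMP%\345435.exe on that host. Note that the post's blocklist is IP-only, so the payload host laikah.de is matched by name here rather than by address.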