
Wednesday, 18 February 2015

Malware spam: "[dan@express-insurance.net]" / "Auto insurance apps and documents"

This fake financial spam has a malicious attachment:


From:    Dan Bigelow [dan@express-insurance.net]
Date:    18 February 2015 at 09:18
Subject:    Auto insurance apps and documents

Hello ,

Please print “All” attached forms and sign and initial where I highlighted.

Scan and email back to me or fax to me at 407-937-0511.


Sincerely,

Dan Bigelow


Referrals are important to us. If you know anyone who would benefit from our services, please contact me. 

We would appreciate the opportunity to work with them.

2636 West State Rd 434 # 112
Longwood, Fl 32779


Fax     407-386-1601

This spam does not actually come from Express Insurance, nor have their systems or data been compromised in any way. Instead, this is a simple forgery with a malicious Word document attached.

There are at least two different versions of the document, both with zero detections [1] [2]. The macros are a bit too complex for pastebin, but you can download a ZIP here and here [password=infected].

Despite the differences, both seem to download from:

http://ecv.bookingonline.it/js/bin.exe

The downloaded file is saved as %TEMP%\FfdgF.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] indicate that it attempts to phone home to:

83.169.4.178 (Hosteurope, Germany)
202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)

This probably drops a Dridex DLL; however, the Malwr analysis appears to have malfunctioned and I don't have a sample.

Recommended blocklist:
83.169.4.178
202.44.54.5
66.110.179.66
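
Blocking the three addresses is the easy part; the other half is finding out whether anyone on the network already fetched bin.exe or talked to the C2 hosts before the block went in. The script below is an added example (not part of the original post, and not a tool the author used): it takes the indicators quoted above, the download URL and the three IPs, and runs them over proxy log lines. The log format assumed is Squid's native access.log; the sample lines, client addresses and peer IPs are constructed for this example and are not real traffic.

```python
"""
Added example (not part of the original post): run the indicators from this
write-up against Squid-style proxy log lines and report which clients hit them.

Indicators taken from the post:
  download URL  http://ecv.bookingonline.it/js/bin.exe
  C2 IPs        83.169.4.178, 202.44.54.5, 66.110.179.66

The log format is assumed (Squid native access.log); the sample lines below are
constructed, with RFC 5737 addresses standing in for benign destinations.
"""
import ipaddress
import re
from urllib.parse import urlsplit

C2_IPS = {
    ipaddress.ip_address("83.169.4.178"),
    ipaddress.ip_address("202.44.54.5"),
    ipaddress.ip_address("66.110.179.66"),
}
DOWNLOAD_URL = "http://ecv.bookingonline.it/js/bin.exe"
DOWNLOAD_HOST = urlsplit(DOWNLOAD_URL).hostname  # ecv.bookingonline.it

# Squid native format:
#   time elapsed client code/status bytes method url user hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+$"
)


def parse_line(line):
    """Return the named fields of one Squid log line, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def match_entry(entry):
    """Return a list of (indicator, detail) hits for one parsed entry; [] if clean."""
    hits = []
    url = entry["url"]
    # CONNECT lines carry "host:port" with no scheme; prefix "//" so urlsplit
    # still yields the hostname.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""

    if url == DOWNLOAD_URL:
        hits.append(("download_url", url))
    elif host == DOWNLOAD_HOST:
        hits.append(("download_host", host))

    # The C2 address may appear as a literal IP in the URL (GET http://IP/ or
    # CONNECT IP:443) or only in the peer column; check both, report once.
    for candidate in (host, entry["peer"]):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if ip in C2_IPS:
            hits.append(("c2_ip", str(ip)))
            break
    return hits


def match_line(line):
    """Convenience wrapper: parse one raw line and match it."""
    entry = parse_line(line)
    return match_entry(entry) if entry else []


def scan(lines):
    """Aggregate hits per client address: {client: [(indicator, detail), ...]}."""
    findings = {}
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        hits = match_entry(entry)
        if hits:
            findings.setdefault(entry["client"], []).extend(hits)
    return findings


# Constructed sample log (not real traffic). 192.0.2.0/24 is documentation space.
SAMPLE_LOG = [
    "1424250000.123   120 10.1.2.3 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/192.0.2.1 text/html",
    "1424250005.456   300 10.1.2.3 TCP_MISS/200 245760 GET http://ecv.bookingonline.it/js/bin.exe - HIER_DIRECT/192.0.2.10 application/octet-stream",
    "1424250010.789    50 10.1.2.3 TCP_TUNNEL/200 512 CONNECT 83.169.4.178:443 - HIER_DIRECT/83.169.4.178 -",
    "1424250015.000    40 10.1.2.7 TCP_MISS/404 300 GET http://202.44.54.5/ - HIER_DIRECT/202.44.54.5 text/html",
    "1424250020.000    30 10.1.2.9 TCP_MISS/200 100 GET http://www.example.org/ - HIER_DIRECT/192.0.2.1 text/html",
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, hits)
```

Matching on the full download URL catches the exact sample; matching on the host separately is there because the same compromised site is likely to serve renamed payloads to later spam runs. A client that shows both a bin.exe fetch and a later connection to one of the C2 addresses (10.1.2.3 in the constructed log) is the one to pull for a memory capture before it is rebuilt.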
