Sponsored by..

Wednesday 18 March 2015

Malware spam: "Confirmation of Booking" / "NWN Media Ltd" / "Della Richardson"

This spam is not from NWN Media Ltd but is instead a simple forgery sent out to random email addresses with a malicious attachment. NWN Media are not responsible for this spam, nor have their systems been compromised.

From:    della.richards2124@nwn.co.uk [della.richards@nwn.co.uk]
Date:    18 March 2015 at 08:34
Subject:    Confirmation of Booking

This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.

Yours sincerely,

NWN Media Ltd
Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:


These are saved as %TEMP%\zakilom86.exe and %TEMP%\Pikadlo64.exe respectively. The binaries are actually identical and have a VirusTotal detection rate of 5/57. According to the Malwr report this binary attempts to communicate with the following IPs: (Relink Ltd, Russaia) (Selectel Ltd, Russia) (OVH, France) (Clodo-Cloud / IT House, Russia) (Digital Networks CSJC aka DINETHOSTING / Russia)

It then drops what appears to be another version of itself called edg1.exe onto the target system [VT 2/55] along with a malicious Dridex DLL [VT 3/55]

Recommended blocklist:

No comments: