From: John Donald [john@kingfishermanagement.uk.com]There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors, in turn it contains this malicious macro [pastebin] which downloads another component from the following location:
Date: 4 March 2015 at 09:09
Subject: Document1
http://retro-moto.cba.pl/js/bin.exe
Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57.
Automated analysis tools [1] [2] show attempted network traffic to the following IPs:
92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithunia)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)
According to the Malwr report it also drops another version of itself with a detection rate of just 1/57 plus a DLL with a detection rate of 7/56.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33
No comments:
Post a Comment