Sponsored by..

Wednesday 4 March 2015

Malware spam: "John Donald [john@kingfishermanagement.uk.com]" / "Document1"

This rather terse email comes with a malicious attachment:
From:    John Donald [john@kingfishermanagement.uk.com]
Date:    4 March 2015 at 09:09
Subject:    Document1
There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors, in turn it contains this malicious macro [pastebin] which downloads another component from the following location:


Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] show attempted network traffic to the following IPs: (MWTV, Latvia) (Net3, US) (OneGbits, Lithunia) (Gameservers.com / Choopa LLC, Netherlands)

According to the Malwr report it also drops another version of itself with a detection rate of just 1/57 plus a DLL with a detection rate of 7/56.

Recommended blocklist:

No comments: