Sponsored by..

Wednesday 11 March 2015

Malware spam: Message from "RNP0026735991E2" / "inv.09.03"

This pair of spam emails are closely related and have a malicious attachment:

From:    admin.scanner@victimdomain
Date:    11 March 2015 at 08:49
Subject:    Message from "RNP0026735991E2"

This E-mail was sent from "RNP0026735991E2" (MP C305).

Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain

Attachment: 201503071457.xls

From:    Jora Service [jora.service@yahoo.com]
Date:    11 March 2015 at 09:27
Subject:    inv.09.03

Attachment: INV 86-09.03.2015.xls

Neither XLS attachment is currently detected by AV vendors [1] [2] and they contain two related but slightly different macros [1] [2] which download a component from the following locations:


The file is then saved as %TEMP%\fJChjfgD675eDTU.exe  which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs: (TimeWeb Co. Ltd, Russia) (FPT Telecom Company, Vietnam) (Relink Ltd, Russia) (OneGbits, Lithuania) (Net3, US) (TheFirst.RU, Russia)

It also drops a couple more malicious binaries with the following MD5s:

8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]

Recommended blocklist:

No comments: