Sponsored by..

Friday 13 March 2015

Malware spam: "pentafoods.com" / "Invoice: 2262004"

This fake Penta Foods spam run is another variant of this and it comes with a malicious attachment. Penta Foods are not sending this email, instead it is a simple forgery.

From:    cc18923@pentafoods.com
Date:    13 March 2015 at 07:50
Subject:    Invoice: 2262004

Please find attached invoice :  2262004
  Any queries please contact us.

--
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.

Attached is a Word document R-1179776.doc which actually comes in two version, both with zero detection rates, contains one of two malicious macros [1] [2] which then download a component from the following locations:

http://accalamh.aspone.cz/js/bin.exe
http://awbrs.com.au/js/bin.exe

This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to:

62.76.179.44 (Clodo-Cloud / IT House, Russia)

My sources also indicate that it phones home to:

212.69.172.187 (Webagentur, Austria)
78.129.153.12 (iomart / RapidSwitch, UK)

According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.

Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12


No comments: