From: cc18923@pentafoods.com
Date: 13 March 2015 at 07:50
Subject: Invoice: 2262004
Please find attached invoice : 2262004
Any queries please contact us.
--
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.
Attached is a Word document R-1179776.doc which actually comes in two versions, both with zero detection rates, each containing one of two malicious macros [1] [2] which then download a component from the following locations:
http://accalamh.aspone.cz/js/bin.exe
http://awbrs.com.au/js/bin.exe
This is saved as %TEMP%\fJChjfgD675eDTU.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] show a phone-home attempt to:
62.76.179.44 (Clodo-Cloud / IT House, Russia)
My sources also indicate that it phones home to:
212.69.172.187 (Webagentur, Austria)
78.129.153.12 (iomart / RapidSwitch, UK)
According to this Malwr report it also drops a DLL with a detection rate of just 2/57 which is probably Dridex.
Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12
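As an added example (not part of the original post), here is a small Python scan that flags the indicators above in Squid-style proxy logs, reporting per internal client which indicator was touched. The log lines, the field layout assumed for the log, and the 203.0.113.5 resolution address are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: download hosts, payload path and phone-home addresses.
DOWNLOAD_HOSTS = {"accalamh.aspone.cz", "awbrs.com.au"}
PAYLOAD_PATH = "/js/bin.exe"
C2_IPS = {"62.76.179.44", "212.69.172.187", "78.129.153.12"}

# Assumed Squid access.log layout:
# time elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S*$"
)

def check_line(line):
    """Return (client_ip, hits) for one log line; hits is [] when clean or unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return (None, [])
    hits = []
    url = m.group("url")
    # CONNECT lines carry host:port rather than a full URL; normalise so urlsplit parses them
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        hits.append(("download_host", host))
    if parts.path.lower().endswith(PAYLOAD_PATH):
        hits.append(("payload_path", url))
    # the peer field holds the resolved destination, so C2 traffic is caught by raw IP
    # even when the URL carries a hostname
    peer = m.group("peer")
    if peer in C2_IPS or host in C2_IPS:
        hits.append(("c2_ip", peer if peer in C2_IPS else host))
    return (m.group("client"), hits)

def scan(lines):
    """Return {client_ip: [hits...]} for every client that touched an indicator."""
    report = {}
    for line in lines:
        client, hits = check_line(line)
        if hits:
            report.setdefault(client, []).extend(hits)
    return report

# Constructed sample log: one clean request, a payload download, and two phone-home attempts.
SAMPLE_LOG = """\
1426233000.123 210 10.0.0.15 TCP_MISS/200 1523 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1426233012.456 340 10.0.0.15 TCP_MISS/200 212992 GET http://accalamh.aspone.cz/js/bin.exe - HIER_DIRECT/203.0.113.5 application/octet-stream
1426233030.789 120 10.0.0.15 TCP_MISS/200 412 POST http://62.76.179.44/ - HIER_DIRECT/62.76.179.44 text/html
1426233045.000 90 10.0.0.22 TCP_TUNNEL/200 3010 CONNECT 78.129.153.12:443 - HIER_DIRECT/78.129.153.12 -
"""

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(client, hits)
```

A client showing the payload download followed by a C2 hit is the pattern worth prioritising; the CONNECT line shows why matching on the resolved peer address matters once traffic moves to TLS.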