
Tuesday 31 March 2015

Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"

This fake financial spam comes with a malicious attachment:

From:    Sam S. [sales@alicorp.com]
Date:    31 March 2015 at 07:45
Subject:    Your PO: SP14619

Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

New Era Contract Sales Inc.'s Document Exchange Team

In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:


which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:

(Docker Ltd / ArtVisio Ltd, Russia)
(Webstyle Group LLC / Rohoster / MnogoByte, Russia)
(Digital Ocean, Netherlands)
(OneGbits, Lithuania)
(Microtech Tel, US)
(Cadr-TV LLE TVRC, Ukraine)
(World Internetwork Corporation, Thailand)
(DigitalOcean Cloud, Singapore)

According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].

Recommended blocklist:


A couple of reports from Payload Security [1] [2] also give some insight into the malware, including an additional but well-known IP to block: (Digital Networks CJSC aka DINETHOSTING, Russia)
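As an added, defender-side example that is not part of the original post: the script below turns a blocklist like the one recommended above into a quick check over proxy/firewall log lines, flagging both connections to blocklisted addresses and executables launched from %TEMP% (the post names kkaddap7b.exe and edg1.exe). The post's own IP addresses are not reproduced in this copy, so the entries here are RFC 5737 documentation ranges used as placeholders, and the log lines and their format are constructed for the example.

```python
"""Blocklist check over constructed log lines (added example, not the post's code)."""
import ipaddress
import re

# Placeholder indicators (constructed): substitute the post's recommended blocklist.
# RFC 5737 documentation ranges are used so nothing here points at a real host.
BLOCKLIST_IPS = [
    "192.0.2.10",      # placeholder for a C2 entry
    "198.51.100.25",   # placeholder for a C2 entry
    "203.0.113.7",     # placeholder for a C2 entry
]

# Filenames taken from the post: the macro'd attachment, the dropped EXE and its copy.
SUSPICIOUS_FILENAMES = {"apipo1.doc", "kkaddap7b.exe", "edg1.exe"}

# Constructed log lines in a simple "timestamp src dst action detail" layout.
SAMPLE_LOG = """\
2015-03-31T07:50:12 10.0.0.14 192.0.2.10:443 CONNECT -
2015-03-31T07:50:13 10.0.0.14 93.184.216.34:80 GET example.com/
2015-03-31T07:52:40 10.0.0.22 198.51.100.25:8080 POST /
2015-03-31T07:55:01 10.0.0.14 - EXEC C:\\Users\\bob\\AppData\\Local\\Temp\\kkaddap7b.exe
2015-03-31T07:56:10 10.0.0.9 10.0.0.1:53 DNS internal
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<action>\S+)\s+(?P<detail>.*)$"
)


def load_blocklist(entries):
    """Validate blocklist entries; single IPs and CIDR ranges are both accepted."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_blocked(ip_text, nets):
    """True if ip_text parses as an address inside any blocklisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def find_hits(log_text, nets):
    """Return (source_host, reason) pairs for lines that match an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src = m["src"]
        dst_host = m["dst"].rsplit(":", 1)[0]  # strip the :port suffix
        if is_blocked(dst_host, nets):
            hits.append((src, "connection to blocklisted " + dst_host))
        if m["action"] == "EXEC":
            path = m["detail"].replace("/", "\\")
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SUSPICIOUS_FILENAMES or "\\temp\\" in path.lower():
                hits.append((src, "executable run from %TEMP%: " + name))
    return hits


if __name__ == "__main__":
    for host, reason in find_hits(SAMPLE_LOG, load_blocklist(BLOCKLIST_IPS)):
        print(host, "-", reason)
```

Because the blocklist is loaded as networks, a whole hosting range can be added as a CIDR entry when an analysis report implicates several neighbouring addresses, while a single IP still matches exactly.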
