From: invoice@booking.com
Date: 27 April 2015 at 08:55
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015
Dear customer,
Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.
If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail: ).
Thank you for working with Booking.com.
The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc, which has a VirusTotal detection rate of 3/57. This contains a malicious macro [pastebin] which downloads a component from the following location:
http://voipconcerns.com/62/927.exe
There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57.
Automated analysis tools [1] [2] [3] show an attempted network connection to:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57.
MD5s:
6aa26f04b22b284dda148ce317f53de8
a92cdc17c74b1a008d3c239006fdf042
1c90c45e0bdfb91a8a73c1f6d1e738fe
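The indicators above (download URL, C2 address, dropped file names and MD5s) are only useful once they are checked against your own logs and file stores. The following Python script is an added example, not part of the original post: it collects the post's indicators into sets and runs them over a few constructed, hypothetical proxy, firewall and endpoint log lines (not real traffic), reporting which line matched which indicator, and it checks a file's MD5 against the listed hashes. The log formats, hostnames like fw01 and ws017, and the RFC 5737 addresses used in the samples are assumptions for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken verbatim from the post above; nothing else is assumed.
IOC_URLS = {"http://voipconcerns.com/62/927.exe"}
IOC_IPS = {"185.12.95.191"}
IOC_MD5S = {
    "6aa26f04b22b284dda148ce317f53de8",
    "a92cdc17c74b1a008d3c239006fdf042",
    "1c90c45e0bdfb91a8a73c1f6d1e738fe",
}
IOC_FILENAMES = {"invoice-1501383360.doc", "zigma2.5.exe"}
# Hosts are derived from the URL list so that any other path on the same host is reported too.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line):
    """Return a list of (indicator_type, value) hits for one log line."""
    hits = []
    for url in URL_RE.findall(line):
        if url in IOC_URLS:
            hits.append(("url", url))
        host = urlsplit(url).hostname
        if host in IOC_HOSTS:
            hits.append(("host", host))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    lowered = line.lower()
    for name in IOC_FILENAMES:
        if name.lower() in lowered:
            hits.append(("filename", name))
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines; return [(line_number, type, value), ...]."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            findings.append((number, kind, value))
    return findings


def md5_is_known_bad(data):
    """True if the MD5 of the given bytes is one of the hashes listed in the post."""
    return hashlib.md5(data).hexdigest() in IOC_MD5S


def hash_is_known_bad(hex_digest):
    """True if an already-computed MD5 (any case) is one of the listed hashes."""
    return hex_digest.strip().lower() in IOC_MD5S


# Constructed sample log lines (hypothetical, not real traffic): a Squid-style proxy
# entry for the download, an iptables-style firewall entry for the C2 connection, an
# endpoint file-creation event naming the dropped file, and a benign line that must not match.
SAMPLE_LOGS = [
    "1430124930.512 388 10.0.0.17 TCP_MISS/200 412392 GET http://voipconcerns.com/62/927.exe - HIER_DIRECT/198.51.100.10 application/octet-stream",
    "Apr 27 08:58:41 fw01 kernel: IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=185.12.95.191 PROTO=TCP SPT=49211 DPT=443",
    "Apr 27 08:58:40 ws017 Sysmon: FileCreate C:\\Users\\user\\AppData\\Local\\Temp\\zigma2.5.exe by WINWORD.EXE",
    "1430124901.004 120 10.0.0.17 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.5 text/html",
]

if __name__ == "__main__":
    for number, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {kind} matched {value}")
```

Feeding real proxy or firewall exports into scan_logs in place of SAMPLE_LOGS gives a quick first pass; matching on the host as well as the full URL matters because, as the post notes, other document variants likely fetch from different paths while the binary stays the same.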