Tuesday 28 April 2015

Malware spam: "INVOICE PD Will Comm" / "richard will [contactwill@hotmail.com]"

This malicious spam does not come from Will Communications but is instead a simple forgery with a malicious attachment.

From:    richard will [contactwill@hotmail.com]
Date:    28 April 2015 at 09:05
Subject:    INVOICE PD Will Comm

Thank-you for your payment!

Richard Will

Will Communications, Inc.

The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base64-encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56 and it contains this malicious macro [pastebin]. In this case, the macro downloads a component from:


..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53. There may well be other documents that download from other locations, but the binary will be the same in all cases.
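When a sample arrives as a jumble of Base64 text rather than as a proper MIME attachment, the first triage step is to pull the Base64 runs out of the raw message, decode them, check the leading bytes to see what the file actually is, and hash it for lookup. The script below does that; it is an added example and not code from the original post. The email it processes is constructed, and the "document" inside it is just an OLE2 header plus padding, not a real Word file. The salvage step for runs that fail strict decoding (truncating to a multiple of four characters) is an assumption about how such corrupted samples can be recovered, and will not rescue every mangled message.

```python
"""Triage helper: find Base64 runs in a mangled email, decode them,
identify the file type by magic bytes and hash the result.

Added example, not code from the original post. SAMPLE_EMAIL is
constructed; the decoded "attachment" is an OLE2 header plus padding.
"""
import base64
import binascii
import hashlib
import re

# Signatures worth checking first on a decoded attachment.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .doc/.xls, macro-capable)",
    b"PK\x03\x04": "zip container (.docx/.docm etc.)",
    b"MZ": "pe executable",
}

_B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify(data: bytes) -> str:
    """Return a file-type label from the leading bytes, or 'unknown'."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return "unknown"


def _is_b64_line(line: str) -> bool:
    s = line.strip()
    return len(s) >= 4 and _B64_LINE.fullmatch(s) is not None


def _decode(blob: str):
    """Strict decode first; if that fails, assume a truncated/corrupt blob
    and decode the longest prefix that is a whole number of quanta."""
    try:
        return base64.b64decode(blob, validate=True), False
    except (binascii.Error, ValueError):
        pass
    trimmed = blob.rstrip("=")
    trimmed = trimmed[: len(trimmed) - len(trimmed) % 4]
    try:
        return base64.b64decode(trimmed, validate=True), True
    except (binascii.Error, ValueError):
        return None, True


def extract_attachments(raw_email: str, min_decoded: int = 64):
    """Collect consecutive Base64-looking lines into runs, decode each run,
    and report type, size and SHA-256. Tiny or undecodable runs are dropped."""
    found, run, start = [], [], 0
    lines = raw_email.splitlines()
    for i, line in enumerate(lines + [""]):      # sentinel flushes the last run
        if _is_b64_line(line):
            if not run:
                start = i + 1
            run.append(line.strip())
            continue
        if run:
            data, salvaged = _decode("".join(run))
            run = []
            if data is None or len(data) < min_decoded:
                continue
            found.append({
                "first_line": start,
                "size": len(data),
                "type": identify(data),
                "sha256": sha256_hex(data),
                "salvaged": salvaged,
                "data": data,
            })
    return found


# Constructed stand-in for a macro-capable document: OLE2 magic + padding.
FAKE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
            + b"constructed sample, not a real document".ljust(496, b"\x00"))

# Constructed message body in the shape described in the post.
SAMPLE_EMAIL = (
    "From: richard will <contactwill@hotmail.com>\n"
    "Subject: INVOICE PD Will Comm\n"
    "\n"
    "Thank-you for your payment!\n"
    "\n"
    + base64.encodebytes(FAKE_DOC).decode("ascii")
)

if __name__ == "__main__":
    for att in extract_attachments(SAMPLE_EMAIL):
        print(att["first_line"], att["size"], att["type"], att["sha256"],
              "(salvaged)" if att["salvaged"] else "")
```

The type label is taken from the magic bytes, not from any filename in the message, because the filename is under the sender's control; the hash is what goes into a multi-engine lookup like the ones quoted in this post.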

Automated analysis tools [1] [2] [3] show that it attempts to communicate with the following IP: (RuWeb CJSC, Russia)

According to the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56.
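The chain described in this post (an Office process writes an executable into %TEMP%, then that file runs and drops a DLL) is easy to spot from endpoint telemetry regardless of which download location or filename a given document uses. The following detection sketch is an added example, not code from the original post or from any of the analysis services cited. The event lines are constructed in a simplified Sysmon-style `key="value"` format; real Sysmon FileCreate (event 11) and ProcessCreate (event 1) records carry the same field names, but the parser here is an assumption, not a real log format.

```python
"""Detection sketch for the macro-download chain: an Office process
drops an executable into a Temp directory and it is then executed.

Added example, not code from the original post. SAMPLE_EVENTS are
constructed in a simplified Sysmon-like key="value" layout.
"""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr")

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Turn one key="value" line into a dict (assumed log layout)."""
    return dict(_KV.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (rule, actor, path) tuples for each suspicious event.
    State is kept across events so a later execution of a file that an
    Office process wrote earlier is tied back to that write."""
    alerts = []
    dropped = {}  # lowercase path -> Office process that wrote it
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "11":  # FileCreate
            writer, target = basename(ev.get("Image", "")), ev.get("TargetFilename", "")
            if (writer in OFFICE and TEMP_RE.search(target)
                    and target.lower().endswith(EXEC_EXT)):
                dropped[target.lower()] = writer
                alerts.append(("office_drops_exe_in_temp", writer, target))
        elif eid == "1":  # ProcessCreate
            parent, image = basename(ev.get("ParentImage", "")), ev.get("Image", "")
            if parent in OFFICE and TEMP_RE.search(image):
                alerts.append(("office_spawns_from_temp", parent, image))
            if image.lower() in dropped:
                alerts.append(("dropped_file_executed", dropped[image.lower()], image))
    return alerts


# Constructed events; the filename is the one named in the post, the user
# and Office paths are placeholders.
SAMPLE_EVENTS = [
    r'EventID="1" Image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe"',
    r'EventID="11" Image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" TargetFilename="C:\Users\alice\AppData\Local\Temp\johan3.2.b.exe"',
    r'EventID="1" Image="C:\Users\alice\AppData\Local\Temp\johan3.2.b.exe" ParentImage="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"',
    r'EventID="11" Image="C:\Windows\System32\svchost.exe" TargetFilename="C:\Windows\Temp\update.log"',
]

if __name__ == "__main__":
    for rule, actor, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: {actor} -> {path}")
```

Two of the three rules fire on the single ProcessCreate event for the dropped file: one from the parent/child relationship alone, one from correlating it with the earlier write. Either is enough to flag the host; keeping both means the detection still works if one of the events is missed.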


