
Tuesday, 28 April 2015

Malware spam: "INVOICE PD Will Comm" / "richard will [contactwill@hotmail.com]"

This malicious spam does not come from Will Communications but is instead a simple forgery with a malicious attachment.

From:    richard will [contactwill@hotmail.com]
Date:    28 April 2015 at 09:05
Subject:    INVOICE PD Will Comm

Thank-you for your payment!

Richard Will

Will Communications, Inc.
richard@willcommunications.com

The samples that I have seen are all corrupted: the malicious attachment appears only as a jumble of Base64-encoded text in the message body, although this may not be the case with every email. Once decoded, the malicious Word document has a detection rate of 4/56 and contains this malicious macro [pastebin]. In this case, the macro downloads a component from:

http://massachusettsselfstorage.com/62/927.exe

...this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53. There may well be other documents that download from other locations, but the binary should be the same in all cases.
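To get a hash you can compare with the ones at the end of this post, the Base64 run in a corrupted sample has to be carved out of the message body by hand. The following is an added example (not code from the original post) that does that: it strips line wrapping, decodes the longest Base64 run, tolerates a run truncated mid-group, identifies the container by its magic bytes and checks the MD5 against the list quoted here. The raw message and the "document" it carries are constructed stand-ins, not the real sample.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for the attachment: an OLE2 compound-file header (the
# magic of a legacy .doc) followed by filler. It is NOT the real sample.
FAKE_DOC = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 40 + b"constructed sample, not real malware"

# Constructed raw message: headers, blank line, then the payload as a bare
# Base64 run in the body, which is how the corrupted samples present.
RAW_EMAIL = (
    "From: richard will <contactwill@hotmail.com>\r\n"
    "Subject: INVOICE PD Will Comm\r\n"
    "\r\n"
    + base64.b64encode(FAKE_DOC).decode("ascii")
    + "\r\n"
)

# MD5s quoted in the post.
KNOWN_MD5S = {
    "67a5facf854a72382a8d8e308027baa3",
    "f998950151c5922cd2c338290e78a420",
    "59f03febb357e343f33937b9925b8846",
}

# Leading magic bytes of the containers a macro lure usually arrives as.
MAGIC = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy .doc/.xls)"),
    (b"PK\x03\x04", "ZIP container (.docx/.docm or an archive)"),
    (b"MZ", "Windows PE executable"),
)


def carve_base64_payload(raw_email):
    """Decode the longest Base64 run in the message body, tolerating
    76-column line wrapping and a run that was cut off mid-group."""
    _headers, sep, body = raw_email.partition("\r\n\r\n")
    if not sep:
        _headers, sep, body = raw_email.partition("\n\n")
    if not sep:
        return None
    compact = re.sub(r"\s+", "", body)  # undo line wrapping
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", compact)
    if not runs:
        return None
    chunk = max(runs, key=len).rstrip("=")
    if len(chunk) % 4 == 1:  # a lone trailing sextet cannot encode a byte
        chunk = chunk[:-1]
    chunk += "=" * (-len(chunk) % 4)  # re-pad a truncated run
    try:
        return base64.b64decode(chunk)
    except binascii.Error:
        return None


def identify(data):
    """Name the container by its leading magic bytes."""
    for magic, description in MAGIC:
        if data.startswith(magic):
            return description
    return "unknown"


def is_known_hash(md5_hex):
    """True if the hash is one of those quoted in the post."""
    return md5_hex.lower() in KNOWN_MD5S


def analyse_message(raw_email):
    """Carve, fingerprint and hash the payload; None if nothing decodes."""
    data = carve_base64_payload(raw_email)
    if data is None:
        return None
    md5 = hashlib.md5(data).hexdigest()
    return {"size": len(data), "type": identify(data), "md5": md5, "known": is_known_hash(md5)}


if __name__ == "__main__":
    print(analyse_message(RAW_EMAIL))
```

The re-padding step matters for this family of spam: a run that is cut off at the end of the message still decodes to the leading bytes, which is enough to see the OLE2 header and confirm you are looking at a Word document rather than noise. A hash of a truncated blob will not match the IOCs, so treat the MD5 as meaningful only when the decoded length looks like a complete file.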

Automated analysis tools [1] [2] [3] show that it attempts to communicate with the following IP:

185.12.95.191 (RuWeb CJSC, Russia)

According to the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56.

MD5s:
67a5facf854a72382a8d8e308027baa3
f998950151c5922cd2c338290e78a420
59f03febb357e343f33937b9925b8846
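For anyone wanting to sweep their own logs for this campaign, the following is an added example (not part of the original post) that matches the indicators above against proxy-log lines and a dropped-file path. The log format (timestamp, client IP, server IP, method, URL, status) is an assumed one, the lines are constructed, and the 203.0.113.x server addresses for the download host are made up from TEST-NET because the post does not give that site's address; the only real indicators are the URL, the host name, the IP 185.12.95.191 and the %TEMP% file name quoted above.

```python
import re
from urllib.parse import urlsplit

# Network indicators quoted in the post.
IOC_URL = "http://massachusettsselfstorage.com/62/927.exe"
IOC_HOSTS = {"massachusettsselfstorage.com"}
IOC_IPS = {"185.12.95.191"}
# Host-based indicator: the name the macro writes the download under.
IOC_DROP_NAME = "johan3.2.b.exe"

# Constructed proxy-log lines in an assumed format:
#   timestamp client_ip server_ip method url status
# Server IPs for the download host are TEST-NET addresses, i.e. made up.
SAMPLE_LOGS = [
    "2015-04-28T09:07:11Z 10.1.2.33 93.184.216.34 GET http://example.com/ 200",
    "2015-04-28T09:07:12Z 10.1.2.33 203.0.113.10 GET http://massachusettsselfstorage.com/62/927.exe 200",
    "2015-04-28T09:07:20Z 10.1.2.33 185.12.95.191 POST http://185.12.95.191/ 200",
    "2015-04-28T09:08:00Z 10.1.2.44 203.0.113.10 GET http://massachusettsselfstorage.com/about.html 200",
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(line):
    """Return the IOC matches for one log line: [] if clean, None if the
    line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if url == IOC_URL:
        reasons.append("exact payload URL")
    elif host in IOC_HOSTS:
        # Weaker signal: the host may also serve legitimate pages.
        reasons.append("payload host, other path")
    if m.group("dst") in IOC_IPS or host in IOC_IPS:
        reasons.append("sandbox-reported IP")
    return reasons


def scan_logs(lines):
    """Return (line_number, client_ip, reasons) for every line that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, LOG_RE.match(line).group("src"), reasons))
    return hits


def is_dropped_payload(path):
    """True if a file path's basename is the macro's drop name (case-insensitive)."""
    name = re.split(r"[\\/]", path)[-1]
    return name.lower() == IOC_DROP_NAME


if __name__ == "__main__":
    for n, src, reasons in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {src} -> {', '.join(reasons)}")
```

The exact URL and the IP are the strong matches; a hit on the download host with a different path is reported separately because it may be ordinary browsing. The drop name is whatever the macro author chose for this run and is trivially changed, so the MD5s above (the post notes the binary is the same across documents) are the more durable indicators for endpoint sweeps.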
