
Tuesday, 30 June 2015

Malware spam: "Donna Vipond" / "donna.vipond@ev-ent.co.uk" / "Payment due - 75805"

This fake invoice does not come from Event Furniture Ltd but is instead a simple forgery with a malicious attachment:

From     "Donna Vipond" [donna.vipond@ev-ent.co.uk]
Date     Tue, 30 Jun 2015 13:13:28 +0100
Subject     Payment due - 75805

Please advise when we can expect to receive payment of the attached
invoice now due?  I await to hear from you.

Kind Regards

Donna Vipond

Accounts

Event Furniture Ltd T/A Event Hire

Tel: 01922 628961 x 201
Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis report [1] [2]). The samples I saw downloaded a file from either:

www.medisinskyogaterapi.no/59/56.exe
www.carpstory.de/59/56.exe


This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55. The various analyses, including this Malwr report and this Hybrid Analysis, indicate malicious traffic to 78.47.139.58 (Hetzner, Germany).

The payload is probably the Dridex banking trojan.

Recommended blocklist:
78.47.139.58

MD5s:
e704ff948e791ad67d2c46238629335d
b93dfe419fd9c2638fb4afce85efa3f2
25871a5bbeb85b0fbc07531cfc6193ce
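The download URLs, the dropped file name, the blocklist IP and the MD5s above are the indicators a defender would actually check for. The following Python script is an added example (not from the original post) that does that: it scans proxy/firewall log lines for the two download URLs and the 78.47.139.58 address, and checks a file's MD5 and name against the list. The log lines and the log layout (`timestamp src_ip action dst_ip url`) are constructed for the example; adapt the regular expression to your own proxy format.

```python
import hashlib
import re

# Indicators taken from the post above.
DOWNLOAD_URLS = {
    "www.medisinskyogaterapi.no/59/56.exe",
    "www.carpstory.de/59/56.exe",
}
C2_IPS = {"78.47.139.58"}
PAYLOAD_MD5S = {
    "e704ff948e791ad67d2c46238629335d",
    "b93dfe419fd9c2638fb4afce85efa3f2",
    "25871a5bbeb85b0fbc07531cfc6193ce",
}
DROP_NAME = "silvuple.exe"  # saved under %TEMP% according to the post

# Constructed sample log (not real traffic), one request per line:
# timestamp src_ip action dst_ip url   ("-" when there is no URL)
SAMPLE_LOG = """\
2015-06-30T12:15:02Z 10.0.0.21 GET 1.2.3.4 http://www.carpstory.de/59/56.exe
2015-06-30T12:15:09Z 10.0.0.21 CONNECT 78.47.139.58 -
2015-06-30T12:16:40Z 10.0.0.33 GET 5.6.7.8 http://example.org/index.html
2015-06-30T12:18:01Z 10.0.0.45 GET 9.9.9.9 http://www.medisinskyogaterapi.no/59/56.exe
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def normalise_url(url):
    """Drop the scheme and lower-case so the post's host/path form matches
    whether the request was logged as http:// or https://."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).lower()


def scan_log(text):
    """Return (timestamp, src_ip, reason, indicator) for every line that
    touches a payload URL or the blocklisted IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, _action, dst, url = m.groups()
        if dst in C2_IPS:
            hits.append((ts, src, "c2-ip", dst))
        if url != "-" and normalise_url(url) in DOWNLOAD_URLS:
            hits.append((ts, src, "payload-url", url))
    return hits


def check_file(data, name=None):
    """Hash a file's bytes and report why it matches the post's indicators.
    Returns (md5_hex, list_of_reasons); an empty list means no match."""
    md5 = hashlib.md5(data).hexdigest()
    reasons = []
    if md5 in PAYLOAD_MD5S:
        reasons.append("md5-match")
    if name and name.lower() == DROP_NAME:
        reasons.append("dropped-name")
    return md5, reasons


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s host %s: %s %s" % hit)
    # Constructed bytes, so only the file name will match here.
    print(check_file(b"constructed placeholder content", "silvuple.exe"))
```

Matching on host and path rather than the full URL avoids missing the same fetch logged with a different scheme, and a hit on the dropped file name alone is a weak signal worth confirming with the hash or the VirusTotal result.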
