From: [1NAV PROD RCS] [mailto:donotreply@royal-canin.fr]
Subject: Order Confirmation RET-385236 250615
Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
In the sample I have seen, the attachment is called Order Confirmation RET-385236 250615.doc which contains this malicious macro [pastebin] which downloads a component from the following location:
http://colchester-institute.com/708/346.exe
Usually there are several different versions of the macro, each one loading an identical binary but from different locations. This file is saved as %TEMP%\biksenpd.exe and has a VirusTotal detection rate of 7/55.
According to various automated analysis tools, the sample doesn't seem to run properly [1] [2] [3] [4] but it looks like it tries to send traffic to the following IPs:
68.169.49.213 (Strategic Systems Consulting, US)
87.236.215.151 (OneGbits, Lithuania)
2.185.181.155 (ASDL Subscriber, Iran)
Recommended blocklist:
68.169.49.213
87.236.215.151
2.185.181.155
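As an added example that is not part of the original post, the script below turns the indicators listed above (the three IPs, the download host and the dropped file name) into a simple scan over proxy, firewall and endpoint log lines, returning which indicator each matching line contains. The log lines are constructed for illustration, the log format is assumed, and the Windows path is an assumed expansion of %TEMP%.

```python
"""Added example (not the original post's code): match the post's indicators
against constructed log lines and report which lines hit."""
import re
from ipaddress import ip_address

# Indicators taken from the post above.
BLOCKLIST_IPS = {"68.169.49.213", "87.236.215.151", "2.185.181.155"}
DOWNLOAD_HOST = "colchester-institute.com"   # host serving /708/346.exe
DROPPED_NAME = "biksenpd.exe"               # file written under %TEMP%

# Dotted-quad candidates; validated with ipaddress so "999.1.1.1" is ignored.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def indicators_in_line(line):
    """Return the set of indicators from the post that appear in one log line."""
    hits = set()
    for candidate in IP_RE.findall(line):
        try:
            ip = str(ip_address(candidate))
        except ValueError:
            continue
        if ip in BLOCKLIST_IPS:
            hits.add(ip)
    lowered = line.lower()
    if DOWNLOAD_HOST in lowered:
        hits.add(DOWNLOAD_HOST)
    if DROPPED_NAME in lowered:
        hits.add(DROPPED_NAME)
    return hits


def scan_logs(lines):
    """Return a list of (1-based line number, hit set) for lines with any hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = indicators_in_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (not real traffic); format is assumed.
# 10.0.0.x are internal hosts, 203.0.113.5 is a benign documentation address.
SAMPLE_LOGS = [
    "2015-06-25T09:12:01Z proxy ALLOW 10.0.0.15 -> http://colchester-institute.com/708/346.exe GET 200",
    "2015-06-25T09:12:03Z fw ALLOW 10.0.0.15:49211 -> 68.169.49.213:80 TCP",
    "2015-06-25T09:12:05Z fw ALLOW 10.0.0.22:51002 -> 203.0.113.5:443 TCP",
    "2015-06-25T09:12:07Z fw DROP 10.0.0.15:49215 -> 2.185.181.155:8080 TCP",
    "2015-06-25T09:12:09Z edr process_create C:\\Users\\user\\AppData\\Local\\Temp\\biksenpd.exe",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {sorted(hits)}")
```

The IPs are normalised through `ipaddress` before comparison so that a line mentioning a non-address such as `999.1.1.1` never matches, and the host and file name are compared case-insensitively because proxy and EDR logs differ in how they record them.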