From: steve.tasker9791@thomashiggins.com
Date: 9 June 2015 at 10:41
Subject: Password Confirmation [490192125626] T82
Full document is attached

So far I have seen only a single example of this. Attached is a malicious Word document named 1913.doc [VT 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:
http://oakwindowsanddoors.com/42/11.exe
Incidentally, the macro contains a LOT of junk that appears to have been harvested from a Microsoft tutorial or something. The downloaded executable has a VirusTotal detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] indicate traffic to the following IPs:
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
31.186.99.250 (Selectel, Russia)
The Malwr report shows that it downloads a Dridex DLL with a detection rate of 3/57.
Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250
MD5s:
3a39074dd9095e0b436dcc9513a0408a
1994c977a4e6e6386e0ba17c0cffe5c9
2e5c33d8fdf22053cb3f49b200b35dc8
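
One way to check proxy logs for hosts that already contacted the indicators above, as an added example that is not part of the original post. The log format (timestamp, client IP, destination IP, method, URL), the sample lines and the `find_hits` name are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCKLIST_IPS = {ipaddress.ip_address(ip) for ip in (
    "173.230.130.172", "94.23.53.23", "31.186.99.250")}
DOWNLOAD_HOST = "oakwindowsanddoors.com"

# Constructed sample log (assumed format: timestamp client dest_ip method url).
# The fourth line is a deliberate near miss: 94.23.53.230 contains the
# blocklisted 94.23.53.23 as a substring but is a different address.
SAMPLE_LOG = """\
2015-06-09T10:52:03Z 10.0.4.17 198.51.100.20 GET http://oakwindowsanddoors.com/42/11.exe
2015-06-09T10:52:41Z 10.0.4.17 173.230.130.172 POST http://173.230.130.172/
2015-06-09T10:53:10Z 10.0.9.30 203.0.113.8 GET http://example.org/index.html
2015-06-09T10:54:00Z 10.0.4.17 94.23.53.230 GET http://example.net/
not a log line
"""


def find_hits(log_text):
    """Return {client_ip: [(timestamp, reason), ...]} for matching lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, dest, _method, url = fields
        try:
            dest_ip = ipaddress.ip_address(dest)
        except ValueError:
            continue  # destination column is not an IP address
        # Compare parsed addresses, not strings, to avoid substring matches.
        if dest_ip in BLOCKLIST_IPS:
            hits[client].append((ts, f"blocklisted IP {dest_ip}"))
        # urlsplit lowercases the hostname; strip a trailing root dot.
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host == DOWNLOAD_HOST:
            hits[client].append((ts, f"download host {host}"))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_hits(SAMPLE_LOG).items():
        for ts, reason in events:
            print(f"{client} {ts} {reason}")
```

A client that shows both the download and a later connection to a blocklisted IP, as 10.0.4.17 does in the sample, has most likely run the macro and should be triaged first.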