Sponsored by..

Tuesday 9 June 2015

Malware spam: "Password Confirmation [490192125626] T82"

This spam email message comes with a malicious attachment:
From:    steve.tasker9791@thomashiggins.com
Date:    9 June 2015 at 10:41
Subject:    Password Confirmation [490192125626] T82

Full document is attached
So far I have seen only a single example of this. Attached is a malicious Word document named 1913.doc [VT 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:

http://oakwindowsanddoors.com/42/11.exe

Incidentally, the macro contains a LOT of junk that appears to have been harvested from a Microsoft tutorial or something. The downloaded executable has a VirusTotal detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] indicate traffic to the following IPs:

173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
31.186.99.250 (Selectel, Russia)


The Malwr report shows that it downloads a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250

MD5s:
3a39074dd9095e0b436dcc9513a0408a
1994c977a4e6e6386e0ba17c0cffe5c9
2e5c33d8fdf22053cb3f49b200b35dc8

No comments: