Monday 1 June 2015

Malware spam: "simonharrington@talktalk.net" / "Subject: Emailing: slide1"

This malware spam arrived in my mailbox in a somewhat mangled state.
From:    Simon Harrington [simonharrington@talktalk.net]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700
Instead of having an attachment, it has a Base64-encoded section like this:


As it stands, this email is harmless: nothing runs until someone extracts that section and decodes it by hand. Extracting and decoding it gives a file named slide1.doc, which contains this malicious macro [pastebin].
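As an added illustration (not part of the original post, and not the author's own tooling), here is a small Python script that does that manual extraction step: it finds the bare Base64 run left in a mangled mail body, decodes it, identifies the result by its magic bytes, and hashes it for a VirusTotal lookup. The mail body and the "document" it carries are constructed for the example; the real slide1.doc is not reproduced.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample payload: the OLE2 compound-file header that every legacy
# .doc starts with, plus filler. This is NOT the real slide1.doc.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"\x00" * 24
    + b"constructed filler, not a real document\n" * 4
)

# Constructed sample of a "mangled" mail: the MIME boundaries have been lost,
# so the attachment survives only as a bare Base64 block in the body text.
SAMPLE_MAIL = (
    "From: Simon Harrington [simonharrington@talktalk.net]\n"
    "Subject: Emailing: slide1\n"
    "\n"
    "Your message is ready to be sent with the following file attachments:\n"
    "\n"
    'Content-Type: application/msword; name="slide1.doc"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(SAMPLE_DOC).decode("ascii")
    + "\n"
)

# A Base64 body line: only alphabet characters, optional padding, nothing else.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}\s*$")

# Magic bytes for the file types that usually turn up in this kind of spam.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (legacy .doc/.xls/.ppt)",
    b"PK\x03\x04": "ZIP container (possibly .docx/.xlsm or a zipped EXE)",
    b"MZ": "PE executable",
    b"%PDF": "PDF",
}


def find_base64_blocks(text, min_lines=3):
    """Return runs of consecutive Base64-looking lines, longest run first."""
    blocks, run = [], []
    for line in text.splitlines():
        if B64_LINE.match(line):
            run.append(line.strip())
            continue
        if len(run) >= min_lines:
            blocks.append("".join(run))
        run = []
    if len(run) >= min_lines:
        blocks.append("".join(run))
    return sorted(blocks, key=len, reverse=True)


def decode_block(block):
    """Strictly decode a Base64 string; None if it is not valid Base64."""
    try:
        return base64.b64decode(block, validate=True)
    except binascii.Error:
        return None


def identify(data):
    """Classify the decoded bytes by their leading magic bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def suggested_filename(text, default="attachment.bin"):
    """Recover a filename hint from a surviving name="..." header, if any."""
    match = re.search(r'name="?([^";\r\n]+)"?', text)
    return match.group(1) if match else default


def carve(mail_text):
    """Decode the largest valid Base64 block; None if nothing decodes."""
    for block in find_base64_blocks(mail_text):
        data = decode_block(block)
        if data:
            return {
                "filename": suggested_filename(mail_text),
                "type": identify(data),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            }
    return None


if __name__ == "__main__":
    result = carve(SAMPLE_MAIL)
    if result is None:
        print("no decodable Base64 block found")
    else:
        # Write the carved file under its own name for offline analysis
        # (olevba, a sandbox, a hash lookup); never open it in Word.
        with open(result["filename"], "wb") as fh:
            fh.write(result["data"])
        print(f'{result["filename"]}: {result["type"]}, '
              f'{result["size"]} bytes, sha256 {result["sha256"]}')
```

The strict decode (validate=True) is what separates a real Base64 attachment from a run of ordinary words that happen to fit the character class; the magic-byte check then tells you whether to reach for olevba or a sandbox before anything else touches the file.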

This macro downloads a malicious component from:


That download has a VirusTotal detection rate of 7/56. This Malwr report shows it communicating with the same IPs we saw earlier: (Selectel Network, Russia), (Digital Ocean, US), (Digital Ocean, Netherlands) and (Hetzner, Germany).

It also drops the same Dridex DLL we saw earlier, now with a detection rate of 9/56.

Recommended blocklist:


Incidentally, the email address is a genuine one belonging to a poor chap in Tunbridge Wells (who has nothing to do with this). I bet his mailbox is completely packed with bouncebacks and responses from confused people.

