From: Mirjana Prgomet [mirjana@fokus-medical.hr]
Date: 20 May 2015 at 08:26
Subject: Uplata po pon 43421

There is no body text, but the only example I saw had an attachment named report20520159260[1].doc containing this malicious macro [pastebin], which downloads a malicious executable from:

http://uvnetwork.ca/1/09.exe
This is saved as %TEMP%\eldshrt1.exe and has a VirusTotal detection rate of 3/56. There are probably other download locations with other variants of the document, but the payload should be the same in each case.
Automated analysis tools [1] [2] [3] indicate network traffic to the following locations:
31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)
The Malwr report shows that it drops a Dridex DLL with a detection rate of 5/53.
Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214
MD5s:
7008675da5c1b0a6b59834d125fafa45
cef5555f191735867c34868c346501ad
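The indicators above are only useful if they get checked against something. The following script is an added example, not part of the original post or any tool it links to: it loads the post's blocklist IPs, MD5s, download host and dropped filename, scans proxy or firewall log lines for the IPs and for the download URL or dropped executable name, and hashes files against the MD5 list. The log lines embedded in it are constructed for the example and are not real traffic; the `scan_log`, `is_known_sample` and `scan_files` function names are my own.

```python
import hashlib
import re
from pathlib import Path

# Indicators as listed in the post above.
BLOCKLIST_IPS = {
    "31.186.99.250",    # Selectel Network, Russia
    "107.170.1.205",    # Digital Ocean, US
    "146.185.128.226",  # Digital Ocean, Netherlands
    "144.76.238.214",   # Hetzner, Germany
}
MALICIOUS_MD5S = {
    "7008675da5c1b0a6b59834d125fafa45",
    "cef5555f191735867c34868c346501ad",
}
DOWNLOAD_HOST = "uvnetwork.ca"   # host serving 09.exe
DROPPED_NAME = "eldshrt1.exe"    # name the payload is saved under in %TEMP%

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample proxy log (not real traffic) in a simple
# "timestamp client method target status" layout.
SAMPLE_PROXY_LOG = [
    '2015-05-20 08:31:02 10.0.0.12 GET http://uvnetwork.ca/1/09.exe 200',
    '2015-05-20 08:31:05 10.0.0.12 CONNECT 107.170.1.205:443 200',
    '2015-05-20 08:31:07 10.0.0.15 GET http://example.com/index.html 200',
    '2015-05-20 08:32:10 10.0.0.12 CONNECT 144.76.238.214:8080 200',
]


def scan_log(lines):
    """Return {"ip": [(line_no, ip), ...], "url": [line_no, ...]} for the
    lines that reference a blocklisted IP, the download host, or the
    dropped filename. Line numbers are 1-based."""
    hits = {"ip": [], "url": []}
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in BLOCKLIST_IPS:
                hits["ip"].append((n, ip))
        lowered = line.lower()
        if DOWNLOAD_HOST in lowered or DROPPED_NAME in lowered:
            hits["url"].append(n)
    return hits


def is_known_sample(data, known=MALICIOUS_MD5S):
    """True if the MD5 of the given bytes is in the known-bad set.
    MD5 is used only because the post publishes MD5s; for your own
    indicators prefer SHA-256."""
    return hashlib.md5(data).hexdigest() in known


def scan_files(paths, known=MALICIOUS_MD5S):
    """Hash each file and return the paths whose MD5 is known-bad."""
    return [str(p) for p in map(Path, paths) if p.is_file() and is_known_sample(p.read_bytes(), known)]


if __name__ == "__main__":
    result = scan_log(SAMPLE_PROXY_LOG)
    for n, ip in result["ip"]:
        print(f"line {n}: connection to blocklisted IP {ip}")
    for n in result["url"]:
        print(f"line {n}: reference to download host or dropped file")
```

Point `scan_files` at a user's `%TEMP%` directory, or `scan_log` at a day of proxy logs, to turn the post's IOCs into a quick triage check; a hit on the download URL is the earliest signal, since it precedes the command-and-control traffic to the four listed IPs.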
1 comment:
"Uplata po pon.xxxx" or "Uplata po ponudi broj xxxx" means "Payment per offer no.xxxx"
Everybody wants to know who's paying them for something, so they open that mail and attachment.
This is a very successful way to spread malware!