From web-filing@companies-house.gov.uk
Date Wed, 01 Jul 2015 10:49:12 +0300
Subject Document Order 534-550719-84513074/1
Order: 534-550719-84513074 29/06/2015 09:35:46
Companies House WebFiling order 534-550719-84513074/1 is attached.
Thank you for using the Companies House WebFiling service.
--
Email: enquiries@companies-house.gov.uk Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept
incoming email. Please do not reply directly to this message.
In the same I saw, the attachment was named compinfo_534-550719-84513074_1.doc [VT 2/55] which contained this malicious macro [pastebin] which downloads a file from:
http://demaiffe.be/75/85.exe
This is then saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of just 1/55. Automated analysis tools [1] [2] [3] indicates malicious traffic to:
78.47.139.58 (Hetzner, Germany)
This IP has been seen a few time recently. Blocking traffic to it is probably a good idea.
The payload is probably the Dridex banking trojan which usually drops via a DLL, although I have not been able to obtain a sample.
MD5s:
7e634a4d8eaad8643d5828b1606c709f
847aa0e22b419316a2e82c813d5ca690


 
 
No comments:
Post a Comment