Tuesday, 28 July 2015

Malware spam: "Incoming Fax" / "Internal ONLY"

This fake fax message leads to malware:

From:    Incoming Fax [Incoming.Fax@victimdomain]
Date:    18 September 2014 at 08:39
Subject:    Internal ONLY

**********Important - Internal ONLY**********

File Validity: 28/07/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

(#2023171)Renewal Invite Letter sp.exe

Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:

http://umontreal-ca.com/word/word.exe

This has a VirusTotal detection rate of 2/55.

umontreal-ca.com (89.144.10.200 / ISP4P, Germany) is a known bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.

UPDATE:
This Hybrid Analysis report shows traffic to the following IPs:

67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)

Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208
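As an added defensive example (not part of the original post), the script below runs the indicators listed above against proxy log lines to find which internal hosts fetched the payload or talked to the listed IPs. The Squid native access.log layout, the internal client addresses and the benign request in the sample are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the download URL, the hosting domain and the recommended blocklist.
PAYLOAD_URL = "http://umontreal-ca.com/word/word.exe"
BAD_DOMAINS = {"umontreal-ca.com"}
BLOCKLIST_IPS = {ipaddress.ip_address(a) for a in (
    "89.144.10.200", "67.222.202.183", "195.154.163.4", "192.99.35.126", "95.211.189.208")}

# Squid native access.log layout (assumed): time elapsed client action/code bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
    r"\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+")

def classify(line):
    """Parse one proxy log line; return a hit record with its match reasons, or None if it is clean."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    url, peer = m.group("url"), m.group("peer")
    # CONNECT lines carry a bare host:port; prepend "//" so urlsplit still yields the host.
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    reasons = []
    if url == PAYLOAD_URL:
        reasons.append("exact payload URL")
    if host in BAD_DOMAINS or host.endswith(tuple("." + d for d in BAD_DOMAINS)):
        reasons.append("known bad domain " + host)
    for candidate in dict.fromkeys((host, peer)):  # requested host (if an IP literal) and the peer contacted
        try:
            if ipaddress.ip_address(candidate) in BLOCKLIST_IPS:
                reasons.append("blocklisted IP " + candidate)
        except ValueError:
            pass  # a hostname, not an IP literal
    if not reasons:
        return None
    return {"client": m.group("client"), "url": url, "reasons": reasons}

def scan(lines):
    """Return a hit record for every line that touches one of the post's indicators."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not from the post): one payload fetch, one check-in to a listed IP, one benign request.
SAMPLE_LOG = """\
1438075200.123    512 10.0.0.15 TCP_MISS/200 40960 GET http://umontreal-ca.com/word/word.exe - HIER_DIRECT/89.144.10.200 application/octet-stream
1438075201.456     80 10.0.0.15 TCP_MISS/200 1024 POST http://195.154.163.4/ - HIER_DIRECT/195.154.163.4 text/html
1438075202.789     30 10.0.0.22 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
""".splitlines()
```

Feeding a real access.log through `scan()` gives the list of internal clients that need a closer look, rather than only the block decision at the perimeter.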