From: Incoming Fax [Incoming.Fax@victimdomain]
Date: 18 September 2014 at 08:39
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 28/07/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
(#2023171)Renewal Invite Letter sp.exe
Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http://umontreal-ca.com/word/word.exe
This has a VirusTotal detection rate of 2/55.
umontreal-ca.com (89.144.10.200 / ISP4P, Germany) is a known bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE:
This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208
No comments:
Post a Comment