Sponsored by..

Wednesday 22 July 2015

Malware spam: HMRC application with reference XXXX XXXX XXXX XXXX received / noreply@hmrc.gov.uk

These spam emails do not come from HMRC (the UK tax office) but are instead a simple forgery with a malicious attachment.
From:    noreply@hmrc.gov.uk [noreply@hmrc.gov.uk]
Date:    22 July 2015 at 13:19
Subject:    HMRC application with reference 5CSS 1QDX 27KH LRFM received

The application with reference number 5CSS 1QDX 27KH LRFM submitted by you or your agent to register for HM Revenue & Customs (HMRC)  has been received and will now be verified. HMRC will contact you if further information is needed.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Attached is a file 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc with a VirusTotal detection rate of 7/55 which if opened (not advised) pretends to be an encrypted document that requires Active Content to be enabled.

According to this Hybrid Analysis report the embedded macro contacts the following hosts to download components:

vinestreetfilms.com/wp-content/plugins/jetpack/_inc/genericons/genericons/rtl/78672738612836.txt
midlandspestcontrol.net/wp-includes/js/tinymce/themes/advanced/skins/o2k7/78672738612836.txt
midlandspestcontrol.net//wp-includes/js/tinymce/themes/advanced/skins/o2k7/fafa.txt

This includes another malicious script. This then leads to the download of a malicious binary from:

anacornel.com/images/desene/united.exe

This has a VirusTotal detection rate of just 2/55. Automated analysis is pending.

MD5s:
605905df205b6c266856990a49abdfef
1fdb0af80d01739410a3eef67c4144ff

UPDATE: a Hybrid Analysis report is here, but it does not add much more detail.

No comments: