Tuesday, 6 October 2015

Malware spam: "Copy of Invoice(s)" / "Anny Beckley [Anny@hammondsofknutsford.co.uk]"

This fake financial spam does not come from Hammonds of Knutsford but is instead a simple forgery with a malicious attachment:

From     Anny Beckley [Anny@hammondsofknutsford.co.uk]
Date     Tue, 06 Oct 2015 12:29:23 +0430
Subject     Copy of Invoice(s)

Please find attached a copy of Invoice Number(s) 82105

In the two samples that I have seen, the attached file was named Q_46Q0VWHU4.DOC with a VirusTotal detection rate of 7/56. This document contains a malicious macro [pastebin] which downloads a further component from the following location:

rothschiller.net/~medicbt9/65yg3f3/43g5few.exe

This currently has a detection rate of just 1/56, and it appears to be saved as %TEMP%\rrdDhhm.exe. Note that there are usually several different document versions spammed out with different download locations, but the payload is the same in every case.

Automated analysis is pending, but the payload is almost definitely the Dridex banking trojan.

UPDATE: 
The Hybrid Analysis report for the document is here and the analysis of the dropped executable is here, showing the malware phoning home to 84.246.226.211 (ELB Multimedia, France).
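The indicators above (the download URL, the C2 address and the forged sender/subject combination) are the sort of thing a defender turns into log checks and mail triage rules. The script below is an added example, not part of the original post or any vendor tooling: it scans constructed proxy log lines for the download location and the phone-home address, and triages a constructed copy of the spam for the campaign subject, the forged sender domain and a macro-capable OLE2 attachment. The log format, the sample message and the helper names are assumptions made for illustration; only the indicators come from the post.

```python
"""Indicator checks for the "Copy of Invoice(s)" Dridex spam run.

Added example, not from the original post. The proxy log lines and the
e-mail below are constructed for illustration; the indicators themselves
(download URL, C2 IP, forged sender domain, subject) come from the post.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Indicators reported in the post
DOWNLOAD_HOSTS = {"rothschiller.net"}
DOWNLOAD_PATH_RE = re.compile(r"/~medicbt9/65yg3f3/43g5few\.exe$")
C2_IPS = {"84.246.226.211"}
FORGED_SENDER_DOMAIN = "hammondsofknutsford.co.uk"   # spoofed, not the real sender
CAMPAIGN_SUBJECT = "Copy of Invoice(s)"
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy Office container header

# Constructed proxy log (assumed format: epoch client method url status)
SAMPLE_PROXY_LOG = """\
1444131000 10.0.0.12 GET http://rothschiller.net/~medicbt9/65yg3f3/43g5few.exe 200
1444131005 10.0.0.12 GET http://example.org/index.html 200
1444131020 10.0.0.12 POST http://84.246.226.211:8080/ 200
1444131030 10.0.0.40 GET http://rothschiller.net/about.html 200
"""

# Constructed message mirroring the headers quoted in the post; the
# attachment body is a truncated OLE2 header, not a real document.
SAMPLE_MAIL = """\
From: Anny Beckley <Anny@hammondsofknutsford.co.uk>
Date: Tue, 06 Oct 2015 12:29:23 +0430
Subject: Copy of Invoice(s)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please find attached a copy of Invoice Number(s) 82105
--XX
Content-Type: application/msword; name="Q_46Q0VWHU4.DOC"
Content-Disposition: attachment; filename="Q_46Q0VWHU4.DOC"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAA
--XX--
"""

URL_RE = re.compile(r"https?://([^/:\s]+)(?::\d+)?(/\S*)?")


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str
    url: str


def scan_proxy_log(text):
    """Return one Hit per log line that touches a reported indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line, skip
        _ts, client, _method, url = parts[:4]
        m = URL_RE.match(url)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        if host in C2_IPS:
            hits.append(Hit(n, client, "dridex-c2", url))
        elif host in DOWNLOAD_HOSTS and DOWNLOAD_PATH_RE.search(path):
            # Only the reported path is matched; other documents in the
            # same run use different download locations (see the post).
            hits.append(Hit(n, client, "payload-download", url))
    return hits


def triage_mail(raw):
    """Return (sender_domain, findings) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = (msg.get("Subject") or "").strip()
    findings = []
    # The From domain is forged, so on its own it proves nothing; combined
    # with the campaign subject it is a useful triage signal.
    if subject == CAMPAIGN_SUBJECT and sender_domain == FORGED_SENDER_DOMAIN:
        findings.append("campaign subject with forged sender domain")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or not fname.lower().endswith(OFFICE_EXTS):
            continue
        findings.append(f"Office attachment {fname}")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(OLE2_MAGIC):
            findings.append(f"{fname} is an OLE2 compound file (may carry a VBA macro)")
    return sender_domain, findings


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {h.line_no}: {h.client} {h.reason} {h.url}")
    print(triage_mail(SAMPLE_MAIL))
```

The proxy check deliberately matches the C2 by host and the download by host plus path, because the post notes that download locations vary between document versions while the payload and its phone-home destination stay the same; the C2 address is therefore the more durable indicator. The OLE2 magic check only establishes that the attachment is a legacy Office container that can hold a macro, not that one is present; extracting and inspecting the VBA project is the next step.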