Sponsored by..

Tuesday 27 October 2015

Malware spam: "id:9828_My_Resume"

This fake résumé spam comes with a malicious attachment. It seems that the names are randomly-generated from a list.

From:    Trinh [zhanxing1497kcuo@163.com]
Date:    27 October 2015 at 18:30
Subject:    id:9828_My_Resume
Signed by:    163.com

Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.

The macro looks like this [pastebin] and the Hybrid Analysis of the document shows traffic coming FROM (EuroByte LLC, Russia) and being POSTED to the following:


The first three are on and the second two are on which are both allocated to WebSiteWelcome customers. I would assume that those two servers are completely compromised.

The Hybrid Analysis report shows that the malware has some characteristics that make it look like ransomware.

Recommended blocklist:

This Tweet indicates that the payload is Cryptowall.

No comments: