Wednesday 21 October 2015

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is simply a forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk

********************************************************************************************

This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

******************************************************************************************** 
The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, the document does not open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending; please check back.

UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal. The Hybrid Analysis reports for both samples are inconclusive [1] [2].

UPDATE 2:
An analysis of the documents shows an HTTP request to:

ip1.dynupdate.no-ip.com:8245

All this returns is the public IP address of the computer opening the document. Although the request is not malicious in itself, it is worth watching for as an indicator of compromise.

UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened the attachment and got a screen like this:

Source: Malwr.com
...then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3]; analysis of these documents is pending, although I can tell you that they create a malicious file at %TEMP%\HichAz2.exe.
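The extra leading byte described above is easy to check for and strip programmatically. The following Python script is an added example, not part of the original post or anyone's published tool: it looks for the OLE2 compound-file signature (D0 CF 11 E0 A1 B1 1A E1) within the first few bytes of the file, strips whatever sits in front of it, and sanity-checks the sector-size field of the header before declaring the file repaired. The 16-byte search window, the function names and the sample blob are assumptions for illustration; the sample is a constructed synthetic header, not one of the spam attachments.

```python
#!/usr/bin/env python3
"""Detect and strip a stray leading byte in front of an OLE2 (.doc) header."""
import struct

# Compound File Binary (OLE2) signature; a legacy .doc/.xls starts with it at offset 0.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SEARCH_WINDOW = 16   # how far in we look for a shifted header (assumption, not from the post)


def find_ole_offset(data: bytes) -> int:
    """Return the offset of the OLE signature within the first SEARCH_WINDOW bytes, or -1."""
    return data.find(OLE_MAGIC, 0, SEARCH_WINDOW + len(OLE_MAGIC))


def is_plausible_cfb(data: bytes) -> bool:
    """Cheap sanity check on a CFB header: sector shift (offset 0x1E) must be 9 or 12."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        return False
    sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
    return sector_shift in (9, 12)       # 512-byte or 4096-byte sectors


def repair(data: bytes):
    """
    Return (status, fixed_bytes). status is one of:
      'ok'       - well-formed CFB signature already at offset 0
      'fixed'    - signature found after some junk bytes; junk stripped
      'not-ole'  - no CFB signature near the start (OOXML, RTF, or something else)
    """
    off = find_ole_offset(data)
    if off == 0:
        return "ok", data
    if off > 0:
        fixed = data[off:]
        if is_plausible_cfb(fixed):
            return "fixed", fixed
    return "not-ole", data


def build_sample(prefix: bytes = b"") -> bytes:
    """Constructed minimal CFB-looking blob (not a real document): header + one empty sector."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<H", header, 0x18, 0x003E)   # minor version
    struct.pack_into("<H", header, 0x1A, 0x0003)   # major version 3
    struct.pack_into("<H", header, 0x1C, 0xFFFE)   # byte order marker (little endian)
    struct.pack_into("<H", header, 0x1E, 9)        # sector shift: 512-byte sectors
    return prefix + bytes(header) + b"\x00" * 512


if __name__ == "__main__":
    broken = build_sample(prefix=b"\x0A")   # one stray byte, like the samples in the post
    status, fixed = repair(broken)
    print(status, len(broken), "->", len(fixed))
```

Once the stray byte is gone the file is an ordinary CFB container and can be handed to olevba or a sandbox for macro extraction. If the signature is not found at all, the attachment is something other than a legacy .doc (OOXML, RTF) and this fix does not apply.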

UPDATE 4:
The Hybrid Analysis reports for the documents [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:

www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe

At present the binary has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports, in addition to this Malwr report, indicate malicious traffic to the following IPs:

89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)


The payload is probably the Shifu banking trojan.

Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49
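To make the indicators from UPDATE 2 and UPDATE 4 actionable, here is an added Python example (not from the original post) that runs them over proxy access-log lines: it flags the ip1.dynupdate.no-ip.com:8245 lookup, the four listed download URLs, the same /56475865/ih76dfr.exe path on any other host, and direct connections to the four blocklisted IPs. The Squid native log layout, the function names and the sample log lines are assumptions; the sample lines are constructed and use documentation-range addresses, not real traffic.

```python
#!/usr/bin/env python3
"""Match proxy access-log lines against the indicators listed in the post."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post: the dynamic-DNS IP lookup from UPDATE 2,
# the four download URLs from UPDATE 4, and the recommended blocklist.
BEACON_HOST = "ip1.dynupdate.no-ip.com"
BEACON_PORT = 8245
DOWNLOAD_URLS = {
    "www.sfagan.co.uk/56475865/ih76dfr.exe",
    "www.cnukprint.com/56475865/ih76dfr.exe",
    "www.tokushu.co.uk/56475865/ih76dfr.exe",
    "www.gkc-erp.com/56475865/ih76dfr.exe",
}
DOWNLOAD_PATH = "/56475865/ih76dfr.exe"   # same payload path on a host not yet listed
BLOCKLIST_IPS = {"89.32.145.12", "119.47.112.227", "195.154.251.123", "157.252.245.49"}

# Squid native access.log layout (assumed): time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify(url: str) -> list:
    """Return the indicator names that a single request URL matches (empty list if none)."""
    hits = []
    # CONNECT requests log "host:port" with no scheme; add one so urlsplit sees a netloc
    target = url if "://" in url else "http://" + url
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if host == BEACON_HOST and parts.port == BEACON_PORT:
        hits.append("noip-beacon")            # legitimate service, but this campaign calls it on open
    if host + parts.path in DOWNLOAD_URLS:
        hits.append("known-download-url")
    elif parts.path == DOWNLOAD_PATH:
        hits.append("download-path-on-new-host")
    if host in BLOCKLIST_IPS:
        hits.append("blocklisted-c2-ip")
    return hits


def scan(lines):
    """Return [(timestamp, client, url, hits)] for every log line matching any indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("url"))
        if hits:
            findings.append((m.group("ts"), m.group("client"), m.group("url"), hits))
    return findings


# Constructed sample lines, not a real capture. Lines 2, 4, 5 and 6 are the campaign traffic.
SAMPLE_LOG = """\
1445421300.101    120 10.0.0.15 TCP_MISS/200 1345 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.1 text/html
1445421301.532     45 10.0.0.15 TCP_MISS/200 87 GET http://ip1.dynupdate.no-ip.com:8245/ - HIER_DIRECT/198.51.100.5 text/plain
1445421302.010     30 10.0.0.22 TCP_MISS/200 512 GET http://www.example.org/ - HIER_DIRECT/192.0.2.2 text/html
1445421303.877    900 10.0.0.15 TCP_MISS/200 245760 GET http://www.cnukprint.com/56475865/ih76dfr.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1445421310.204    600 10.0.0.15 TCP_MISS/200 1024 POST http://89.32.145.12/ - HIER_DIRECT/89.32.145.12 application/octet-stream
1445421312.204    600 10.0.0.31 TCP_MISS/200 1024 GET http://www.other.example/56475865/ih76dfr.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
"""

if __name__ == "__main__":
    for ts, client, url, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} {url} -> {', '.join(hits)}")
```

The no-ip lookup is kept as its own indicator because on its own it is legitimate traffic; treat it as a prompt to look at what the same client did in the following seconds, which is why the output keeps the client address next to the URL.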

15 comments:

  1. Scan has just completed...

    https://www.hybrid-analysis.com/sample/e96e3d8fe9a8509d638077ad06a147703352a3309be1e0a94438b6ca84328337?environmentId=1

    Sanesecurity ClamAV sigs (badmacro.ndb) detected this as:
    Sanesecurity.Badmacro.BadDoc.Fmt.Shell

    Cheers,
    Steve (Sanesecurity.com)

  2. My sister received this and opened it, and then, because she was worried, forwarded it to me and I then opened it. We had no idea it was fake, what should we do? Is it likely to cause any damage? Thank you.

  3. Conrad,

    I had a look at the sample and the header does seem off a bit from a normal Doc. I used forensic tools to carve the file and was able to recover some of the Doc including the macros, which I dumped to text files.

    Seems to be Dridex, but it appears there is something not quite right about the doc file; this could be accidental or something new. Maybe this will help in your analysis.

    Adam

  4. @Adam, there's an extra byte right at the beginning of the documents which is screwing it up. If you remove it, then the malware works normally (h/t @hahn_katja).

  5. looks like it creates an exe in temp called HichAz2.exe

  6. @Conrad

    So it does, that will teach me to rely on 'File' command without manually checking :)

    Thanks for the heads up

    Adam

  7. Just received one today, this one also had a read receipt

  8. Mine has a read-receipt for something ending .police.au !

  9. I've had the same :( Any advice on how to get rid of this please :)

  10. 100% malware. Got this output from emulating the doc file:

    Processes Spawned or Interacted with
    C:\Windows\System32\conhost.exe (Started)
    C:\Windows\System32\ntvdm.exe (Started)

    Files Changed
    C:\IO.SYS (Created)
    C:\MSDOS.SYS (Created)
    C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSW98R6Q\ih76dfr[1].exe (Created ,Modified)
    C:\Users\admin\AppData\Local\Temp\HichAz2.exe (Created ,Modified)
    C:\Users\admin\AppData\Local\Temp\scsF98D.tmp (Created ,Deleted ,Modified)
    C:\Users\admin\AppData\Local\Temp\scsF98E.tmp (Created ,Deleted ,Modified)

    Malware Report (5/6)
    Unexpected Activities By Time (6)

    Elapsed Time | Type             | Action
    00:00:18     | File Create      | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSW98R6Q\ih76dfr[1].exe
    00:00:18     | File Write       | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Wrote To C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSW98R6Q\ih76dfr[1].exe
    00:00:18     | File Create      | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\HichAz2.exe
    00:00:18     | File Write       | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Wrote To C:\Users\admin\AppData\Local\Temp\HichAz2.exe
    00:00:18     | Process Creation | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Windows\System32\ntvdm.exe
    00:00:18     | Process Creation | C:\Windows\System32\csrss.exe Created C:\Windows\System32\conhost.exe
    00:00:19     | File Create      | C:\Windows\System32\ntvdm.exe Created C:\MSDOS.SYS
    00:00:19     | File Create      | C:\Windows\System32\ntvdm.exe Created C:\IO.SYS
    00:00:20     | File Create      | C:\Windows\System32\ntvdm.exe Created C:\Users\admin\AppData\Local\Temp\scsF98D.tmp
    00:00:20     | File Write       | C:\Windows\System32\ntvdm.exe Wrote To C:\Users\admin\AppData\Local\Temp\scsF98D.tmp
    00:00:21     | File Create      | C:\Windows\System32\ntvdm.exe Created C:\Users\admin\AppData\Local\Temp\scsF98E.tmp
    00:00:21     | File Write       | C:\Windows\System32\ntvdm.exe Wrote To C:\Users\admin\AppData\Local\Temp\scsF98E.tmp
    00:00:23     | File Delete      | C:\Windows\System32\ntvdm.exe Deleted C:\Users\admin\AppData\Local\Temp\scsF98D.tmp
    00:00:23     | File Delete      | C:\Windows\System32\ntvdm.exe Deleted C:\Users\admin\AppData\Local\Temp\scsF98E.tmp

  11. If you want to get rid of it, try the different scanners from different vendors. Like if you use Norton, try the Sophos scanner: https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

  12. Thanks to Kristian Samstad for the SOPHOS link. Sophos found the trojan on the desktop, for some reason... and removed it.

  13. I accidentally clicked on a malware attachment "invoice_J-11671015.doc" and all my files (Word, Excel, PPT, PDF, JPEG) are corrupted. How do I fix this?

    Email: OwensTamara770@spectrumnet.bg

    Dear Ahmed,

    Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

    Let us know if you have any questions.

    We greatly appreciate your business!
    Tamara Owens
    Energy Future Holdings Corp. www.energyfutureholdings.com

  14. analyzing this file right now as part of a malware analysis class lol
