Sponsored by..

Wednesday, 7 October 2015

Malware spam: "Scanned document from MX-2600N"

This fake scanned document has a malicious payload attached.:

From:    xerox@victimdomain.tld
Reply-To:    xerox@victimdomain.tld
Date:    7 October 2015 at 10:08
Subject:    Scanned document from MX-2600N


Reply to: xerox@victimdomain.tld victimdomain.tld
>
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned document in XLS format.
Use Microsoft(R)Excel(R) to view the document.Attached is a file in the format xerox@victimdomain.tld_20151007_160214.xls (where victimdomain.tld is the victim's own domain), which has a VirusTotal detection rate of 3/56. This Excel file contains a malicious macro [pastebin] which in THIS case downloads a binary from the following location:

alarmtechcentral.com/fw43t2d/98kj6.exe

There will be other versions of the XLS file which will download components from other locations, however the payload will be the same, and it currently has a detection rate of 2/56. The VirusTotal report indicates traffic to:

84.246.226.211 (ELB Multimedia, France)

Blocking traffic to and from that IP is recommended.

Automated analysis is pending, please check back later. The payload is probably the Dridex banking trojan.

UPDATE
Here are the Hybrid Analysis reports for the XLS file and executable.

2 comments:

Unknown said...

Yes - I have just received this file addressed to canon@victim.com.
Thanks for spotting this as malware and posting your blog.

Sam Coleman said...

I just received “mx-4100n@redacted.tld_20151210_141946.xls” sent by “MX-4100N ”. The subject was “Scanned document from MX-4100N”. Sounds like they're diversifying printer models to make this harder to filter. Sketchy stuff. Thanks for the writeup.