From: e-billing.uk1@dhl.com
Date: 9 October 2015 at 09:54
Subject: Your latest DHL invoice : MSE7396821
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY
Dear Customer,
Please find attached your invoice in DOC format, dated 09/09/2015 for shipments and services supplied by DHL Express.
If you would like to download your invoice in a different format, click here to go to the DHL e-Billing website. You can also view your account details and on line invoice history here.
In the event of a problem with opening the attachment, please contact the e-Billing support team on 020 8831 5363 for assistance.
If you would like to verify the digital signature on this invoice, click here to go to the DHL e-Billing website and go to the FAQ section for instructions.
For all invoice content related queries, please contact 08442 480 777.
We look forward to receiving your payment in due course, and within the agreed credit terms as stated on your invoice.
We would like to thank you for using the services of DHL Express.
With kind regards,
The DHL e-Billing team
PROTECT YOUR PASSWORD
In the only sample I have seen, the attached file is named MSE7396821.doc and has a VirusTotal detection rate of 5/55. This contains a malicious macro [pastebin] which downloads a file from the following location:
flexicall.co.uk/fsf4fd32/8ik6sc.exe
There will undoubtedly be different versions of the document with different download locations. This binary is saved as %TEMP%\vtsAbd.exe and has a VirusTotal detection rate of 2/54. That VirusTotal report, this Malwr report and this Hybrid Analysis report show network traffic to:
86.105.33.102 (Data Net SRL, Romania)
I recommend that you block traffic to and from that IP address. The payload appears to be the Dridex banking trojan.
MD5s:
79b6080e3c2de566ee7c284a64f62a40
31f6d50a5757d5b5ba24a6f5dab01567
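As an added example (not part of the original post), the script below turns the indicators listed above into two checks a responder can run: a scan of proxy and firewall log lines for the download URL, the download host, the callback IP and the dropped file name, and a scan of a directory for files whose MD5 matches one of the two hashes or whose name is vtsAbd.exe. The log lines and the files in the demo directory are constructed stand-ins; nothing here is the real document or binary, and the Squid and iptables log layouts are assumptions, not something the post describes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted from the post above.
DOWNLOAD_URL = "flexicall.co.uk/fsf4fd32/8ik6sc.exe"
DOWNLOAD_HOST = DOWNLOAD_URL.split("/", 1)[0]
DROPPED_NAME = "vtsabd.exe"          # %TEMP%\vtsAbd.exe, compared case-insensitively
C2_IP = "86.105.33.102"
KNOWN_MD5 = {
    "79b6080e3c2de566ee7c284a64f62a40",
    "31f6d50a5757d5b5ba24a6f5dab01567",
}

# Dotted-quad matcher that will not match a shorter IP embedded in a longer one.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample log lines (Squid proxy, iptables, Sysmon-style); not real traffic.
SAMPLE_LOGS = [
    "1444380851.123    412 10.0.0.23 TCP_MISS/200 98304 GET http://flexicall.co.uk/fsf4fd32/8ik6sc.exe - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1444380853.456     10 10.0.0.23 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/203.0.113.6 text/html",
    "Oct  9 09:55:02 fw kernel: OUT src=10.0.0.23 dst=86.105.33.102 proto=TCP spt=49213 dpt=443",
    "Oct  9 09:55:03 fw kernel: OUT src=10.0.0.24 dst=86.105.33.10 proto=TCP spt=49214 dpt=80",
    r"Oct  9 09:55:10 ws23 Sysmon: Process Create: Image: C:\Users\alice\AppData\Local\Temp\vtsAbd.exe",
]


def match_line(line):
    """Return the names of the indicators that one log line matches."""
    hits = []
    lowered = line.lower()
    if DOWNLOAD_URL in lowered:
        hits.append("download-url")
    elif DOWNLOAD_HOST in lowered:
        hits.append("download-host")   # other paths on the same host are worth a look too
    if C2_IP in IPV4_RE.findall(line):
        hits.append("c2-ip")
    if DROPPED_NAME in lowered:
        hits.append("dropped-file")
    return hits


def scan_logs(lines):
    """Return (line number, indicators) for every line matching at least one indicator."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            results.append((number, hits))
    return results


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_files(directory, known_md5=KNOWN_MD5):
    """Walk a directory; report files whose MD5 is known bad or whose name is the dropped binary's."""
    suspects = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        digest = md5_of(path)
        if digest in known_md5:
            suspects.append((path.name, digest, "known-md5"))
        elif path.name.lower() == DROPPED_NAME:
            suspects.append((path.name, digest, "dropped-name"))
    return suspects


# Constructed stand-in content so the hash scan can be exercised offline.
DEMO_SAMPLE = b"constructed stand-in for the downloaded binary (not real malware)"
DEMO_MD5 = {hashlib.md5(DEMO_SAMPLE).hexdigest()}


def build_demo_dir():
    """Create a throwaway directory holding constructed files for the hash scan."""
    root = Path(tempfile.mkdtemp(prefix="dhl-ioc-"))
    (root / "8ik6sc.exe").write_bytes(DEMO_SAMPLE)         # matched by hash (demo hash only)
    (root / "vtsAbd.exe").write_bytes(b"MZ placeholder")   # matched by name only
    (root / "readme.txt").write_bytes(b"benign file")      # no match
    return root


if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS):
        print(f"log line {number}: {', '.join(hits)}")
    for name, digest, reason in find_suspect_files(build_demo_dir(), DEMO_MD5):
        print(f"{name}: {digest} ({reason})")
```

The name-based check is there because the post says the binary is written to %TEMP%\vtsAbd.exe; other versions of the document will very likely drop a different name and pull from a different URL, so treat a hit as a lead to be confirmed by hash or sandbox rather than as proof on its own, and treat a miss as no evidence either way.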