From [info@alko.co.uk]
Date Thu, 05 Nov 2015 16:33:40 +0530
Subject Document from AL-KO

This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)
Document from AL-KO.doc

Attached is a file Document from AL-KO-01.doc which probably comes in many different versions, but I've only had the chance to run two through analysis. Both are undetected by any AV vendor [1] [2] at present. The structure of the document seems unusual and I am having some difficulties seeing the malicious macros, but these two Hybrid Analysis reports [3] [4] show the macro in action, downloading from:
members.dodo.com.au/~mfranklin17/f75f9juu/009u98j9.exe
www.mazzoni-hardware.de/f75f9juu/009u98j9.exe
There will be other locations too, all downloading the same binary with a detection rate of 4/54 (MD5 39f7827813ac9bc74a4a9176c9e80487). Other automated analyses [5] [6] show network traffic to:
128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
128.199.122.196
75.99.13.123
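As an added example (not part of the original post), here is a small Python scanner that flags proxy log lines matching the indicators above: every download location seen so far shares the path /f75f9juu/009u98j9.exe, so the check keys on that path rather than on individual hosts, and it also flags any request or CONNECT to the two blocklisted addresses. It assumes a simplified Squid-style access log layout, and the sample lines are constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators from the post: every known download location shares this
# path, and these two addresses carried the post-infection traffic.
STAGE2_PATH = re.compile(r"/f75f9juu/009u98j9\.exe$", re.IGNORECASE)
BLOCKLIST = {ip_address("128.199.122.196"), ip_address("75.99.13.123")}

# Assumed log layout (Squid native format, simplified):
#   <epoch> <ms> <client> <status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def _host_and_path(url):
    """Split a proxied URL or a CONNECT host:port target into (host, path)."""
    if "://" in url:
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.path
    return url.rsplit(":", 1)[0].lower(), ""  # CONNECT target carries no path

def classify(line):
    """Return a hit dict {client, reason, target} for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = _host_and_path(m.group("url"))
    try:
        if ip_address(host) in BLOCKLIST:
            return {"client": m.group("client"), "reason": "c2-ip", "target": host}
    except ValueError:
        pass  # host is a DNS name, not an IP literal; fall through to path check
    if STAGE2_PATH.search(path):
        return {"client": m.group("client"), "reason": "stage2-download", "target": host}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and collect the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines, not real traffic (203.0.113.x is documentation space).
SAMPLE_LOG = [
    "1446740020.123 245 10.1.2.33 TCP_MISS/200 184320 GET http://www.mazzoni-hardware.de/f75f9juu/009u98j9.exe - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1446740031.456 12 10.1.2.33 TCP_MISS/200 512 POST http://128.199.122.196/ - HIER_DIRECT/128.199.122.196 text/html",
    "1446740040.000 300 10.1.2.50 TCP_MISS/200 9000 GET http://example.com/index.html - HIER_DIRECT/203.0.113.20 text/html",
    "1446740045.000 100 10.1.2.33 TCP_TUNNEL/200 3000 CONNECT 75.99.13.123:443 - HIER_DIRECT/75.99.13.123 -",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The path match will also catch the download point added in the comment below, since it uses the same /f75f9juu/009u98j9.exe path.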
1 comment:
Can add deklompjes.nl/~maurice/f75f9juu/009u98j9.exe as a 2nd stage download point