Sponsored by..

Friday 6 November 2015

Malware spam: "Invoice #00004232; From Timber Solutions" / "Kes [kerryadamson@bigpond.com]"

This fake invoice does not come from Timber Solutions but is instead a simple forgery with a malicious attachment:
From:    Kes [kerryadamson@bigpond.com]
Date:    6 November 2015 at 11:07
Subject:    Invoice #00004232; From Timber Solutions

Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow.  Please pay into the
account, details of which are at the foot of the invoice.  Kes
Attached is a file ESale.xls which I have seen just a single variant of across multiple emails. This has a VirusTotal detection rate of 3/54 and contains this malicious macro [pastebin], which (according to this Hybrid Analysis report) downloads a binary from:


..this is saved as %TEMP%\tghtop.exe and has a detection rate of... errr.. zero. Automated analysis of this binary [1] [2] shows network traffic to: (Agava Ltd, Russia)

I strongly recommend that you block traffic that that IP. The payload is most likely to be the Dridex banking trojan.


1 comment:

Melanie said...

Thanks so much for posting this! I was suspicious but if I hadn't seen this and another blogger's posts, I might have opened the thing.