From: Kes [kerryadamson@bigpond.com]Attached is a file ESale.xls which I have seen just a single variant of across multiple emails. This has a VirusTotal detection rate of 3/54 and contains this malicious macro [pastebin], which (according to this Hybrid Analysis report) downloads a binary from:
Date: 6 November 2015 at 11:07
Subject: Invoice #00004232; From Timber Solutions
Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow. Please pay into the
account, details of which are at the foot of the invoice. Kes
advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe
..this is saved as %TEMP%\tghtop.exe and has a detection rate of... errr.. zero. Automated analysis of this binary [1] [2] shows network traffic to:
89.108.71.148 (Agava Ltd, Russia)
I strongly recommend that you block traffic that that IP. The payload is most likely to be the Dridex banking trojan.
MD5s:
39fe24d2055f88cff39e27abd7dc5132
6c21a09c80e076ec5b60b7415135ae7a
1 comment:
Thanks so much for posting this! I was suspicious but if I hadn't seen this and another blogger's posts, I might have opened the thing.
Post a Comment