Wednesday, 11 November 2015

Malware spam: "Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584" / "accounts@equip4work.co.uk"

This fake invoice does not come from OfficeFurnitureOnline.co.uk but is instead a simple forgery with a malicious attachment.
From     accounts [accounts@equip4work.co.uk]
Date     Wed, 11 Nov 2015 14:54:33 +0400
Subject     Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584

Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.

This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.

Thank you for your order.
Attached is a file SI823610.XLS, of which I have seen only one version across several samples of the email; usually there are different variants. In this case, the spreadsheet contains this malicious macro [pastebin] and has a VirusTotal score of 4/54. According to this Hybrid Analysis report, it then downloads a malicious binary from:

kdojinyhb.wz.cz/87yte55/6t45eyv.exe

In turn, this binary has a detection rate of zero. Those two reports plus this Malwr report show between them malicious traffic to the following IPs:

95.154.203.249 (Iomart / Rapidswitch, UK)
182.93.220.146 (Ministry Of Education, Thailand)
89.32.145.12 (Elvsoft SRL / Coreix, Romania / UK)

The payload is the Dridex banking trojan.

Recommended blocklist:
95.154.203.249
182.93.220.146
89.32.145.12
wz.cz

MD5s:
37ceca4ac82d0ade9bac811217590ecd
01638daf6dfb757f9a27b3e8124b3324
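
One way to put the blocklist and MD5s above to use, as an added example that is not part of the original post: a small Python script that scans proxy log lines for the listed IPs and for any host under wz.cz (the downloader's host kdojinyhb.wz.cz is a subdomain of that free-hosting domain, so a suffix match is needed rather than an exact one), and checks an attachment against the two MD5s. The log format and the log lines themselves are constructed for the example.

```python
import hashlib
import ipaddress
import re

# Indicators taken from the post: the recommended blocklist and the two MD5s.
BLOCK_IPS = {"95.154.203.249", "182.93.220.146", "89.32.145.12"}
BLOCK_DOMAINS = {"wz.cz"}
BAD_MD5S = {"37ceca4ac82d0ade9bac811217590ecd", "01638daf6dfb757f9a27b3e8124b3324"}

# Constructed sample proxy log (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = """\
1447250073 10.0.0.14 GET http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe
1447250090 10.0.0.14 POST http://95.154.203.249:443/
1447250120 10.0.0.22 GET http://www.example.com/index.html
1447250130 10.0.0.31 GET http://notwz.cz/page
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def host_of(url):
    """Host part of a URL without scheme, port or path (IPv4 and names only)."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0].lower()

def domain_blocked(host):
    """True for a blocked domain or any subdomain of it; notwz.cz must not match wz.cz."""
    return any(host == d or host.endswith("." + d) for d in BLOCK_DOMAINS)

def ip_blocked(host):
    """True if the host is a literal IP address on the blocklist."""
    try:
        return str(ipaddress.ip_address(host)) in BLOCK_IPS
    except ValueError:
        return False

def scan_proxy_log(text):
    """Return (timestamp, client, host, reason) for every line hitting the blocklist."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, _method, url = m.groups()
        host = host_of(url)
        if ip_blocked(host):
            hits.append((ts, client, host, "blocked-ip"))
        elif domain_blocked(host):
            hits.append((ts, client, host, "blocked-domain"))
    return hits

def attachment_known_bad(data):
    """MD5 is used only because the post publishes MD5s; compare against them."""
    return hashlib.md5(data).hexdigest() in BAD_MD5S

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```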
4 comments:

Unknown said...

Hi,

We have this email with the same attachment, however, the download location for the exe is http:\\conesulmodelismo.com\br\87yte55\6t45eyv.exe

barcapat said...

Got this dodgy email today too.
Is there any suggested follow on for this type of dodgy email - eg where to report it?

Unknown said...

Got this email today also. Deleted straight away but good to see others have detected this.

Unknown said...

Here is the Hybrid Analysis for conesulmodelismo.com.br
https://www.hybrid-analysis.com/sample/b2818610715f6e8e9a480b8fb731b1408be157a7f75ca36f0dd34efd28598822?environmentId=1
Overlapping IP from the callbacks: 89.32.145.12
Other recommended blocks:
221.132.35.56
89.108.71.148
200.169.17.48
conesulmodelismo.com.br