From: "Mike " [mike@xencourier.co.uk]
Date: Wed, 18 Nov 2015 14:46:28 +0200
Subject: Receipt

Hi
Here is your credit card receipt attached. VAT invoice to follw in due course.
Best regards
Mike
---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

Despite the disclaimer, this is in no way free of viruses. Instead, it has a malicious attachment scan0001.xls which appears to come in at least three different versions with the following MD5s:
b8f5c889658cac07e810998aaa582d76
798c8a2a2d2fb658d4cea1fd60aff6b9
4592d152fcd1c3ea128b7b9e7224bf69
These contain a malicious macro that looks like this [pastebin]. The documents themselves have a VirusTotal detection rate of around 10/55 [1] [2] [3], and according to these Hybrid Analysis reports [4] [5] [6] the macro attempts to download a malicious binary from the following locations:
www.eurocontainers.it/h64gf3/89j6cx.exe
www.asnp.it/h64gf3/89j6cx.exe
www.samsoncontrols.co.uk/h64gf3/89j6cx.exe [file not found]
This binary has a detection rate of 7/54, and that VirusTotal report and this Malwr report both indicate malicious network traffic to:
203.172.180.195 (Ministry Of Education, Thailand)
That binary has the MD5 of:
6581b83c82ef4a2d940976a47550fb2c
The payload is likely to be the Dridex banking trojan.
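As an added example (not part of the original post), the following Python script turns the indicators above into something a defender can run: it labels file hashes as the scan0001.xls lure or the 89j6cx.exe payload, and it scans proxy log lines for the download URLs (matching on the shared /h64gf3/89j6cx.exe path so a fourth host would still be caught) and for the 203.172.180.195 address. The log lines are constructed for the example and the Squid-like field layout is an assumption; the hashes, hosts, path and IP are the ones listed in the post.

```python
"""Match the indicators from this post against file hashes and proxy log lines."""
import hashlib
import re
from typing import Dict, List

# MD5s of the three scan0001.xls variants and of the downloaded binary (from the post).
ATTACHMENT_MD5S = {
    "b8f5c889658cac07e810998aaa582d76",
    "798c8a2a2d2fb658d4cea1fd60aff6b9",
    "4592d152fcd1c3ea128b7b9e7224bf69",
}
PAYLOAD_MD5 = "6581b83c82ef4a2d940976a47550fb2c"

# Download locations and the post-infection address (from the post).
DOWNLOAD_URLS = {
    "www.eurocontainers.it/h64gf3/89j6cx.exe",
    "www.asnp.it/h64gf3/89j6cx.exe",
    "www.samsoncontrols.co.uk/h64gf3/89j6cx.exe",
}
DOWNLOAD_PATH = "/h64gf3/89j6cx.exe"  # path shared by all three download hosts
C2_IP = "203.172.180.195"

# Proxy access log lines constructed for this example (not real traffic).
# Assumed layout: timestamp client status method target
SAMPLE_LOG = """\
1447850001.123 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1447850002.456 10.0.0.7 TCP_MISS/200 GET http://www.asnp.it/h64gf3/89j6cx.exe
1447850003.789 10.0.0.7 TCP_MISS/000 CONNECT 203.172.180.195:443
1447850004.012 10.0.0.9 TCP_MISS/404 GET http://www.other-host.example/h64gf3/89j6cx.exe
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)"
)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that hits a download URL, the shared path, or the C2 IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        target = m.group("target")
        hostpath = target.split("://", 1)[-1]  # drop the scheme for set lookup
        reason = None
        if hostpath in DOWNLOAD_URLS:
            reason = "known download URL"
        elif DOWNLOAD_PATH in target:
            reason = "download path on unlisted host"
        elif target.split(":")[0] == C2_IP:
            reason = "C2 address"
        if reason:
            hits.append({"client": m.group("client"), "target": target, "reason": reason})
    return hits


def classify_md5(digest: str) -> str:
    """Label a file hash as the lure document, the payload, or unknown."""
    d = digest.strip().lower()
    if d in ATTACHMENT_MD5S:
        return "scan0001.xls lure"
    if d == PAYLOAD_MD5:
        return "89j6cx.exe payload"
    return "unknown"


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of in-memory file content, for feeding classify_md5()."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['target']} ({hit['reason']})")
    print(classify_md5("B8F5C889658CAC07E810998AAA582D76"))
```

Matching on the shared path as well as the full URL is deliberate: these campaigns rotate compromised hosts quickly, while the directory and filename tend to stay constant for a run, so the path is the more durable indicator of the two.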