Sponsored by..

Monday 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )
I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.


I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:


This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to: (Cizgi Telekomunikasyon Anonim Sirketi, Turkey) (PT. Drupadi Prima, Indonesia) (Agava Ltd, Russia) (Elive Ltd, Ireland) (Mauritius Telecom, Mauritius) (Choopa LLC, Netherlands) (FPT Telecom Company, Vietnam) (Szkola Glowna Gospodarstwa Wiejskiego, Poland) (Memset Ltd, UK) (Etihad Atheeb Telecom Company, Saudi Arabia) (TE Data, Egypt) (Sibirskie Seti Novokuznetsk, Russia) (M2 Telecommunications Group Ltd, Australia) (Marosnet Telecommunication Company LLC, Russia) (NWT a.s., Czech Republic) (Wireless Business Solutions, South Africa) (Uzinfocom, Uzbekistan)


Recommended blocklist:

No comments: