From: Israel Burke [BurkeIsrael850@business.telecomitalia.it]
Date: 14 December 2015 at 15:00
Subject: Israel Burke
Dear Customer:
Attached please find an invoice(s) for payment. Please let us know if you have any questions.
We greatly appreciate your business!
Israel Burke
BCP Transportation, Inc.
I have only seen one sample of this; it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55.
Despite the name, this is not a Word document but is an XML document [pastebin] containing ActiveMIME data. The Malwr report for this indicates network traffic to:
109.234.34.224 (McHost.Ru, Russia)
80.96.150.201 (SC-Nextra Telecom SRL, Romania)
That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55.
I am not certain of the payload, but I suspect that this Word document is dropping Upatre leading to the Dyre banking trojan.
MD5s:
a81a19478dbe13778f06191cf39c8143
5b1db9050cc44db3a99b50a5ba9d902a
Recommended blocklist:
109.234.34.224
80.96.150.201
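As an added example (not code from the original post), here is a small defender-side triage script covering the two points above: a file delivered with a .doc extension that is really a Word XML document carrying an ActiveMime part, and a proxy log checked against the recommended blocklist. The OLE2 magic bytes and the "ActiveMime" marker at the start of MSO-wrapped macro containers are well-known file-format facts; the XML sample and the proxy log lines are constructed inline for the demonstration, and the log format is an assumption.

```python
import base64
import re

# Well-known format markers: OLE2 compound-file header (a genuine legacy .doc)
# and the "ActiveMime" marker that opens MSO-wrapped macro containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ACTIVEMIME_MAGIC = b"ActiveMime"

# Word 2003 XML embeds binary parts as base64 inside <w:binData ...>...</w:binData>.
BINDATA_RE = re.compile(rb"<w:binData[^>]*>(.*?)</w:binData>", re.DOTALL)

# Recommended blocklist from the post above.
BLOCKLIST = {"109.234.34.224", "80.96.150.201"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_doc_attachment(data: bytes) -> dict:
    """Triage a file that arrived with a .doc extension.

    Returns the container type actually observed and whether any embedded
    binData part decodes to an ActiveMime blob (the pattern in this post).
    """
    verdict = {"container": "unknown", "activemime": False, "suspicious": False}
    head = data.lstrip()[:64]
    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole2"
        return verdict
    if head.startswith(b"<?xml") or head.startswith(b"<w:wordDocument"):
        verdict["container"] = "word-xml"
        for m in BINDATA_RE.finditer(data):
            try:
                blob = base64.b64decode(m.group(1))  # non-alphabet bytes are skipped
            except ValueError:
                continue
            if blob.startswith(ACTIVEMIME_MAGIC):
                verdict["activemime"] = True
        # An XML file named .doc that carries an ActiveMime part is worth quarantining.
        verdict["suspicious"] = verdict["activemime"]
    return verdict


def build_sample_xml_doc() -> bytes:
    """Constructed test input: a minimal Word-2003-style XML file whose binData
    part begins with the ActiveMime marker. Not a real malware sample."""
    payload = base64.b64encode(ACTIVEMIME_MAGIC + b"\x00" * 16)
    return (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
        b'<w:binData w:name="editdata.mso">' + payload + b"</w:binData>\n"
        b"<w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body>\n"
        b"</w:wordDocument>\n"
    )


# Constructed proxy log lines (assumed format: date time client method url status).
PROXY_LOG = """\
2015-12-14 15:07:12 10.0.0.21 GET http://109.234.34.224/path/ 200
2015-12-14 15:07:15 10.0.0.21 GET http://www.example.org/ 200
2015-12-14 15:08:01 10.0.0.33 POST http://80.96.150.201/ 200
"""


def match_blocklist(log_text: str, blocklist=BLOCKLIST) -> list:
    """Return (internal client, blocklisted IP) pairs for every log line that
    contacted one of the blocklisted addresses."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        for ip in IP_RE.findall(line):
            if ip in blocklist:
                hits.append((fields[2], ip))
    return hits


if __name__ == "__main__":
    print(classify_doc_attachment(build_sample_xml_doc()))
    print(classify_doc_attachment(OLE_MAGIC + b"\x00" * 8))
    for client, ip in match_blocklist(PROXY_LOG):
        print(f"{client} contacted blocklisted host {ip}")
```

The file check only looks at what the bytes actually are, not at the extension, which is the whole point here: a mail gateway or sandbox rule that keys on ".doc" would still pass this through. The blocklist match is deliberately dumb (exact IP match over any text field) so it can be pointed at whatever proxy or firewall export is available.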
5 comments:
JUST RECEIVED ONE HERE TOO - FROM SOMEONE NAMED LINDSAY
Received 2 here: Corrine Fowler & Marci Kemp.
Deleted!
Got one here also with a different address. They are randomly assigning different email addresses. The address I got it from did not match the company of the invoice, so that is a giveaway.
Got one also, from Sophia Chambers, invoice_scan_26475772.doc
Well... I checked this out too late... what happens if I DID open the file? I am currently running a scan using AVG... I'm sure I opened it on my iPhone as well... Am I in deep trouble??? Please help!