Sponsored by..

Monday, 14 December 2015

Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"

This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.
From:    Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date:    14 December 2015 at 10:43
Subject:    FW: Scan from a Samsung MFP

Regards

Gareth

-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.


This message has been scanned for malware by Websense. www.websense.com
I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which according to this Malwr report downloads a malicious binary from:

test1.darmo.biz/437g8/43s5d6f7g.exe

There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:

199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is likely to be the Dridex banking trojan.

MD5s:
dcb019624fb8e92eb26adf2bef77d46c
21781d7e2969bd9676492c407a3da1cc


Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169



1 comment:

ShreckAus said...

Just received this email. Clicked the accompanied attachment but cancelled download before it started.