Monday 14 December 2015

Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"

This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.
From:    Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date:    14 December 2015 at 10:43
Subject:    FW: Scan from a Samsung MFP



-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.

This message has been scanned for malware by Websense. www.websense.com
I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which, according to this Malwr report, downloads a malicious binary from:


There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:

(Megawire, Canada)
(Ho Chi Minh City Post And Telecom Company, Vietnam)
(Gerrys Information Technology (PVT) Ltd, Pakistan)
(Hetzner, Germany)

The payload is likely to be the Dridex banking trojan.
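The lure described above is a common pattern: a "scanned document" notification with a forged sender and an Office attachment carrying a macro downloader. The following is an added triage example, not code from the original post or from any of the tools it mentions (VirusTotal, Malwr, Hybrid Analysis). It uses only the Python standard library to parse a message, hash each attachment, and flag the combination of a scanner-style lure with an OLE (.doc) attachment that contains VBA directory-entry names. The VBA check is a raw byte-search heuristic, not a full OLE parser, and the sample message is constructed inline (the attachment is a few bytes with an OLE header and a "Macros" entry name, not a real document); the sender, subject and filename are taken from the post.

```python
"""Triage heuristic for 'scanned document' lure e-mails (added example)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# OLE2 compound-file magic: macro-bearing .doc files are OLE containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names inside an OLE file are stored as UTF-16LE, so the raw
# byte search must encode them the same way. Heuristic only, not a parser.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "VBA", "_VBA_PROJECT")]
OFFICE_EXTS = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".rtf")
# Subject/body wording used by this family of lures (assumed pattern).
LURE_RE = re.compile(r"scan(ned)?\b.*\b(mfp|printer|copier)", re.I | re.S)


def looks_like_vba(blob):
    """True if blob is an OLE file whose bytes contain VBA storage names."""
    return blob.startswith(OLE_MAGIC) and any(m in blob for m in VBA_MARKERS)


def triage_message(raw):
    """Parse a raw RFC 5322 message and return a verdict plus indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        attachments.append({
            "name": name,
            "sha256": hashlib.sha256(blob).hexdigest(),  # for blocklist/IoC lookup
            "office_doc": name.lower().endswith(OFFICE_EXTS),
            "vba_indicator": looks_like_vba(blob),
        })
    lure = bool(LURE_RE.search(subject) or LURE_RE.search(body_text))
    office_doc = any(a["office_doc"] for a in attachments)
    macro_doc = any(a["office_doc"] and a["vba_indicator"] for a in attachments)
    # A real MFP emits PDF/TIFF/JPEG scans, never a Word document with macros.
    if lure and macro_doc:
        verdict = "quarantine"
    elif lure and office_doc:
        verdict = "suspicious"
    else:
        verdict = "pass"
    return {"from": msg.get("From", ""), "subject": subject, "lure": lure,
            "attachments": attachments, "verdict": verdict}


def build_sample(filename="Untitled_14102015_154510.doc", blob=None):
    """Constructed sample mimicking the lure; the attachment is not a real file."""
    if blob is None:
        blob = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 16
    msg = EmailMessage()
    msg["From"] = "Gareth Evans <gareth@cardiffgalvanizers.co.uk>"  # forged header
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "FW: Scan from a Samsung MFP"
    msg.set_content("Please open the attached document. It was scanned and sent "
                    "to you using a Samsung MFP.")
    msg.add_attachment(blob, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample())
    print(result["verdict"], result["attachments"][0]["sha256"])
```

Run on a mailbox, the SHA-256 of each flagged attachment can be compared against the hashes in the VirusTotal and Malwr reports, and the `quarantine` verdict is the hook for a mail-gateway action; a genuine scanner message with a PDF attachment passes because the Office-extension condition is never met.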


Recommended blocklist:

1 comment:

ShreckAus said...

Just received this email. Clicked the accompanying attachment but cancelled the download before it started.