From: Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date: 14 December 2015 at 10:43
Subject: FW: Scan from a Samsung MFP
Regards
Gareth
-----Original Message-----
Please open the attached document. It was scanned and sent to you using a Samsung MFP. For more information on Samsung products and solutions, please visit http://www.samsungprinter.com.
This message has been scanned for malware by Websense. www.websense.com

I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which, according to this Malwr report, downloads a malicious binary from:
test1.darmo.biz/437g8/43s5d6f7g.exe
There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:
199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)
The payload is likely to be the Dridex banking trojan.
MD5s:
dcb019624fb8e92eb26adf2bef77d46c
21781d7e2969bd9676492c407a3da1cc
Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
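The following script turns the indicators above (download URL, C2 IPs and MD5s) into a check you can run over web-proxy logs and a file-hash inventory. It is an added example, not code from the original post. The Squid-style access.log layout, the internal client addresses, the TEST-NET address 203.0.113.10 used as the download host (the post does not say which IP serves the payload), and the file paths in the inventory are all constructed for the example.

```python
"""Match proxy log lines and a file-hash inventory against the IOCs listed in
the post. Added example, not part of the original post; the log layout, client
addresses, download-host IP and file paths below are constructed."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# IOCs exactly as listed in the post
BLOCKLIST_IPS = {"199.7.136.84", "221.132.35.56", "202.69.40.173", "78.47.66.169"}
PAYLOAD_URL = "test1.darmo.biz/437g8/43s5d6f7g.exe"
MALICIOUS_MD5S = {"dcb019624fb8e92eb26adf2bef77d46c", "21781d7e2969bd9676492c407a3da1cc"}

# Assumed Squid native access.log layout:
# ts elapsed client code/status bytes method URL user peer/dst type
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<dst>\S+)\s+\S+$"
)

# Constructed sample log: one payload download, one POST to a listed IP,
# one CONNECT to a listed IP, one benign request.
SAMPLE_LOG = """\
1450089793.512   1203 10.1.2.34 TCP_MISS/200 184320 GET http://test1.darmo.biz/437g8/43s5d6f7g.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1450089801.007     95 10.1.2.34 TCP_MISS/200 512 POST http://199.7.136.84:8080/ - HIER_DIRECT/199.7.136.84 text/html
1450089815.100    310 10.1.2.36 TCP_TUNNEL/200 9281 CONNECT 221.132.35.56:443 - HIER_DIRECT/221.132.35.56 -
1450089810.221     40 10.1.2.35 TCP_HIT/200 7330 GET http://www.samsungprinter.com/ - HIER_NONE/- text/html
"""

# Constructed (path, md5) inventory as an EDR/AV export might provide it;
# the first hash is deliberately upper-case to exercise normalisation.
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\43s5d6f7g.exe", "DCB019624FB8E92EB26ADF2BEF77D46C"),
    ("C:\\Windows\\System32\\notepad.exe", "0123456789abcdef0123456789abcdef"),
]


def _host_and_path(url: str) -> Tuple[str, str]:
    """Return (host, host/path) with scheme and :port stripped.
    CONNECT lines carry only host:port, so the path may be empty. IPv4 only."""
    host_path = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    host, _, path = host_path.partition("/")
    host = host.rsplit(":", 1)[0].lower()
    return host, host + ("/" + path if path else "")


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record if the line touches any listed indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # not a parseable access.log line
    host, host_path = _host_and_path(m.group("url"))
    reasons: List[str] = []
    if host_path.startswith(PAYLOAD_URL):
        reasons.append("payload-url")  # the macro's download location
    if host in BLOCKLIST_IPS or m.group("dst") in BLOCKLIST_IPS:
        reasons.append("c2-ip")  # post-infection traffic to a listed IP
    if not reasons:
        return None
    return {"client": m.group("client"), "url": m.group("url"),
            "dst": m.group("dst"), "reasons": reasons}


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """All hits in the given log lines, in log order."""
    return [hit for hit in map(classify, lines) if hit]


def find_known_bad(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Paths whose MD5 (any case, surrounding whitespace ignored) is listed."""
    return [path for path, md5 in inventory if md5.strip().lower() in MALICIOUS_MD5S]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(find_known_bad(SAMPLE_INVENTORY))
```

The URL match is deliberately independent of the IP match: the download host is not one of the listed IPs, so a firewall rule built only from the blocklist above would not stop the initial fetch of 43s5d6f7g.exe. Block the download hostname (or the whole darmo.biz zone, if your policy allows) as well as the four IPs, and treat any internal client that appears in the hits as a candidate for isolation and a hash sweep.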
1 comment:
Just received this email. Clicked the accompanying attachment but cancelled the download before it started.