From: no-reply@victimdomain.tld
Date: 3 December 2015 at 08:12
Subject: Scanned image from MX-2600N
Reply to: no-reply@victimdomain.tld [no-reply@victimdomain.tld]

Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.

Attached is a file named no-reply@victimdomain.tld_20151203_3248.doc, of which I have seen just a single sample so far, with a VirusTotal detection rate of 2/55. It contains this malicious macro [pastebin]. Automated analysis tools [1] [2] show that the macro downloads a component from the following location:

vinsdelcomtat.com/u5y432/h54f3.exe
There will probably be other versions of the document downloading from other locations, but for the moment the binary will be the same. This has a detection rate of 3/55 and this Malwr report shows that it communicates with a known bad IP of:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you block traffic to that IP. The payload is most likely to be the Dridex banking trojan.
MD5s
23964bc22c2c81f9a41fb9f747a6c995
33a7583730e94d7877e1047272626455
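As an added example (not part of the original post), the following Python turns the indicators above into checks a defender can run: a heuristic for the fake-scanner lure (a "Scanned image from ..." subject plus a Word document named after the spoofed sender) and a sweep of proxy log lines for the download URL and the C2 address. The proxy log format and the sample log lines are constructed assumptions.

```python
import re
# Indicators quoted in the post above (3 December 2015 campaign).
DOWNLOAD_HOST = "vinsdelcomtat.com"
DOWNLOAD_PATH = "/u5y432/h54f3.exe"
C2_IP = "193.238.97.98"

# Lure heuristic: a "Scanned image from ..." mail carrying a Word document
# named <sender address>_<YYYYMMDD>_<n>.doc. Real MFPs send PDF/TIFF/JPEG
# scans, never a .doc that needs macros enabled to "view" it.
SUBJECT_RE = re.compile(r"^Scanned image from ", re.I)
ATTACH_RE = re.compile(r"^(?P<sender>[^\s/\\]+@[^\s/\\]+)_\d{8}_\d+\.docm?$", re.I)

def classify_mail(sender, subject, attachment):
    """Return the reasons a message matches the fake-scanner lure ([] if none)."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("scanner-style subject")
    m = ATTACH_RE.match(attachment)
    if m:
        reasons.append("word document posing as a scan")
        if m.group("sender").lower() == sender.lower():
            reasons.append("attachment named after the (spoofed) sender")
    return reasons

def scan_proxy_log(lines):
    """Flag clients that fetched the dropper URL or contacted the C2 address.
    Log format 'timestamp client host path' is an assumption for this example."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, host, path = fields[:4]
        if host == DOWNLOAD_HOST and path == DOWNLOAD_PATH:
            hits.append((client, "payload download"))
        elif host == C2_IP:
            hits.append((client, "C2 contact"))
    return hits
# Constructed sample proxy lines (not from the post); run this file to see the hits.
SAMPLE_PROXY_LOG = [
    "2015-12-03T08:15:02 10.0.0.21 vinsdelcomtat.com /u5y432/h54f3.exe",
    "2015-12-03T08:15:09 10.0.0.21 193.238.97.98 /",
    "2015-12-03T08:16:00 10.0.0.22 example.com /index.html",
]

if __name__ == "__main__":
    print(classify_mail("no-reply@victimdomain.tld", "Scanned image from MX-2600N",
                        "no-reply@victimdomain.tld_20151203_3248.doc"))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
```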