Thursday, 3 December 2015

Malware spam: "Scanned image from MX-2600N"

This fake scanned image document appears to come from within the victim's own domain, but it is in fact just a simple forgery with a malicious attachment.

From:    no-reply@victimdomain.tld
Date:    3 December 2015 at 08:12
Subject:    Scanned image from MX-2600N

Reply to: no-reply@victimdomain.tld [no-reply@victimdomain.tld]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.
Attached is a file named no-reply@victimdomain.tld_20151203_3248.doc. So far I have seen just a single sample, with a VirusTotal detection rate of 2/55, and it contains this malicious macro [pastebin]. Automated analysis tools [1] [2] show that the macro downloads a component from the following location:

vinsdelcomtat.com/u5y432/h54f3.exe

There will probably be other versions of the document downloading from other locations, but for the moment the binary will be the same. This has a detection rate of 3/55, and this Malwr report shows that it communicates with a known bad IP:

193.238.97.98 (PJSC DATAGROUP, Ukraine)

I strongly recommend that you block traffic to that IP. The payload is most likely to be the Dridex banking trojan.

MD5s
23964bc22c2c81f9a41fb9f747a6c995
33a7583730e94d7877e1047272626455
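As an added defender-side example (not code from the original post), here is a Python triage check for the forgery pattern described above: a From address in the recipient's own domain that entered from an outside relay, the campaign subject line and the attachment naming pattern, plus a lookup of observed hosts, IPs and MD5s against the indicators listed in this post. The sample message, the allowed-relay set `our_relays` and the `triage` / `hits_indicators` names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the post above.
BAD_HOSTS = {"vinsdelcomtat.com"}
BAD_IPS = {"193.238.97.98"}
BAD_MD5S = {"23964bc22c2c81f9a41fb9f747a6c995", "33a7583730e94d7877e1047272626455"}
# Attachment naming seen in this run: <address>_YYYYMMDD_<digits>.doc
ATTACH_RE = re.compile(r"^[^\s@]+@[^\s@]+_\d{8}_\d+\.doc$", re.IGNORECASE)

# Constructed sample mirroring the post's forgery (not a real capture).
SAMPLE = """Received: from relay.example.net ([203.0.113.7]) by mx.victimdomain.tld
From: no-reply@victimdomain.tld
To: user@victimdomain.tld
Subject: Scanned image from MX-2600N
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="no-reply@victimdomain.tld_20151203_3248.doc"

--b1--
"""

def triage(raw_msg, our_domain, our_relays):
    """Return the reasons a message matches the forgery; our_relays is the
    (assumed) set of IPs allowed to originate mail for our_domain."""
    msg = message_from_string(raw_msg)
    reasons = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain == our_domain.lower():
        # The last Received header is the earliest hop, i.e. where the mail entered.
        hops = msg.get_all("Received", [])
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
        origin = m.group(1) if m else None
        if origin not in our_relays:
            reasons.append(f"From claims {our_domain} but entered from {origin}")
    if msg.get("Subject", "").strip() == "Scanned image from MX-2600N":
        reasons.append("subject matches the campaign")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            reasons.append(f"attachment name matches the pattern: {name}")
    return reasons

def hits_indicators(hosts=(), ips=(), md5s=()):
    """Intersect observed artefacts (case-insensitive) with the post's indicators."""
    seen = {s.lower() for s in (*hosts, *ips, *md5s)}
    return sorted(seen & (BAD_HOSTS | BAD_IPS | BAD_MD5S))
```

Run `triage(SAMPLE, "victimdomain.tld", {"192.0.2.10"})` to see all three reasons fire; with the relay listed as allowed, only the subject and attachment reasons remain.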
