Wednesday 27 January 2016

Malware spam: "Enterprise Invoices No.91786" / Enterprise Security Distribution (South West) Limited

This fake financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple forgery with a malicious attachment.

From:    Vicki Harvey
Date:    27 January 2016 at 15:30
Subject:    Enterprise Invoices No.91786

Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE


Vicki Harvey
Accountant
Tel: 0117 977 5373

The name of the sender and references will vary. There seem to be several different versions of the attachment, named in a format like Canon-mf30102A13A@altel.kz_2615524.xls; some example results at VirusTotal are here [1] [2] [3] [4].

The attachments are malformed. You may not be able to download them, or it may appear there are no attachments. It will vary from email client to email client.

Analysis of the attachments is pending, although these Malwr analyses [1] [2] [3] attempted downloads from:

109.234.35.37/californication/ninite.php
5.189.216.105/californication/ninite.php

The downloaded binary has a zero detection rate at VirusTotal. That VirusTotal report and this Malwr report indicate network traffic to:

8.254.218.46 (Level 3, US)

I strongly recommend that you block traffic to that IP. This will be some variant of the Dridex banking trojan.

[UPDATE]

This additional Malwr report shows another IP worth blocking:

103.224.83.130 (#2 of Group 1, Lingshan, China)
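A small log sweep for the indicators listed in this post, as an added example that is not part of the original post: it checks constructed squid-style proxy log lines for the two payload download URLs and the two IPs recommended for blocking, and flags attachment names matching the pattern of the sample filename above. The log format, the sample lines and the generalisation of the filename pattern to a regex are assumptions.

```python
import re

# Indicators taken from the post: payload download locations and post-infection traffic.
DOWNLOAD_URLS = {
    "109.234.35.37/californication/ninite.php",
    "5.189.216.105/californication/ninite.php",
}
C2_IPS = {"8.254.218.46", "103.224.83.130"}

# Assumed generalisation of the one sample name Canon-mf30102A13A@altel.kz_2615524.xls:
# <word>-<alnum>@<domain>_<digits>.xls
ATTACHMENT_RE = re.compile(r"^[A-Za-z]+-[A-Za-z0-9]+@[A-Za-z0-9.-]+_\d+\.xls$")

# Constructed sample lines in squid access.log layout:
# timestamp elapsed client code/status bytes method url user hierarchy/peer mime
SAMPLE_PROXY_LOG = """\
1453900000.123    45 10.0.0.15 TCP_MISS/200 2048 GET http://109.234.35.37/californication/ninite.php - HIER_DIRECT/109.234.35.37 application/octet-stream
1453900010.456    12 10.0.0.15 TCP_MISS/200 512 POST http://8.254.218.46/ - HIER_DIRECT/8.254.218.46 text/html
1453900020.789     9 10.0.0.22 TCP_HIT/200 8192 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
"""


def is_suspicious_attachment(filename):
    """True when an attachment name matches the campaign's naming pattern."""
    return ATTACHMENT_RE.match(filename) is not None


def find_ioc_hits(log_text):
    """Return (client_ip, indicator, reason) for each proxy log line touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line; nothing to inspect
        client, url = fields[2], fields[6]
        # Normalise to host/path: drop scheme, query string and any explicit port.
        host_and_path = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("?", 1)[0]
        host = host_and_path.split("/", 1)[0].split(":", 1)[0]
        if host_and_path in DOWNLOAD_URLS:
            hits.append((client, host_and_path, "payload download"))
        elif host in C2_IPS:
            hits.append((client, host, "C2 traffic"))
    return hits


if __name__ == "__main__":
    for client, indicator, reason in find_ioc_hits(SAMPLE_PROXY_LOG):
        print(f"{client} -> {indicator}: {reason}")
```

A hit on a download URL identifies a host that fetched the payload and should be isolated; a hit on a C2 IP identifies a host that is probably already infected.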
