From: Vicki Harvey
Date: 27 January 2016 at 15:30
Subject: Enterprise Invoices No.91786
Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE
Vicki Harvey
Accountant
Tel: 0117 977 5373
The name of the sender and references will vary. There seem to be several different versions of the attachment named in a format Canon-mf30102A13A@altel.kz_2615524.xls, some example results at VirusTotal are here [1] [2] [3] [4].
The attachments are malformed. You may not be able to download them, or it may appear there are no attachments. It will vary from email client to email client.
Analysis of the attachments is pending, although these Malwr analyses [1] [2] [3] attempted downloads from:
109.234.35.37/californication/ninite.php
5.189.216.105/californication/ninite.php
This binary has a zero detection rate at VirusTotal. That VirusTotal report and this Malwr report indicate network traffic to:
8.254.218.46 (Level 3, US)
I strongly recommend that you block traffic to that IP. This will be some variant of the Dridex banking trojan.
[UPDATE]
This additional Malwr report shows another IP worth blocking:
103.224.83.130 (#2 of Group 1, Lingshan, China)
No comments:
Post a Comment