From: reservations@draytonmanorhotel.co.uk
Date: Fri, 15 Jan 2016 16:21:55 +0530
Subject: Reservation Confirmation Number79501

We are pleased to confirm the attached booking at Drayton Manor Hotel.
Should you have any queries, please do not hesitate to contact us. We look forward to welcoming you to Drayton Manor Hotel.

Kind Regards

Harry Ashbolt
Reservations

The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).
A source tells me that when repaired, the documents attempt to download a malicious binary from:
hotyo.1pworks.com/786585d/08g7g6r56r.exe
members.chello.nl/~h.pot2/786585d/08g7g6r56r.exe
w04z5e8ry.homepage.t-online.de/786585d/08g7g6r56r.exe
The payload is the same one as found here with a detection rate of 6/55. I would recommend blocking the IPs I mentioned in that post too.
3 comments:
How do I stop these spam emails?
If your email platform can filter on attachment content, try quarantining emails containing these words:
AutoOpen
autoopen
Auto_OpenV
Document_Open
Workbook_Open
PlayMacroFromFile
wininet.dll
InternetOpen
ShellExecute
URLDownloadToFileA
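As an added example (not code from the post or its commenters), a small Python triage script that pulls attachments out of a message, flags the zero-length or non-OLE attachments the post describes, and searches the raw bytes for the indicator strings listed in the comment above. It assumes Auto_Open as the standard VBA name behind "Auto_OpenV", and the sample message and its second attachment name are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator strings from the comment above (Auto_Open assumed for "Auto_OpenV").
MACRO_INDICATORS = [
    b"AutoOpen", b"autoopen", b"Auto_Open", b"Document_Open", b"Workbook_Open",
    b"PlayMacroFromFile", b"wininet.dll", b"InternetOpen", b"ShellExecute",
    b"URLDownloadToFileA",
]
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2/CFB header used by legacy .xls/.doc


def triage_attachment(filename, data):
    """Classify one attachment the way the post describes (zero length, garbage,
    or a real OLE2 container) and list any indicator strings in the raw bytes."""
    if not data:
        verdict = "zero-length (corrupt MIME part)"
    elif not data.startswith(OLE_MAGIC):
        verdict = "not an OLE2 file (garbage or non-xls content)"
    else:
        verdict = "OLE2 container"
    # Caveat: VBA source inside OLE2 files is stored MS-OVBA compressed, so a raw
    # byte search only catches strings that survive literally; a miss is not a pass.
    hits = [s.decode() for s in MACRO_INDICATORS if s in data]
    return {"filename": filename, "size": len(data), "verdict": verdict, "indicators": hits}


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [triage_attachment(p.get_filename(), p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]


def build_sample():
    """Constructed sample mimicking the reservation spam: one zero-length .xls and
    one OLE2-looking blob that carries two of the listed strings uncompressed."""
    msg = EmailMessage()
    msg["From"] = "reservations@draytonmanorhotel.co.uk"
    msg["Subject"] = "Reservation Confirmation Number79501"
    msg.set_content("We are pleased to confirm the attached booking.")
    msg.add_attachment(b"", maintype="application", subtype="vnd.ms-excel",
                       filename="uk_conf_email_2012_dmh562810.xls")
    blob = OLE_MAGIC + b"\x00" * 64 + b"Workbook_Open ... URLDownloadToFileA" + b"\x00" * 16
    msg.add_attachment(blob, maintype="application", subtype="vnd.ms-excel",
                       filename="constructed_sample_2.xls")  # constructed name
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage_message(build_sample()):
        print(result)
```

For real mail the byte search is a cheap first pass only; a proper check decompresses the VBA project (for example with an OLE/VBA parsing library) before matching.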