Sponsored by..

Friday, 15 January 2016

Malware spam FAIL: "Reservation Confirmation Number79501" / reservations@draytonmanorhotel.co.uk

This fake hotel reservation is meant to have a malicious attachment, but it is corrupt and you cannot download it.

From     [reservations@draytonmanorhotel.co.uk]
Date     Fri, 15 Jan 2016 16:21:55 +0530
Subject     Reservation Confirmation Number79501

We are pleased to confirm the attached booking at Drayton Manor Hotel.

Should you have any queries, please do not hesitate to contact us. We look
forward to welcoming you to Drayton Manor Hotel.

Kind Regards

Harry Ashbolt
Reservations
The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).

A source tells me that when repaired, the documents attempt to download a malicious binary from:

hotyo.1pworks.com/786585d/08g7g6r56r.exe
members.chello.nl/~h.pot2/786585d/08g7g6r56r.exe
w04z5e8ry.homepage.t-online.de/786585d/08g7g6r56r.exe


The payload is the same one as found here with a detection rate of 6/55. I would recommend blocking the IPs I mentioned in that post too.

3 comments:

Unknown said...

How do I stop these spam emails?

Nyebodnye said...
This comment has been removed by the author.
Nyebodnye said...

If your email platform can filter on attachment content, try quarantining emails containing these words:
AutoOpen
autoopen
Auto_OpenV
Document_Open
Workbook_Open
PlayMacroFromFile
wininet.dll
InternetOpen
ShellExecute
URLDownloadToFileA