From: jpaoscanner@victimdomain.tld
Date: 14 January 2016 at 10:45
Subject: Message from local network scanner
There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.
Attached is a file Scann16011310150.docf which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The file is a Word document, despite the extension; I don't think anything opens DOCF files by default. This may be an error, some sort of social engineering, or simply a way to bypass security filters.
Analysis of these documents is pending (check back later), however this is likely to be the Dridex banking trojan.
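The two tells noted above, a From address inside the recipient's own domain and Word content hiding under a .docf extension, can both be caught at the mail gateway. The following is an added example, not code from the original post; the sample message is constructed from the headers quoted above, and its attachment is just an OLE2 header plus padding, not the real file.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Container signatures Word documents arrive in: legacy OLE2 (.doc) and OOXML zip (.docx).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Extensions under which Word content is expected; anything else (such as .docf) is a mismatch.
WORD_EXTENSIONS = {"doc", "docx", "docm", "dot", "dotm"}

def looks_like_word(payload: bytes) -> bool:
    """Identify Word content by its container signature, ignoring the filename entirely."""
    if payload.startswith(OLE2_MAGIC):
        return True
    return payload.startswith(ZIP_MAGIC) and b"word/document.xml" in payload

def inspect_message(raw: bytes, local_domain: str) -> list[str]:
    """Return the reasons an inbound message deserves quarantine (empty list means none found)."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    _, sender = parseaddr(str(msg.get("From", "")))
    # Inbound mail claiming a sender in our own domain is the forgery described in the post.
    if sender.rsplit("@", 1)[-1].lower() == local_domain.lower():
        flags.append("internal-sender-on-inbound-mail")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if looks_like_word(payload) and ext not in WORD_EXTENSIONS:
            flags.append(f"word-content-with-extension-{ext or 'none'}")
        # Lure naming seen in this campaign: "Scann" followed by digits, posing as scanner output.
        if re.match(r"scann\d+\.", name):
            flags.append("scanner-lure-filename")
    return flags

def build_sample(sender_domain: str) -> bytes:
    """Constructed sample modelled on the quoted headers; the payload is a bare OLE2 header, not malware."""
    msg = EmailMessage()
    msg["From"] = f"jpaoscanner@{sender_domain}"
    msg["To"] = "user@victimdomain.tld"
    msg["Subject"] = "Message from local network scanner"
    msg.set_content("")  # the real message had no body text
    fake_doc = OLE2_MAGIC + b"\x00" * 504  # one 512-byte OLE sector, constructed
    msg.add_attachment(fake_doc, maintype="application", subtype="octet-stream",
                       filename="Scann16011310150.docf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("victimdomain.tld"), "victimdomain.tld"))
```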
UPDATE 1
Analysis is running slowly this morning, however this Hybrid Analysis report shows one of the samples in action, downloading a binary from:
www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe
This has a detection rate of 3/55. That same analysis reports that it phones home to:
188.138.88.14 (PlusServer AG, France)
I strongly recommend that you block traffic to that IP.
UPDATE 2
These two Malwr reports [1] [2] reveal some additional download locations:
www.gooutsidethebox.net/786h5g4/9787g4fr4.exe
199.59.58.162/~admin1/786h5g4/9787g4fr4.exe
1 comment:
I have received this message, with a doc suffix without the f. I have tried and failed to delete it, or to move it to my deleted folder.