From: Laurena Washabaugh [washabaugh.1946@rambler.ru]
Date: 29 January 2016 at 10:10
Subject: Quick Question
Signed by: rambler.ru
What's going on?
I was visting your website on 1/29/2016 and I'm very interested.
I'm currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.
Best regards,
--
Laurena Washabaugh
The attachment is named Resume.rtf, but is it actually a DOCX file with a malicious macro [pastebin], the document has a VirusTotal detection rate of 9/54. I haven't had time to do a detailed analysis, but these automated analyses [1] [2] [3] show it phoning home to:
89.248.166.131 (Quasi Networks, Seychelles)
I recommend that you block traffic to that IP. I'm not sure about what this drops, possibly ransomware. No doubt someone reading this will :)
2 comments:
Analysis via a colleague
http://myonlinesecurity.co.uk/quick-question-resume-word-doc-or-excel-xls-spreadsheet-malware/
What can you do if you have opened the file...
Post a Comment