
Wednesday, 13 January 2016

Malware spam: "Scanned Document" / "Color @ MRH Solicitors [color58@yahoo.co.uk]"

This fake scanned document has a malicious attachment:
From:    Color @ MRH Solicitors [color58@yahoo.co.uk]
Date:    13 January 2016 at 07:53
Subject:    Scanned Document

Find the attachment for the scanned Document

The attached file is named ScannedDocs122151.xls and comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The Malwr reports for these documents [6] [7] [8] [9] [10] show that the macro inside each one downloads a malware executable from:

armandosofsalem.com/l9k7hg4/b4387kfd.exe
trinity.ad-ventures.es/l9k7hg4/b4387kfd.exe
188.226.152.172/l9k7hg4/b4387kfd.exe


This dropped binary has a detection rate of 4/55. What it does is unclear, because it throws an error in the Malwr report. The payload is almost definitely the Dridex banking trojan, and even if this version is faulty it is likely that the malware will be fixed shortly.

Dropped file MD5:
a8a42968a9bb21bd030416c32cd34635

Attachment MD5s:
bc207bf8ad4c2dae92af9d333ca21346
829036f46897feed35381741d5b3872e
0fcc9eb9af29b5525b30d53755a413d9
e61abe8ad3d7f8b6bcf010ea6b51c0e3
29fe81a081127fa55fbab0ae1accaf05


UPDATE

The Hybrid Analysis of the dropped binary shows attempted network traffic to the following domains:

exotelyxal.com
akexadyzyt.com
ekozylazal.com


These are hosted on an IP worth blocking:

158.255.6.128 (Mir Telematiki Ltd, Russia)
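The download URLs, the post-infection domains and the IP above are the indicators a defender would feed into proxy-log searches and hash blocklists. The following script is an added example and not part of the original post: it loads the indicators listed above, scans a handful of constructed proxy-log lines (the log format, timestamps and internal source addresses are made up for the demo), and separates payload downloads from later callbacks to the Dridex domains. It also flags any request for the same `/l9k7hg4/b4387kfd.exe` path on a host not in the list, since the post shows the same path being served from three different hosts.

```python
"""Match the indicators from this post against constructed proxy-log lines."""
import hashlib
import re
from urllib.parse import urlsplit

# Download locations for the dropped binary (from the post; no scheme was given).
DOWNLOAD_URLS = [
    "armandosofsalem.com/l9k7hg4/b4387kfd.exe",
    "trinity.ad-ventures.es/l9k7hg4/b4387kfd.exe",
    "188.226.152.172/l9k7hg4/b4387kfd.exe",
]
# Callback domains and the IP they resolve to (from the UPDATE section).
C2_DOMAINS = {"exotelyxal.com", "akexadyzyt.com", "ekozylazal.com"}
C2_IPS = {"158.255.6.128"}
# Dropped-binary and attachment MD5s (from the post).
KNOWN_MD5S = {
    "a8a42968a9bb21bd030416c32cd34635",
    "bc207bf8ad4c2dae92af9d333ca21346",
    "829036f46897feed35381741d5b3872e",
    "0fcc9eb9af29b5525b30d53755a413d9",
    "e61abe8ad3d7f8b6bcf010ea6b51c0e3",
    "29fe81a081127fa55fbab0ae1accaf05",
}


def split_host_path(url):
    """Return (hostname, path); urlsplit needs a scheme to find the host."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # strips any :port and lowercases
    return host, parts.path


DOWNLOAD_HOSTS = {split_host_path(u)[0] for u in DOWNLOAD_URLS}
DOWNLOAD_PATH = "/l9k7hg4/b4387kfd.exe"

# Constructed log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(line):
    """Return (client-ip, category, host) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = split_host_path(m.group("url"))
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        return (m.group("src"), "payload_download", host)
    if path == DOWNLOAD_PATH:
        # Same dropper path on a host not yet on the list: worth a look.
        return (m.group("src"), "payload_path", host)
    if host in C2_DOMAINS or host in C2_IPS:
        return (m.group("src"), "c2_contact", host)
    return None


def scan(lines):
    """Run classify() over every line and keep the hits in order."""
    return [hit for hit in map(classify, lines) if hit is not None]


def infected_hosts(lines):
    """Client addresses that touched any indicator."""
    return {src for src, _, _ in scan(lines)}


def is_known_md5(data):
    """True if the MD5 of the given bytes is one of the hashes in the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


# Constructed sample log; the internal addresses and timestamps are invented.
SAMPLE_LOG = [
    "2016-01-13T08:02:11Z 10.1.2.34 GET http://trinity.ad-ventures.es/l9k7hg4/b4387kfd.exe 200",
    "2016-01-13T08:02:14Z 10.1.2.34 GET http://www.example.com/index.html 200",
    "2016-01-13T08:03:40Z 10.1.2.34 POST http://exotelyxal.com/ 404",
    "2016-01-13T08:05:02Z 10.1.2.99 GET http://188.226.152.172/l9k7hg4/b4387kfd.exe 200",
    "2016-01-13T08:06:30Z 10.1.2.50 GET http://203.0.113.7/l9k7hg4/b4387kfd.exe 200",
    "2016-01-13T08:07:00Z 10.1.2.77 GET http://158.255.6.128:8080/ 200",
]

if __name__ == "__main__":
    for src, category, host in scan(SAMPLE_LOG):
        print(f"{src}\t{category}\t{host}")
    print("hosts to triage:", sorted(infected_hosts(SAMPLE_LOG)))
```

The `payload_path` category is deliberately looser than an exact URL match: the post records the same path under three hosts, so a new host serving that path is a better lead than a miss. Hash lookups (`is_known_md5`) only catch the exact samples listed; they are useful for scanning mail stores and quarantine folders but will not catch the next rebuild of the document.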
