Wednesday 17 February 2016

Malware spam: Fwd:Accumsan Neque LLC Updated Invoice / Please turn on the Edit mode and Macroses!

This malware spam may come from several different companies, but I have only a single sample. It is notable for the mis-spelling of "Macros" as "Macroses" in the document.

From:    Fletcher Oliver [angel@jiahuan.com.tw]
Date:    17 February 2016 at 06:23
Subject:    Fwd:Accumsan Neque LLC Updated Invoice

Good morning

Please check the bill in attachment. In order to avoid fine you have to pay in 12 hours.

Best regards

Fletcher Oliver
Accumsan Neque LLC

Attached is a document Q7FX9ZH.doc with the distinctive text Attention! To view this document, please turn on the Edit mode and Macroses!

Needless to say, enabling Edit mode and Macroses is a Very Bad Idea. The VirusTotal detection rate for this file is just 2/54. Hybrid Analysis [1] [2] shows that the macro first downloads from:

www.design-i-do.com/mgs.jpg?OOUxs4smZLQtUBK=54

This looks to be an unremarkable JPEG file.

(Note that I have munged the JPEG slightly to stop virus scanners triggering). As far as I can tell, the JPEG actually contains data that is decrypted by the macro (a technique called steganography). A malicious VBS is created [pastebin] and a malicious EXE file is dropped with a VirusTotal result of 7/54.
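A JPEG that is really a carrier for macro-decrypted data is worth a quick structural check. The script below is an added example, not code from this post or from the sample's macro: it walks a JPEG's marker segments, locates the genuine end-of-image marker and reports how much data follows it and how random that data looks (near 8 bits per byte points at encrypted or compressed content). It only catches the common append-after-EOI stash, not data hidden inside the image's own pixels, and the two byte strings are constructed stand-ins rather than the real mgs.jpg.

```python
import math
from collections import Counter

SOS, EOI_MARKER = 0xDA, b"\xff\xd9"


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 suggests encrypted/compressed data, ~0 plain padding."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def analyze_jpeg(data: bytes) -> dict:
    """Walk the marker segments up to SOS, locate EOI, report anything after it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        segments.append((f"FF{marker:02X}", pos, length))
        pos += 2 + length
        if marker == SOS:
            break  # entropy-coded scan data follows; segment lengths no longer apply
    else:
        raise ValueError("no SOS segment: truncated or not a baseline JPEG")
    # Inside scan data every 0xFF is stuffed (FF00) or an RSTn marker, so the
    # first FFD9 after SOS is the real end-of-image marker.
    eoi = data.find(EOI_MARKER, pos)
    if eoi < 0:
        raise ValueError("no EOI marker: truncated file")
    trailing = data[eoi + 2:]
    return {"segments": segments, "eoi_offset": eoi,
            "trailing_bytes": len(trailing), "trailing_entropy": shannon_entropy(trailing)}


def has_appended_payload(data: bytes, min_bytes: int = 16) -> bool:
    # A few stray bytes after EOI are common; a sizeable blob is not.
    return analyze_jpeg(data)["trailing_bytes"] >= min_bytes


# Constructed minimal JPEG skeleton (not the campaign's file): SOI, APP0/JFIF, SOS, scan data, EOI
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
# Same skeleton with a constructed 256-byte blob appended, standing in for a hidden payload
STASHED_JPEG = CLEAN_JPEG + bytes(range(256))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stashed", STASHED_JPEG)):
        print(name, analyze_jpeg(blob), has_appended_payload(blob))
```

Run it against a downloaded image with `analyze_jpeg(open(path, "rb").read())`; a large, high-entropy tail after EOI is the signal worth escalating.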

Automated analysis of the dropped binary [1] [2] shows that it phones home to:

216.59.16.25 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)

I strongly recommend that you block traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan.