Thursday, 11 February 2016

Malware spam: "Scan from KM1650" / "Please find attached your recent scan" / "scanner@victimdomain.tld"

This fake document scan leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.

From:    scanner@victimdomain.tld
Date:    11 February 2016 at 10:24
Subject:    Scan from KM1650

Please find attached your recent scan

Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1] [2] [3]). The Malwr reports [4] [5] [6] indicate that the macro in the document downloads a malicious executable from:

The dropped executable has a detection rate of 2/54. As with this earlier spam run it phones home to: (ZNET Telekom Zrt, Hungary)

Block traffic to that IP. The payload is the Dridex banking trojan.
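As an added example (not part of the original post), a small Python triage check for the forgery described above: it flags a message whose From: address claims the recipient's own domain while the first Received: hop is external, carries a "Scan from" subject, and has a Word attachment. The sample message, domain and host names are constructed.

```python
import email
import re
from email import policy

# Constructed sample modelled on the spam described above (not a real capture).
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.org with ESMTP; Thu, 11 Feb 2016 10:24:05 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example.org with SMTP; Thu, 11 Feb 2016 10:24:01 +0000
From: scanner@example.org
To: alice@example.org
Date: Thu, 11 Feb 2016 10:24:00 +0000
Subject: Scan from KM1650
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="SCAN7318_000.DOC"
Content-Disposition: attachment; filename="SCAN7318_000.DOC"

(binary omitted)
--b1--
"""

OFFICE_EXT = ('.doc', '.docm', '.xls', '.xlsm')

def domain_of(addr):
    """Return the lower-cased domain part of an address header, or ''."""
    m = re.search(r'@([\w.-]+)', addr or '')
    return m.group(1).lower() if m else ''

def triage(raw, internal_domain):
    """Flag the traits of this spam run in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender, recipient = domain_of(str(msg['From'])), domain_of(str(msg['To']))
    # Received headers are prepended per hop, so the last one is the first hop.
    received = [str(h) for h in msg.get_all('Received', [])]
    m = re.match(r'\s*from\s+(\S+)', received[-1]) if received else None
    first_hop = m.group(1).lower() if m else ''
    hop_internal = first_hop == internal_domain or first_hop.endswith('.' + internal_domain)
    claims_internal = sender == internal_domain and recipient == internal_domain
    attachments = [p.get_filename() or '' for p in msg.iter_attachments()]
    result = {
        'spoofed_internal_sender': claims_internal and not hop_internal,
        'scan_lure_subject': bool(re.match(r'scan from\b', str(msg['Subject'] or ''), re.I)),
        'office_attachment': [a for a in attachments if a.lower().endswith(OFFICE_EXT)],
    }
    result['suspicious'] = result['spoofed_internal_sender'] and bool(result['office_attachment'])
    return result
```

The check is a cheap first pass for a mail gateway or SIEM; a real deployment would also consult SPF/DKIM results and inspect the attachment for VBA macros.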


  1. I opened it with my mobile. It was a mistake, but apparently the file was sent from my husband. All false. And now? What do I have to do to protect my phone? I often use the phone to buy flights or train tickets. Is this virus dangerous for me (my phone)?
    How can I stop it?
    Thanks in advance dears.

  2. Thanks, Nice clear description and very timely.
