Sponsored by..

Monday, 1 February 2016

Malware spam: Scanned image from copier@victimdomain.tld

This fake document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple forgery with a malicious attachment.

From:    copier@victimdomain.tld
Date:    1 February 2016 at 12:11
Subject:    Scanned image from copier@victimdomain.tld

Reply to: copier@victimdomain.tld [copier@victimdomain.tld]
Device Name: COPIER
Device Model: MX-2310U

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned document in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.

I have seen two different versions of the attached document, named in a format copier@victimdomain.tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report for one of them shows the macro downloading from:

dulichando.org/u56gf2d/k76j5hg.exe

This executable has a detection rate of 4/53 and the Hybrid Analysis reports that it phones home to:

185.24.92.236 (System Projects LLC, Russia)

I strongly recommend that you block traffic to that IP. The payload is Dridex, as seen here.

2 comments:

Mrbyte said...

http://mrbyte.blogspot.it/2016/02/scanned-image-from-copiervodafoneit.html

Italian version....

VM said...

Thank you, I humbly post link to Czech version.

malware-copier-scanned-image

Thank you.

Regards,
Vaclav Malek