
Wednesday 24 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan carries a malicious attachment. It appears to come from within the victim's own domain, but the sender address is forged.
From:    admin [southlands71@victimdomain.tld]
Date:    24 February 2016 at 15:25
Subject:    Scanned image

Image data in PDF format has been attached to this email.
I have only seen a single sample with an attachment 24-02-2016-00190459.zip containing a malicious script [pastebin] which in this case downloads a binary from:


My sources say that other versions download from:


As this Hybrid Analysis shows, the payload is the Locky ransomware. The dropped binary has a detection rate of just 3/55.

Those reports show the malware phoning home to: (ITL, Ukraine)

I strongly recommend that you block traffic to that IP.


Anonymous said...

Me too.
Received at 0.11 GMT, location Denmark.
Sender: southlands471.@
Opened on a MAC.
Content: JavaScript + more?
Not executed - no harm found.

Unknown said...

VDS was disabled on 2016-02-25 by ITL's support.

Unknown said...

Just got this myself in Florida, from a lands60@earthlink.net. Opened on a PC. No damage apparent.