From: FeDex-service
Date: 8 March 2016 at 11:40
Subject: Samson Floyd agent Fedex
Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.
Label: US45928402845
Expected Delivery Date: March 07th, 2016
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you for choosing our service
Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js which is rather curious [pastebin]. This attempts to download an executable from:
www.fotoleonia.it/files/sample.exe
This has a VirusTotal detection rate of 4/54. The Malwr report shows a subsequent download from:
www.claudiocalaprice.com/modules/fedex/pad.exe
This has similar detections to the first binary. That Malwr report also indicates the binary POSTing data to:
pdf.repack.bike/new_and/state.php
This is hosted on:
151.80.76.200 (Kitdos, US / OVH, France)
I would suggest that the entire 151.80.76.200/29 range is questionable and should be blocked.
None of the automated tools I ran [1] [2] [3] [4] gave any insight as to what the malware does, but it is clearly something malicious.
No comments:
Post a Comment