Sponsored by..

Tuesday 8 March 2016

Malware spam: "Samson Floyd agent Fedex" / "FeDex-service"

This fake FedEx spam has a malicious attachment:

From:    FeDex-service
Date:    8 March 2016 at 11:40
Subject:    Samson Floyd agent Fedex

Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.

Label: US45928402845
Expected Delivery Date: March 07th, 2016
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent

Thank you for choosing our service

Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js which is rather curious [pastebin]. This attempts to download an executable from:

www.fotoleonia.it/files/sample.exe

This has a VirusTotal detection rate of 4/54. The Malwr report shows a subsequent download from:

www.claudiocalaprice.com/modules/fedex/pad.exe

This has similar detections to the first binary.  That Malwr report also indicates the binary POSTing data to:

pdf.repack.bike/new_and/state.php

This is hosted on:

151.80.76.200 (Kitdos, US / OVH, France)

I would suggest that the entire 151.80.76.200/29 range is questionable and should be blocked.

None of the automated tools I ran [1] [2] [3] [4] gave any insight as to what the malware does, but it is clearly something malicious.


No comments: