From: customer.service@axminster.co.ukAttached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8] shows download locations at:
Date: 24 March 2016 at 10:11
Subject: Your order has been despatched
Dear Customer
The attached document* provides details of items that have been packed and are ready for despatch.
Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk
Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm
Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk
Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)
Kind regards
Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH
http://www.axminster.co.uk
* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
skandastech.com/76f45e5drfg7.exe
ekakkshar.com/76f45e5drfg7.exe
This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to:
71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)
It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.
UPDATE
Some additional download locations from another source (thank you!)
webvogel.com/76f45e5drfg7.exe
timelessmemoriespro.com/76f45e5drfg7.exe
thecommercialalliance.com/76f45e5drfg7.exe
littlewitnesses.com/language/76f45e5drfg7.exe
rayswanderlusttravel.com//76f45e5drfg7.exe
Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41
5 comments:
What does all that actually mean? I stupidly clicked the link as I'd literally just got off the phone to a company l've made an online purchase with as it had been 2 days since I placed and paid for the order and I hadn't received a confirmation email. The lady on the phone said they hadn't linked my email to my account so that's why I didn't receive confirmation but she said my order was already dispatched and she would resend the invoice for my record. I got the email detailed in this post as soon as I hung up the phone so I assumed it was from them, although I didn't recognise the company name the lady told my they use several different companies as distributors. Got the email I was expecting about 30 mins after but I'd already clicked on the link in the dodgy email. That's using an iPhone, is there any risk and how would I know if it's been affected...?
@Neil, this drops Windows malware so your iPhone will be OK. The scenario you describe is exactly the sort of confusion that the bad guys are trying to exploit..they are pretty good at manipulating people!
One more location for your list - fiddler showed it was trying to go here for my case - macxinterior.com/76f45e5drfg7.exe
Post a Comment