From: Buckminster U. Petty
Date: 2 March 2016 at 07:55
Subject: Outstanding Invoice
Please check the receipt attached to this message. The Transaction will be posted on your account within 48 hours.
----------
From: Astra B. Fuller
Date: 2 March 2016 at 08:08
Subject: Fwd: ZYL Invoice
Please find the payment details attached to this message. The Transfer should appear on your account in 2 days.
----------
From: Audrey U. Oneil
Date: 2 March 2016 at 07:34
Subject: Re: Sales Invoice
Please review the invoice attached to this message. The Transfer should appear on your bank in 48 hours.
Attached is a randomly named file with an RTF extension which is actually a DOCX file in disguise. I have seen three different attachments with detection rates of 1/55 [1] [2] [3], and the Malwr reports for those [4] [5] [6] show the macro they contain downloading from the following locations:
thevillagelounge.nl/e.jpg?LnRiNLIoPC3=55
creeko.com/d.jpg?GIk1nRWM0r27m5Ss=50
creeko.com/d.jpg?GIk1nRWM0r27m5Ss=8
The VirusTotal results for the two unique binaries dropped are 3/55 [1] [2], but automated analysis [3] [4] is inconclusive. It looks rather like ransomware, but I cannot confirm this.
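The "RTF in disguise" trick above is easy to catch at the mail gateway because a real RTF file begins with the text `{\rtf` while a DOCX is an OOXML ZIP container beginning with `PK\x03\x04`, and an OOXML document that carries a VBA macro has a `word/vbaProject.bin` part. The following Python check is an added example, not code from this post; the sample attachment it builds is a constructed minimal OOXML container, not one of the real samples, and the filename is an assumed placeholder.

```python
import io
import zipfile

RTF_MAGIC = b"{\\rtf"       # genuine RTF files start with this text
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local-file header; DOCX/DOCM are ZIP containers

# Which sniffed container types are legitimate for a given claimed extension.
EXPECTED = {"rtf": {"rtf"}, "docx": {"docx"}, "docm": {"docm"}, "zip": {"zip"}}


def sniff_type(data: bytes) -> str:
    """Classify attachment content by its leading bytes, ignoring the filename."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            # OOXML Word document; a vbaProject.bin part means it carries a VBA project
            return "docm" if "word/vbaProject.bin" in names else "docx"
        return "zip"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose claimed extension disagrees with its real container,
    and flag any OOXML document that carries a macro project."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    mismatch = ext in EXPECTED and actual not in EXPECTED[ext]
    return {
        "filename": filename,
        "claimed": ext,
        "actual": actual,
        "extension_mismatch": mismatch,
        "has_macro": actual == "docm",
        "suspicious": mismatch or actual == "docm",
    }


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for the attachment: a minimal OOXML ZIP, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed placeholder filename standing in for the randomly named .rtf attachment
    print(assess_attachment("invoice_8372.rtf", build_sample_ooxml(with_macro=True)))
```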