From: Frank.ClaraZO@pr-real.com
Date: 25 May 2016 at 11:34
Subject: The invoices from INCHCAPE PLC

Hello,

Following the phone conversation with the accounting department represantatives I'm sending you the invoices.

Thank you for attention,
Kind regards

Clara Frank
INCHCAPE PLC
tel. (2045)/641493 54

> Sent from Iphone

Attached is a ZIP file with a name similar to Invoice 5044-032841.zip, which in turn contains a malicious script named in a similar manner to invoice(677454).js, which typically has a detection rate of 3/56. Hybrid Analysis of that sample shows the script creating a PFX (personal certificate) file, which is then transformed into a PIF (executable) file using the certutil.exe application.

This PIF file itself has a detection rate of 6/56 but automated analysis [1] [2] [3] is inconclusive. The behaviour is somewhat consistent with the Dridex banking trojan but may possibly be Locky ransomware.