Sponsored by..

Tuesday, 31 May 2016

Malware spam: "New Company Order" / "ABC Import & Export,LLC"

This fake financial spam leads to malware:

From:    accounting@abcimportexport.com
Reply-To:    userworldz@yahoo.com
To:    Recipients [accounting@abcimportexport.com]
Date:    31 May 2016 at 12:31
Subject:    New Company Order

Good Day,

Find the attached specifications in the purchase order for our company mid year order & projects before sending your Proforma Invoice and do get back to me with your quotations asap.
An Official order placement will follow as soon as possible.
CLICK HERE TO DOWNLOAD & VIEW PURCHASE ORDER IF DOESNT WORK THEN CLICK HERE TO DOWNLOAD SECURE PURCHASE ORDER 
https://gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip
Attention! This document was created with a newer version of Microsoft Word.. Please click Enable Content or Macro to view the content of our order
Best Regards,
Ameen La Binish
Purchasing Dept

ABC Import & Export,LLC 2534 Royal Lane
Suite # 205
Dallas,Texas 75229
USA
Toll Free : 1-800-666-5874
Office Main Line : 1-214-966-2627
Office Reception : 1-214-985-1696
Fax : 1-972-243-7275
Email: Sales@abcimportexports.co
Website: http://abcimportexport.com
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
The link in the email message goes to gallery.mailchimp.com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip . This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56. That VirusTotal report and these other analyses [1] [2] [3] shows network traffic to:

185.5.175.211 (Voxility SRL, Romania)

This executable drops another similar EXE [4] [5] [6] [7] which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little of anything of value in this /24, so I would recommend blocking 185.5.175.0/24

sdfsdaf
Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)