Thursday 4 August 2016

Malware spam: "Emailing: Sheet / Document / Invoice" with a .docm leads to Locky

This malware-laden spam comes with a variety of subjects, for example:

Emailing: Invoice (79).xls
Emailing: Sheet (189).doc
Emailing: Sheet (3352).tiff
Emailing: Document (79).doc
Emailing: Invoice (443).doc
Emailing: Sheet (679).xls
Emailing: Document (291).pdf

There is no body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component from one of the following locations:

abi64.com/h78r3gfe
bikepaintpureworks.web.fc2.com/h78r3gfe
brupuoli.tempsite.ws/h78r3gfe
composit.vtrbandaancha.net/h78r3gfe
film-online.bejbiblues.cba.pl/h78r3gfe
ftp.bergamo.chiesacattolica.it/h78r3gfe
innal.com.mx/h78r3gfe
karnat.cba.pl/h78r3gfe
mbc.nekonikoban.org/h78r3gfe
potato.chottu.net/h78r3gfe
schello4u.de/h78r3gfe
tyouseikan.web.fc2.com/h78r3gfe
www.agriturismolapiana.net/h78r3gfe
www.artistsagainstwar.it/h78r3gfe
www.bwmodels.com/h78r3gfe
www.comunedicanischio.it/h78r3gfe
www.ekstraciuchy.pl/h78r3gfe
www.kishazy.hu/h78r3gfe

(Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here.
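As an added example (not code from the original post), the following Python script turns the traits described above into a small triage check: the "Emailing: &lt;Prefix&gt; (&lt;n&gt;).&lt;ext&gt;" subject pattern, an attachment that is the subject's file name with .docm appended, an empty body, and the download locations listed in the post. The message records, the proxy log format and the client IPs are constructed for the example; the hostnames and the /h78r3gfe path are the indicators given above.

```python
"""Triage helper for the "Emailing: Sheet / Document / Invoice" .docm wave.

Added example, not code from the original post.  The e-mail records and
proxy log lines below are constructed samples; the hostnames and the
/h78r3gfe path are the indicators listed in the post.
"""
import re
from urllib.parse import urlsplit

# Subject pattern seen in the campaign: "Emailing: <Prefix> (<n>).<ext>"
SUBJECT_RE = re.compile(
    r"^Emailing: (?P<name>(Invoice|Sheet|Document) \(\d+\)\.(xls|doc|tiff|pdf))$",
    re.IGNORECASE,
)

# Download locations from the post (host part); no scheme was given.
IOC_HOSTS = {
    "abi64.com", "bikepaintpureworks.web.fc2.com", "brupuoli.tempsite.ws",
    "composit.vtrbandaancha.net", "film-online.bejbiblues.cba.pl",
    "ftp.bergamo.chiesacattolica.it", "innal.com.mx", "karnat.cba.pl",
    "mbc.nekonikoban.org", "potato.chottu.net", "schello4u.de",
    "tyouseikan.web.fc2.com", "www.agriturismolapiana.net",
    "www.artistsagainstwar.it", "www.bwmodels.com", "www.comunedicanischio.it",
    "www.ekstraciuchy.pl", "www.kishazy.hu",
}
IOC_PATH = "/h78r3gfe"


def classify_message(msg):
    """Return the campaign traits a parsed message exhibits.

    `msg` is a dict with 'subject', 'body' and 'attachments' (a list of
    file names); this shape is assumed for the example.
    """
    traits = []
    m = SUBJECT_RE.match(msg.get("subject", ""))
    if m:
        traits.append("campaign-subject")
        # The attachment reuses the subject's file name with .docm appended.
        if m.group("name") + ".docm" in msg.get("attachments", []):
            traits.append("matching-docm-attachment")
    # Any .docm whose base name still carries an office/image extension.
    for name in msg.get("attachments", []):
        if re.search(r"\.(xls|doc|tiff|pdf)\.docm$", name, re.IGNORECASE):
            traits.append("double-extension-docm")
            break
    if m and not msg.get("body", "").strip():
        traits.append("empty-body")
    return traits


def is_campaign_download(url):
    """True when a URL points at one of the listed payload locations."""
    if "://" not in url:
        url = "http://" + url  # the post lists bare host/path pairs
    parts = urlsplit(url)
    return parts.hostname in IOC_HOSTS and parts.path == IOC_PATH


def scan_proxy_log(lines):
    """Return (client, url) pairs for log lines that hit a listed location.

    Assumed log shape (constructed): "<timestamp> <client-ip> <url> <status>".
    Adapt the field positions to your proxy's own format.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        if is_campaign_download(url):
            hits.append((client, url))
    return hits


# Constructed sample input for the example.
SAMPLE_MESSAGES = [
    {"subject": "Emailing: Document (291).pdf", "body": "",
     "attachments": ["Document (291).pdf.docm"]},
    {"subject": "Emailing: Invoice (443).doc", "body": "",
     "attachments": ["Invoice (443).doc.docm"]},
    {"subject": "Re: invoice for July", "body": "Hi, attached as promised.",
     "attachments": ["july.pdf"]},
]

SAMPLE_PROXY_LOG = [
    "2016-08-04T09:12:01Z 10.0.0.15 http://www.kishazy.hu/h78r3gfe 200",
    "2016-08-04T09:12:05Z 10.0.0.15 http://example.org/index.html 200",
    "2016-08-04T09:13:44Z 10.0.0.22 potato.chottu.net/h78r3gfe 200",
    "2016-08-04T09:14:10Z 10.0.0.23 http://abi64.com/other 404",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", classify_message(msg) or "no match")
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("payload fetch from", client, "to", url)
```

The subject check alone is a weak signal (legitimate mail clients produce "Emailing:" subjects when a file is sent from Explorer), so the script reports traits rather than a verdict; a message carrying the matching .docm attachment with an empty body is the combination worth quarantining, and a proxy hit on the listed locations identifies hosts that may already have run the macro.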

5 comments:

Jay said...

Thanks, we've been getting this for a few days already.
Is there a list of IPs available of where the emails are originating from?
So far Barracuda RBL has been doing a decent job blocking it.

roly-poly said...

I got this as invoice(29).docm in my junk mail folder but it was smart enough (or being watched enough by an individual) to then send an allow sender request to my regular email.
Where do you think they picked up my address?

Unknown said...

Just received an email with the sender my own email address. Subject line--Emailing: Sheet (7019).doc. No body content and just an attachment. The IP address for the source is 85.105.148.241, which Google tells me is Istanbul, Turkey.

Unknown said...

I inadvertently opened this file on my droid phone..
What concerns should I have?

Unknown said...

Thank you for this information. I never trust these kinds of emails, and a confirmation on websites like yours is a great reassurance that I chose right ;-)