From no-reply@123-reg.co.ukThe invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf).
Date Wed, 19 Apr 2017 17:19:51 +0500
Subject Copy of your 123-reg invoice ( 123-093702027 )
Hi [redacted],
Thank you for your order.
Please find attached to this email a receipt for this payment.
Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team.
https://www.123-reg.co.uk
This PDF file appears to drop an Office document according to VirusTotal results.
Hybrid Analysis shows the document dropping a malicious executable with a detection rate of 15/61. It appears to contact the following IPs (some of which contain legitimate sites):
216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)
The general prognosis seems to be that this is dropping the Dridex banking trojan.
Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119
No comments:
Post a Comment