Showing posts with label Indonesia. Show all posts

Monday 15 February 2016

Malware spam: Overdue Invoice 012345 - COMPANY NAME

This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
From:    Brandi Riley [BrandiRiley21849@horrod.com]
Date:    15 February 2016 at 12:20
Subject:    Overdue Invoice 089737 - COMS PLC

Dear Customer,

The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.


Brandi Riley


Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis shows an attempted download from:


This is hosted on an IP that you can assume to be malicious: (Veraton Projects, BZ / DE)

The dropped executable (detection rate 4/54) then phones home to: (Reg.Ru Hosting, Russia) (Cyberindo Aditama, Indonesia) (System Projects LLC, Russia)

The payload is the Dridex banking trojan.

Recommended blocklist:

Tuesday 1 December 2015

Malware spam: "Card Receipt" / "Tracey Smith" [tracey.smith@aquaid.co.uk]

This fake financial spam does not come from AquAid, but is instead a simple forgery with a malicious attachment. Poor AquAid were hit by the same thing several times earlier this year.

From     "Tracey Smith" [tracey.smith@aquaid.co.uk]
Date     Tue, 01 Dec 2015 10:54:15 +0200
Subject     Card Receipt


Please find attached receipt of payment made to us today

Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk

AquAid really is the only drinks supplier you will ever need with our huge
product range. With products ranging from bottled and mains fed coolers ranging up
to coffee machines and bespoke individual one off units we truly have the
right solution for all environments. We offer a refreshing ethical approach
to drinks supply in that we support both Christian Aid and Pump Aid with a
donation from all sales.  All this is done while still offering a highly
focused local service and competitive pricing. A personalised sponsorship
certificate is available for all clients showing how you are helping and we
offer £25 for any referral that leads to business.

AquAid Franchising Ltd is a company registered in England and Wales with
registered number 3505477 and registered office at 51 Newnham Road,
Cambridge, CB3 9EY, UK. This message is intended only for use by the named
addressee and may contain privileged and/or confidential information. If you
are not the named addressee you should not disseminate, copy or take any
action in reliance on it. If you have received this message in error please
notify the sender and delete the message and any attachments accompanying it
immediately. Neither AquAid nor any of its Affiliates accepts liability for
any corruption, interception, amendment, tampering or viruses occurring to
this message in transit or for any message sent by its employees which is
not in compliance with AquAid corporate policy.

Attached is a file CAR014 151238.doc which comes in at least two different versions with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:


This binary has a detection rate of 3/54. The Malwr report for that file shows that it phones home to: (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)

There are other bad IPs in the - range, so I strongly recommend that you block all traffic to

These two Hybrid Analysis reports [1] [2] also show malicious traffic to the following IPs: (Interdominios S.A., Spain) (PT. Drupadi Prima, Indonesia) (Agava Ltd, Russia) (Post and Telecom Company, Vietnam) (VSHosting s.r.o., Czech Republic)

The payload here is probably the Dridex banking trojan.


Recommended blocklist:

Monday 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )

I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.


I have received two more samples, one named invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:


This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to: (Cizgi Telekomunikasyon Anonim Sirketi, Turkey) (PT. Drupadi Prima, Indonesia) (Agava Ltd, Russia) (Elive Ltd, Ireland) (Mauritius Telecom, Mauritius) (Choopa LLC, Netherlands) (FPT Telecom Company, Vietnam) (Szkola Glowna Gospodarstwa Wiejskiego, Poland) (Memset Ltd, UK) (Etihad Atheeb Telecom Company, Saudi Arabia) (TE Data, Egypt) (Sibirskie Seti Novokuznetsk, Russia) (M2 Telecommunications Group Ltd, Australia) (Marosnet Telecommunication Company LLC, Russia) (NWT a.s., Czech Republic) (Wireless Business Solutions, South Africa) (Uzinfocom, Uzbekistan)


Recommended blocklist:

Friday 27 November 2015

Malware spam: "Invoice" / "Ivan Jarman [IJarman@sportsafeuk.com]"

This fake invoice does not come from Sportsafe UK Ltd but is instead a simple forgery with a malicious attachment.

From     Ivan Jarman [IJarman@sportsafeuk.com]
Date     Fri, 27 Nov 2015 17:21:27 +0530
Subject     Invoice

Sent 27 NOV 15 09:35

Sportsafe UK Ltd
Unit 2 Moorside

Telephone 01206 795265
Fax 01206 795284 

I have received several copies of the spam with the same attachment named S-INV-BROOKSTRO1-476006.doc with a VirusTotal detection rate of 1/54 and which contains this malicious macro [pastebin].

This Malwr report shows the macro downloads from:


The executable has a detection rate of 3/55. The Hybrid Analysis report shows network traffic to: (Unified Layer, US) (Telekomunikasyon Anonim Sirketi, Turkey) (ZAO National Communications / Infobox.ru, Russia) (Memset, UK) (Etihad Atheeb Telecom Company, Saudi Arabia) (1&1, Germany) (Linknet, Indonesia) (Uzinfocom, Uzbekistan)

The payload is probably the Dridex banking trojan.


Recommended blocklist:
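Each of these posts ends with a recommended blocklist of C2 addresses, sometimes a whole range where several bad hosts share it. The script below is an added example, not part of the original posts, showing how a defender can turn such a list (single IPs plus CIDR ranges) into a lookup and sweep proxy or firewall logs for hosts that contacted them; the blocklist entries, labels and log lines are constructed placeholders, not the real indicators.

```python
import ipaddress
import re

# Constructed blocklist in the style of the posts' "Recommended blocklist"
# sections: single hosts plus one whole range (the posts advise blocking a
# range when other bad hosts sit in it). Documentation addresses, not real IoCs.
BLOCKLIST = {
    "192.0.2.10": "example-host-A (constructed)",
    "203.0.113.0/24": "example-range (constructed)",
    "198.51.100.7": "example-host-B (constructed)",
}

# Constructed proxy log lines: "<timestamp> <src> -> <dst>:<port> <verdict>".
LOG_LINES = """\
2016-02-15T12:21:03 10.1.1.23 -> 192.0.2.10:80 ALLOW
2016-02-15T12:21:09 10.1.1.23 -> 203.0.113.44:443 ALLOW
2016-02-15T12:22:40 10.1.1.57 -> 93.184.216.34:443 ALLOW
2016-02-15T12:23:01 10.1.1.23 -> 198.51.100.7:8080 ALLOW
2016-02-15T12:23:05 10.1.1.90 -> 10.1.1.1:53 ALLOW
malformed line that should be skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def compile_blocklist(entries):
    """Turn IP and CIDR strings into (network, label) pairs; a bare IP becomes a /32."""
    return [(ipaddress.ip_network(e, strict=False), label) for e, label in entries.items()]


def lookup(dst, nets):
    """Return the blocklist label covering dst, or None if it is not listed."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # hostnames or garbage in the dst field are not IPs
        return None
    for net, label in nets:
        if addr in net:
            return label
    return None


def find_hits(log_text, entries):
    """Return (timestamp, src, dst, port, label) for every connection to a listed address."""
    nets = compile_blocklist(entries)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected log format
        ts, src, dst, port, _verdict = m.groups()
        label = lookup(dst, nets)
        if label:
            hits.append((ts, src, dst, int(port), label))
    return hits
```

Sources that appear in the hits (here a single internal host reaching all three listed addresses) are the machines to pull for triage; matching on ranges rather than exact IPs catches the sibling hosts the posts warn about.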