Sponsored by..

Showing posts with label New Zealand. Show all posts
Showing posts with label New Zealand. Show all posts

Wednesday 21 October 2015

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is a simply forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791


Please find attached an invoice that is now due for payment.



Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk


This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

The attachment appears contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending please check back.

Another version of this is in circulation, also with zero detections at VirusTotal.  The Hybrid Analysis for both samples in inconclusive [1] [2].

An analysis of the documents shows an HTTP request to:


All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.

All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:

Source: Malwr.com
..then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file in %TEMP%\HichAz2.exe.

The Hybrid Analysis reports for the documents can be found here [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:


At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this Malwr report indicate malicious traffic to the following IPs: (Elvsoft SRL, Romania / Coreix Ltd, UK) (Web Drive Ltd, New Zealand) (Online SAS / Iliad Entreprises / Poney Telecom, France) (Trinity College Hartford, US)

The payload is probably the Shifu banking trojan.

Recommended blocklist:

Friday 20 June 2014

"2014_06rechnung_0724300002_sign.zip" spam

I don't have a sample of the German-language spam spreading this attack, but it is similar to this one and it entices the victim to download a ZIP file  from [donotclick]officialdund.co.uk/wp-content/themes/officialdund/mobilfunktelekom/2014_06rechnung_0724300002_sign.zip

Inside the ZIP file is a malicious executable 2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe which has a very low VirusTotal detection rate of just 1/54. The Malwr report shows that it downloads a further executable rqvupdate.exe [Malwr report] which phones home to (Server Central, US) and has a VT detection rate of just 2/52.

The Anubis report also shows connections to (Server Central, US), (OVH, France / QHoster Ltd, Bulgaria) and (Ransom IT Hosting, New Zealand)

Recommend blocklist: