From: Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date: 21 October 2015 at 10:15
Subject: INVOICE FOR PAYMENT - 7500005791
Hello
Please find attached an invoice that is now due for payment.
Regards
Lyn
Lyn Whitehead (10688)
Business Support Department - Headquarters
Email: Lyn.Whitehead@lancashire.pnn.police.uk
********************************************************************************************
This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.
Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.
This e-mail has been scanned for the presence of computer viruses.
********************************************************************************************
The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.
The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.
Other analysis is pending; please check back.
UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal. The Hybrid Analysis for both samples is inconclusive [1] [2].
UPDATE 2:
An analysis of the documents shows an HTTP request to:
ip1.dynupdate.no-ip.com:8245
All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.
UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:
[Screenshot of the error dialog shown when opening the corrupt attachment. Source: Malwr.com]
The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file in %TEMP%\HichAz2.exe.
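The extra leading byte described above is why the corrupt and "fixed" documents have different hashes and different detection rates. The following is an added example (not from the original post) of how an analyst can check whether an attachment starts with a known document header or has junk bytes before it, and strip those bytes before further analysis; the sample bytes are constructed, not taken from the real attachments.

```python
import hashlib

# Magic numbers for the two container formats a Word attachment normally uses.
MAGICS = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE2 compound file (.doc)",
    b"PK\x03\x04": "ZIP container (OOXML .docx/.docm)",
}


def find_header_offset(data: bytes, max_skip: int = 8):
    """Return (offset, format_name) of the first known header found within the
    first max_skip bytes, or (None, None) if no known header is present."""
    for offset in range(max_skip + 1):
        window = data[offset:]
        for magic, name in MAGICS.items():
            if window.startswith(magic):
                return offset, name
    return None, None


def strip_leading_junk(data: bytes):
    """Return (repaired_bytes, bytes_dropped). A file that already starts
    with a known header is returned unchanged with bytes_dropped == 0."""
    offset, _ = find_header_offset(data)
    if offset is None:
        raise ValueError("no known document header found in leading bytes")
    return data[offset:], offset


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a minimal OLE2 header followed by padding, and the same
# bytes with one junk byte prepended, mirroring the corrupt attachments.
GOOD_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
CORRUPT_DOC = b"\x0a" + GOOD_DOC

if __name__ == "__main__":
    for label, blob in (("good", GOOD_DOC), ("corrupt", CORRUPT_DOC)):
        offset, fmt = find_header_offset(blob)
        print(f"{label}: header at offset {offset} ({fmt}), sha256={sha256_hex(blob)}")
    repaired, dropped = strip_leading_junk(CORRUPT_DOC)
    print(f"repaired: dropped {dropped} byte(s), sha256={sha256_hex(repaired)}")
```

Because the hash of the repaired file differs from the corrupt one, look both up separately when checking sandbox or VirusTotal reports.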
UPDATE 4:
The Hybrid Analysis reports for the documents [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:
www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe
At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this Malwr report indicate malicious traffic to the following IPs:
89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)
The payload is probably the Shifu banking trojan.
Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49