From: Administrator@badeleke [Administrator@victimdomain]Note the odd dates on the spam email. In all cases, the attachment is called EDCSRP earmarking (Update 08_21_2015).doc and at present it has a VirusTotal detection rate of 7/55. It contains a complex macro [pastebin] which (according to Hybrid Analysis) downloads additional components from:
To: badeleke@victimdomain
Date: 24 July 2014 at 10:30
Subject: Administrator - EDCSRP earmarking (Update 07_21_2015).doc
badeleke,
This attachment(EDCSRP earmarking (Update 07_21_2015).doc) provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
Thank you,
Administrator
http://www.victimdomain
----------------------
From: Incoming Fax [Incoming.Fax@victimdomain]
To: administrator@victimdomain
Date: 18 September 2014 at 08:35
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 07/21/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: Internal_report_07212015_5542093.doc
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
phudge.ca/wordpress/wp-content/themes/canvas/includes/.svn/props/78672738612836.txt
kedros.ch//modules/mod_araticlhess/78672738612836.txt
Automated analysis didn't work on this and frankly instead of reinventing the wheel I refer you to this note from @Techhelplistcom which reveals an executable being downloaded from:
umontreal-ca.com/ualberta/philips.exe
This domain was registered just yesterday to an anonymous person and is hosted on 89.144.10.200 (ISP4P, Germany) so we can assume that it is malicious. But here's an interesting detail.. if you look at the Word document itself it does actually claim to be from the University of Montreal (click to enlarge).
|
|
This whole thing is Upatre dropping the Dyre banking trojan, and it's quite clever stuff. Perhaps your best defence is a user education programme about not enabling active content on suspect emails..
Recommended minimum blocklist:
89.144.10.200
MD5s:
e945383e19955c420789bf5b3b415d00
015774e058bcb1828726848d2edd93f9