This fake financial spam does not come from Buildbase but is instead a simple forgery with a malicious attachment.
From: David Lawale [David.Lawale@buildbase.co.uk]
Date: 8 December 2015 at 10:58
Subject: Updated Statement - 2323191
Hi,
Please find attached copy updated statement as your account has 3 overdue incoices. Is there any reasons why they haven’t yet been paid?
Kind Regards
David
David Lawale | Credit Controller | Buildbase
Harvey Road, Basildon, Essex, SS13 1QJ
www.buildbase.co.uk
Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.
UPDATE 1
Automated analysis is inconclusive [1] [2] [3] [4] [5] [6]. It is possible that there is an error in the macro.
UPDATE 2
According to the comments in this post and also some other sources, the macros download from:
gulteknoofis.com/76re459/98uy76t.exe
kinderdeszorns.de/76re459/98uy76t.exe
agencjareklamowalodz.com/76re459/98uy76t.exe
This has a detection rate of 4/55. According to these reports [1] [2] [3] and other sources, the malware phones home to:
216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)
MD5s:
0316dbd20fbfd5a098cd8af384ca950f
1b4283c8531653a5156911be1e6535
5a2140f864d98949d44945500a7d18
6ce6e2b915688f2b474e65813dc361
Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169
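To make the indicators above directly usable, here is an added example (my own code, not part of the original post) that sweeps proxy, firewall and file-hash data for the download URLs, the phone-home addresses and the MD5s listed in this post. It assumes Squid-style proxy lines (URL in the seventh field) and iptables-style firewall lines carrying a DST= field; the sample log lines are constructed for the demonstration. It also goes slightly beyond the listed URLs by flagging the shared path /76re459/98uy76t.exe on any host, since all three download URLs use it, and it checks that each MD5 is a well-formed 32-hex-digit string before matching so that a hash that was shortened in transcription is reported rather than silently never matching.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators exactly as listed in the post (download URLs have no scheme).
DOWNLOAD_URLS = [
    "gulteknoofis.com/76re459/98uy76t.exe",
    "kinderdeszorns.de/76re459/98uy76t.exe",
    "agencjareklamowalodz.com/76re459/98uy76t.exe",
]
C2_IPS = {"216.189.52.147", "23.113.113.105", "221.132.35.56", "78.47.66.169"}
MD5S = [
    "0316dbd20fbfd5a098cd8af384ca950f",
    "1b4283c8531653a5156911be1e6535",
    "5a2140f864d98949d44945500a7d18",
    "6ce6e2b915688f2b474e65813dc361",
]

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def usable_md5s(hashes):
    """Split hashes into well-formed MD5s and ones that cannot be matched as written."""
    ok, bad = [], []
    for h in hashes:
        (ok if HEX32.match(h.lower()) else bad).append(h.lower())
    return ok, bad


def split_url(url):
    """Return (lower-cased host, path) for a URL written with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    return (p.hostname or "").lower(), p.path


DOWNLOAD_HOSTS = {split_url(u)[0] for u in DOWNLOAD_URLS}
DOWNLOAD_PATHS = {split_url(u)[1] for u in DOWNLOAD_URLS}


def check_proxy_line(line):
    """Squid native format: ts elapsed client code/status bytes method URL ...
    Returns a reason string on a match, otherwise None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    host, path = split_url(parts[6])
    if host in DOWNLOAD_HOSTS:
        return f"download host {host}"
    if path in DOWNLOAD_PATHS:  # same path on a host not in the list: heuristic match
        return f"download path {path} on unlisted host {host}"
    return None


def check_firewall_line(line):
    """iptables-style log line; flags a destination that is in the blocklist."""
    m = re.search(r"DST=(\d+\.\d+\.\d+\.\d+)", line)
    if not m:
        return None
    dst = m.group(1)
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return f"C2 address {dst}" if dst in C2_IPS else None


def scan(proxy_lines, firewall_lines, observed_hashes):
    """Run all checks and return a list of (source, reason, evidence) hits."""
    hits = []
    for line in proxy_lines:
        reason = check_proxy_line(line)
        if reason:
            hits.append(("proxy", reason, line))
    for line in firewall_lines:
        reason = check_firewall_line(line)
        if reason:
            hits.append(("firewall", reason, line))
    ok, _bad = usable_md5s(MD5S)
    for h in observed_hashes:
        if h.lower() in ok:
            hits.append(("hash", f"MD5 {h.lower()}", h))
    return hits


# Constructed sample data (not from the post): two proxy hits, one firewall hit, one hash hit.
SAMPLE_PROXY = [
    "1449568800.123 245 10.0.0.15 TCP_MISS/200 412352 GET http://kinderdeszorns.de/76re459/98uy76t.exe - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1449568801.456 30 10.0.0.15 TCP_MISS/200 1234 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.11 text/html",
    "1449568802.000 100 10.0.0.22 TCP_MISS/200 412352 GET http://other.example/76re459/98uy76t.exe - HIER_DIRECT/203.0.113.12 application/octet-stream",
]
SAMPLE_FW = [
    "Dec  8 11:02:13 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=216.189.52.147 LEN=60 PROTO=TCP SPT=49152 DPT=8080",
    "Dec  8 11:02:14 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=49153 DPT=443",
]
SAMPLE_HASHES = ["0316DBD20FBFD5A098CD8AF384CA950F", "d41d8cd98f00b204e9800998ecf8427e"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY, SAMPLE_FW, SAMPLE_HASHES):
        print(*hit, sep=" | ")
    _ok, bad = usable_md5s(MD5S)
    if bad:
        print("Hashes not matchable as written (not 32 hex digits):", ", ".join(bad))
```

Running it against the constructed data reports the download from kinderdeszorns.de, the same path fetched from an unlisted host, the connection to 216.189.52.147 and the first MD5, and lists the three shorter hashes as unusable until a full-length value is obtained. The path heuristic is deliberately a separate, lower-confidence reason string so it can be triaged differently from an exact host match.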