This fake financial spam is not from
Lancashire Police but is a simply forgery with what appears to be a malicious attachment.
From: Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date: 21 October 2015 at 10:15
Subject: INVOICE FOR PAYMENT - 7500005791
Hello
Please find attached an invoice that is now due for payment.
Regards
Lyn
Lyn Whitehead (10688)
Business Support Department - Headquarters
Email: Lyn.Whitehead@lancashire.pnn.police.uk
********************************************************************************************
This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.
Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.
This e-mail has been scanned for the presence of computer viruses.
********************************************************************************************
The attachment appears contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.
The VirusTotal report shows a detection rate of
zero. The
Malwr report is inconclusive.
Other analysis is pending please check back.
UPDATE 1:
Another version of this is in circulation, also with
zero detections at VirusTotal. The Hybrid Analysis for both samples in inconclusive
[1] [2].
UPDATE 2:
An analysis of the documents shows an HTTP request to:
ip1.dynupdate.no-ip.com:8245
All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.
UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (
thanks). If you opened it and got a screen like this:
..then you are not infected. Incidentally, this only infects Windows PCs anyway.
The "fixed" malicious documents have a detection rate of about 6/56
[1] [2] [3] - analysis of
these documents is pending, although I can tell you that they create a malicious file in
%TEMP%\HichAz2.exe.
UPDATE 4:
The Hybrid Analysis reports for the documents can be found here
[1] [2] [3] show that the macros [
example] in the document download a binary from the following locations:
www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe
At present this has a
zero detection rate at VirusTotal (MD5
7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this
Malwr report indicate malicious traffic to the following IPs:
89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)
The payload is probably the Shifu banking trojan.
Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49
