FYI...
Fake 'account documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/trick...-form-malspam/
7 Dec 2017 - "... an email containing the subject of 'Your account documents', pretending to come from Companies House but actually coming from a look-alike or typo-squatted domain <no-reply@ companieshouseform .co.uk>, with a malicious Word doc attachment is today's latest spoof of a well-known company, bank or public authority delivering the Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ecure-form.png
SecureForm84.doc - Current VirusTotal detections 3/60*| Hybrid Analysis**... This malware docx file downloads from
http ://aperhu .com/ser0712.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ejjmdejh9.exe (VirusTotal 8/68[3])...
The alternative download location is
http ://altarek .com/ser0712.png... Today's example of the spoofed domain is, as usual, registered via GoDaddy as registrar using privacy protection services...
companieshouseform .co.uk is hosted on numerous servers and IP addresses and sends the emails via 185.207.204.218 | 185.23.215.76 | 89.39.106.208 | All of which are based in the Netherlands...
Malware detail:
> https://myonlinesecurity.co.uk/wp-co...m_word_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/2...is/1512651253/
SecureForm6.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
146.255.36.1
143.95.252.46
Contacted Hosts
143.95.252.46
146.255.36.1
185.80.128.223
82.146.47.221
185.125.46.161
[3] https://www.virustotal.com/en/file/b...is/1512647520/
fbwnk.exe
aperhu .com: 143.95.252.46: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/8a...01d0/analysis/
altarek .com: 64.50.184.217: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/c1...50bb/analysis/
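The post's key detection point is that the payload URLs end in .png but serve a renamed .exe. The script below is an added example (not code from the original post, myonlinesecurity.co.uk, or any vendor): it takes a few constructed proxy-log style records (URL, destination IP, first bytes of the response body) and flags two things - a host or IP that appears in the IOC list transcribed from this post, and an "image" URL whose body actually starts with the MZ header of a Windows executable. The log records and the 198.51.100.x address are made up for illustration; the IOC values are those quoted above, with the de-fanging spaces removed.

```python
# Added example: IOC matching plus file-type/extension mismatch detection.
# Not from the original post; log records below are constructed for illustration.
import os
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# IOCs transcribed from the post (de-fanging spaces removed).
IOC_HOSTS = {"aperhu.com", "altarek.com", "companieshouseform.co.uk"}
IOC_IPS = {
    "143.95.252.46", "64.50.184.217", "146.255.36.1", "185.80.128.223",
    "82.146.47.221", "185.125.46.161",
    "185.207.204.218", "185.23.215.76", "89.39.106.208",  # sending IPs
}

# File signatures (magic bytes) -> type label.
MAGIC: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"MZ": "pe",            # DOS/PE executable header
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls
}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def sniff(head: bytes) -> Optional[str]:
    """Return the type label whose signature the body starts with, or None."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None


def url_ext(url: str) -> str:
    """Lower-cased extension of the URL path, e.g. '.png'."""
    return os.path.splitext(urlparse(url).path)[1].lower()


def host_matches_ioc(host: str) -> bool:
    """Exact match or subdomain of a listed IOC domain."""
    host = host.lower().rstrip(".")
    return host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS)


def classify(url: str, dst_ip: str, head: bytes) -> List[str]:
    """Return a list of findings for one download; empty list means clean."""
    findings: List[str] = []
    host = urlparse(url).hostname or ""
    if host_matches_ioc(host):
        findings.append(f"host {host} is in the IOC list")
    if dst_ip in IOC_IPS:
        findings.append(f"destination {dst_ip} is in the IOC list")
    ext, kind = url_ext(url), sniff(head)
    if ext in IMAGE_EXTS and kind == "pe":
        findings.append(f"{ext} URL served a PE executable (MZ header)")
    elif ext in IMAGE_EXTS and kind not in (None, "png", "jpeg", "gif"):
        findings.append(f"{ext} URL served {kind} content, not an image")
    return findings


def scan(records: List[Tuple[str, str, bytes]]) -> Dict[str, List[str]]:
    """Run classify() over (url, dst_ip, head) records; keep only hits."""
    hits = {}
    for url, dst_ip, head in records:
        found = classify(url, dst_ip, head)
        if found:
            hits[url] = found
    return hits


# Constructed sample records (first 16 bytes of each response body).
SAMPLE_RECORDS: List[Tuple[str, str, bytes]] = [
    # Payload URL from the post, body begins with a DOS/PE header.
    ("http://aperhu.com/ser0712.png", "143.95.252.46",
     b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    # Unrelated, genuine PNG from an unlisted host (198.51.100.7 is a documentation address).
    ("https://example.test/logo.png", "198.51.100.7",
     b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    # Listed host, but the body is a real PNG: still worth a look.
    ("http://altarek.com/banner.png", "64.50.184.217",
     b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RECORDS).items():
        print(url)
        for f in findings:
            print("  -", f)
```

The MZ check is the part worth keeping even after these IOCs go stale: a proxy or sandbox that compares the claimed extension (or Content-Type) against the first bytes of the body catches the "renamed .exe served as .png" trick regardless of which throwaway domain is used that day.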