FYI...
Fake 'Bank payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/bank-p...k-pdf-malware/
8 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a pdf attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded scripts that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages...
Update: An automatic analysis by Payload security* gives the download location as hundeschulegoerg .de/15/10.exe ( VirusTotal**)... Adobe reader in -recent- versions has Protected view automatically -enabled- and unless you press-the-button to 'enable all features', you should be safe from this attack... make sure you -uncheck- -any- additional offerings of security scans/Google chrome or -toolbars- that it wants to include in the download:
> http://myonlinesecurity.co.uk/wp-con...4-1024x423.png
The email (which has random amounts) looks like:
Dear client
Please find attached a bank payment for £3033.10 dated 10th June 2015
to pay invoice 1757. With thanks.
Kind regards
Sarah
Accounts
Today's Date: Bank payment 100615.pdf - Current VirusTotal detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-analysis.com/samp...nvironmentId=2
** https://www.virustotal.com/en-gb/fil...is/1433753588/
... Behavioural information
TCP connections
146.185.128.226: https://www.virustotal.com/en-gb/ip-...6/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-...0/information/
*** https://www.virustotal.com/en-gb/fil...is/1433751824/
hundeschulegoerg .de: 212.40.179.111: https://www.virustotal.com/en-gb/ip-...1/information/
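The write-up above says the attachment is a genuine PDF whose embedded scripts do the damage, and that Reader's Protected View stops them unless the user clicks "enable all features". The usual first triage step for such an attachment is a static count of the PDF names that can carry or auto-run script (the same indicators pdfid counts), including names hidden behind #xx hex escapes. The following is an added example written for this post, not code from myonlinesecurity.co.uk or from any of the tools it links; the sample PDF bytes are constructed here and are not the "Bank payment" attachment.

```python
import re
from collections import Counter

# Names whose presence in a PDF warrants a closer look: /JavaScript and /JS
# carry script, /OpenAction and /AA run actions automatically, /Launch and
# /EmbeddedFile can start or drop other files, /ObjStm can hide objects.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm")

# A PDF name token: slash, then letters, digits or #xx escapes.
_NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    def unhex(m):
        return bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", unhex, raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes and flag the auto-run-script pattern."""
    counts = Counter()
    for m in _NAME_RE.finditer(data):
        name = decode_name(m.group(0))
        if name in RISKY_NAMES:
            counts[name] += 1
    has_script = counts["/JS"] > 0 or counts["/JavaScript"] > 0
    auto_runs = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "counts": dict(counts),
        # Script that runs on open is the pattern Protected View exists to contain.
        "auto_executes_script": has_script and auto_runs,
    }


# Constructed sample (not the attachment from the post): a minimal PDF whose
# catalog points /OpenAction at a JavaScript action, with the action type
# name partly hex-escaped the way some droppers do to dodge naive grep.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('x')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A non-zero /OpenAction or /AA count next to /JS or /JavaScript is the combination to escalate; a PDF with none of these names can still be malicious (exploits in font or image parsers need no script), so the counts rank attachments for sandboxing rather than clear them.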
- http://blog.dynamoo.com/2015/06/malw...k-payment.html
8 June 2015
"... Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40 "
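Both sources end with indicators rather than code: dynamoo's recommended blocklist, and the download host and IP named in the myonlinesecurity update. The practical defender's use of such a list is to sweep proxy or firewall logs for any client that already reached them. Below is an added example written for this post, not code from either blog; the log format (timestamp, client, destination IP, Host header, path) and every log line are constructed here, while the IPs and host come from the two quoted write-ups.

```python
import ipaddress

# Indicators quoted in the post: dynamoo's recommended blocklist plus the
# download host/IP from the myonlinesecurity update.
BLOCKED_IPS = {
    "146.185.128.226", "31.186.99.250", "176.99.6.10",
    "203.151.94.120", "185.12.95.40", "212.40.179.111",
}
BLOCKED_HOSTS = {"hundeschulegoerg.de"}

# Constructed proxy log lines (not from the post): whitespace-separated
# timestamp, client IP, destination IP, Host header ("-" if none), path.
SAMPLE_LOG = """\
2015-06-08T09:41:02Z 10.1.4.23 93.184.216.34 example.com /index.html
2015-06-08T09:42:17Z 10.1.4.23 212.40.179.111 hundeschulegoerg.de /15/10.exe
2015-06-08T09:42:18Z 10.1.4.23 146.185.128.226 - /
2015-06-08T09:45:00Z 10.1.7.8 203.151.94.120 WWW.EXAMPLE.NET /
2015-06-08T09:46:11Z 10.1.7.8 not-an-ip - /
"""


def parse_line(line: str):
    """Split one log line into a record, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, dst, host, path = parts
    try:
        ipaddress.ip_address(dst)  # reject garbage in the destination column
    except ValueError:
        return None
    return {"ts": ts, "client": client, "dst": dst, "host": host, "path": path}


def host_is_blocked(host: str) -> bool:
    """Case-insensitive match on the host or any subdomain of a blocked host."""
    h = host.lower().rstrip(".")
    return h in BLOCKED_HOSTS or any(h.endswith("." + b) for b in BLOCKED_HOSTS)


def find_hits(log_text: str) -> list:
    """Return every record that touched an indicator, with the reasons why."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["dst"] in BLOCKED_IPS:
            reasons.append("blocked ip")
        if host_is_blocked(rec["host"]):
            reasons.append("blocked host")
        if rec["path"].lower().endswith(".exe"):
            reasons.append("executable download")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def clients_to_investigate(log_text: str) -> set:
    """Internal hosts that reached any indicator; each one needs a look."""
    return {h["client"] for h in find_hits(log_text)}


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "->", hit["dst"], hit["host"], hit["reasons"])
    print("investigate:", sorted(clients_to_investigate(SAMPLE_LOG)))
```

A hit on the download host or IP means the PDF's script ran and the second stage was fetched, which is a different response from merely having received the email; matching on the Host header as well as the destination IP matters because the hosting IP can change while the domain stays in the lure.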