FYI...
Fake 'invoice' SPAM - doc macro malware
- https://myonlinesecurity.co.uk/lates...macro-malware/
7 Apr 2016 - "A -series- of emails with the basic subject of 'invoice' pretending to come from random names with a malicious word doc attachment is another one from the current bot runs... Some of the subjects seen include:
Uta Mclaughlin: Latest Invoice
Meghan Mckay, Sales Invoice
Fwd:Camille Glover. Purchase Invoice
The email looks like:
From: Uta Mclaughlin <nickbockholdt@ gmx .de> / Meghan Mckay <ramykhalifa@ emerge-studio .com> /
Camille Glover <david@ deliciousworldcorp .com>
Date: Thu 07/04/2016 04:51
Subject: Uta Mclaughlin: Latest Invoice
Attachment: 4872113603.doc
Please review the document enclosed with this message.
Kind regards
Meghan Mckay
7 April 2016: 4872113603.doc - Current Virus total detections 3/57*
.. Payload Security** shows a download from creditprimo .com/h1.jpg?BbZJpyfbopM=12
which gives this image (VirusTotal 2/57***). The macro extracts the malware from the image to give
12120.exe (VirusTotal 2/57[4]). MALWR[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1460006738/
** https://www.hybrid-analysis.com/samp...nvironmentId=4
Contacted Hosts
138.128.125.153
*** https://www.virustotal.com/en/file/9...is/1460008049/
4] https://www.virustotal.com/en/file/5...is/1460007688/
5] https://malwr.com/analysis/ODljMmY2N...hjNWFhMDk3Mzc/
___
Fake 'Your Latest Documents' SPAM - doc macro malware leads to Locky Ransomware
- https://myonlinesecurity.co.uk/your-...ky-ransomware/
7 Apr 2016 - "An email with the subject of 'Your Latest Documents' from Angel Springs Ltd [STA054C] pretending to come from ebilling@ angelsprings .com with a malicious word doc attachment is another one from the current bot runs...
Screenshot: https://myonlinesecurity.co.uk/wp-co...C-848x1024.png
7 April 2016: G-A0288010040780590521.pdf / G-A0288010040780590521.docm - Current Virus total detections 9/56*
.. MALWR** shows a download from http ://360webhosts .com/0uh634 (VirusTotal 13/56***) which is the -same- malware as described HERE[4] which is actually a downloader that downloads from 185.103.252.148/files/o35jkR.exe which is Locky Ransomware (VirusTotal 2/56[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1460028627/
** https://malwr.com/analysis/YmNjNDgwZ...IzNGQ0NzYyZGQ/
Hosts
202.87.31.185: https://www.virustotal.com/en/ip-add...5/information/
>> https://www.virustotal.com/en/url/1a...c663/analysis/
109.235.139.64
*** https://www.virustotal.com/en/file/f...is/1460027909/
TCP connections
109.235.139.64
4] https://myonlinesecurity.co.uk/dossi...macro-malware/
5] https://www.virustotal.com/en/file/f...is/1460026504/
185.103.252.148: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/3f...971a/analysis/
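The first item above describes a macro fetching a "jpg" that actually carries the executable (12120.exe) for the macro to extract. The following is an added defensive check, not code from the blog or the campaign: it scans a fetched blob for a plausibly embedded PE by validating the MZ header's e_lfanew pointer against a "PE\0\0" signature, rather than matching bare "MZ" bytes. The sample input is constructed (a minimal JPEG header with a fake MZ/PE stub appended), and the check assumes the executable is stored unencoded.

```python
import struct

# Constructed sample: a minimal JFIF header padded with zeros. This is NOT the
# real h1.jpg from the campaign, just enough to look like an image file.
JPEG_SOI = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32


def build_fake_pe_stub() -> bytes:
    """Constructed MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos_header + b"PE\x00\x00" + b"\x00" * 20


def find_embedded_pe(blob: bytes) -> list:
    """Return offsets in blob where a plausible PE image begins.

    A hit needs 'MZ' at offset o AND the e_lfanew field at o+0x3C pointing to a
    'PE\\0\\0' signature inside the blob. Random 'MZ' byte pairs (common in
    compressed image data) are therefore not reported on their own.
    """
    hits = []
    start = 0
    while True:
        o = blob.find(b"MZ", start)
        if o == -1:
            break
        start = o + 1
        if o + 0x40 > len(blob):          # not enough room for a DOS header
            continue
        e_lfanew = struct.unpack_from("<I", blob, o + 0x3C)[0]
        pe_off = o + e_lfanew
        # Sanity bounds on e_lfanew: past the DOS header, within a few KiB.
        if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(o)
    return hits


def looks_like_jpeg(blob: bytes) -> bool:
    """JPEG files start with the SOI marker FF D8 FF."""
    return blob[:3] == b"\xff\xd8\xff"


def classify_download(blob: bytes) -> str:
    """Verdict for a download served as an image, e.g. from a proxy/sandbox capture."""
    pe_hits = find_embedded_pe(blob)
    if looks_like_jpeg(blob):
        return "image-with-embedded-pe" if pe_hits else "clean-image"
    return "bare-pe" if pe_hits else "unknown"
```

If the macro decodes or XORs the payload before writing it out, a plain byte scan like this finds nothing; the sandbox reports linked above are then the more reliable indicator.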