Sanesecurity ClamAV blog: zero hour malware, phishing and scams: Accounts Invoice 1385 Windsor Flowers

Wednesday, 28 January 2015

Accounts Invoice 1385 Windsor Flowers

Accounts Invoice 1385 Windsor Flowers containing a word document with embedded macro.

Just a quick update to the earlier blog entry

Payload (Thanks to Leigh Hall for the information):

Connects to: hxxp://vivercomrequinte.com.br/js/bin.exe
Creates file: %TEMP%\sdfsdferfwe.exe

Payload Md5 Hashes:

9b1df8529ce85a0d9ccd5378afb7cbaf [1]

Payload Analysis:

VirusTotal Report [1] (hits 2/57 Virus Scanners)

Malwr Report [1]

Hybrid-Analysis Report [1]

Connects to host located in:

France, Bulgaria, United Kingdom, Bulgaria, France, Romania, Korea Republic of

Cheers,

Steve

Sanesecurity.com

3 comments:

Dave said...: Macro in word doc contains the following code: http://pastebin.com/vZn3RCHP; 28 January 2015 at 12:30
Dave said...: Further to my previous comment, another domain is

drevenak.cz; 28 January 2015 at 12:35
Unknown said...: Is that domain what the .doc tries to reach or what the dropped .exe tries to reach?; 28 January 2015 at 17:56

Sanesecurity ClamAV blog: zero hour malware, phishing and scams

Amazon3

Pages

Amazon

Wednesday, 28 January 2015

Accounts Invoice 1385 Windsor Flowers

3 comments: