Wednesday, 28 January 2015

Accounts Invoice 1385 Windsor Flowers

The "Accounts Invoice 1385 Windsor Flowers" email contains a Word document with an embedded macro.

Just a quick update to the earlier blog entry.

Payload (thanks to Leigh Hall for the information):
Connects to: hxxp://
Creates file: %TEMP%\sdfsdferfwe.exe

Payload MD5 hash:
9b1df8529ce85a0d9ccd5378afb7cbaf   [1]

Payload Analysis:

VirusTotal Report [1] (detected by 2 of 57 engines)

Malwr Report [1]

Hybrid-Analysis Report [1]

Connects to hosts located in:

France, Bulgaria, United Kingdom, Bulgaria, France, Romania, Korea, Republic of
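As an added example (not part of the original post or its comments), here is a small Python sweep that checks a directory for the two host-based indicators listed above: the dropped file name in %TEMP% and the payload MD5. The indicator values are the ones from the post; the directory to sweep, the read chunk size and the constructed sample files in demo() are assumptions made for the example.

```python
"""IOC sweep for the 'Accounts Invoice 1385 Windsor Flowers' payload.

Added example, not code from the original post. Walks a directory and
reports any file whose name matches the dropped executable or whose MD5
matches the hash listed in the post.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Indicators taken from the post.
DROPPED_FILENAME = "sdfsdferfwe.exe"
PAYLOAD_MD5S = {"9b1df8529ce85a0d9ccd5378afb7cbaf"}


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(directory, dropped_name=DROPPED_FILENAME, known_md5s=PAYLOAD_MD5S):
    """Return a list of (path, reason) hits found under `directory`.

    The two indicators are checked independently: a re-packed sample keeps
    the dropper's file name but changes its hash, while a renamed copy keeps
    the hash but not the name.
    """
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = Path(root) / name
            reasons = []
            if name.lower() == dropped_name.lower():
                reasons.append("name matches dropped file")
            try:
                digest = md5_of_file(path)
            except OSError:
                # Locked or unreadable file; skip rather than abort the sweep.
                continue
            if digest in known_md5s:
                reasons.append("MD5 matches known payload")
            if reasons:
                hits.append((str(path), "; ".join(reasons)))
    return hits


def demo():
    """Constructed demo (assumption, not real samples): one harmless file that
    carries the dropper's name, and one renamed file whose MD5 is added to the
    known-hash set, so both indicators fire once each."""
    with tempfile.TemporaryDirectory() as scratch:
        named = Path(scratch) / DROPPED_FILENAME
        named.write_bytes(b"constructed, not the real payload")
        renamed = Path(scratch) / "invoice.tmp"
        renamed.write_bytes(b"constructed renamed copy")
        known = PAYLOAD_MD5S | {md5_of_file(renamed)}
        return sorted(sweep(scratch, known_md5s=known))


if __name__ == "__main__":
    # Sweep the directory given on the command line, or the temp directory
    # (where the post says the dropper is written) by default.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    for hit_path, reason in sweep(target):
        print(f"{hit_path}: {reason}")
```

Run it with no arguments to sweep the current user's temp directory, or pass another path. A name match on its own is a weak signal, so treat a hit without a matching hash as something to pull for analysis rather than as a confirmed infection.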



Dave said...

Macro in Word doc contains the following code:

Dave said...

Further to my previous comment, another domain is

Unknown said...

Is that domain what the .doc tries to reach or what the dropped .exe tries to reach?