Wednesday, 21 January 2015

Employee Documents - Internal Use

Headers:
Date: Wed, 21 Jan 2015 12:39:24 +0000
From: "invoice" <no-replay@invoice.com>
Subject: Employee Documents - Internal Use
Message body:
DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://www.avralab.com/CUSTOMER-DOCUMENT.STORAGE~DATA/last-document.html

Documents are encrypted in transit and store in a secure repository

Link to the website:
http://www.avralab.com/CUSTOMER-DOCUMENT.STORAGE~DATA/last-document.html
There seem to be a lot of URLs they are spamming out. Here is a sample:
Pastebin Report: List of URLs * DO NOT CLICK ON THEM *


Once you arrive at the site, an auto-download of a zip file takes place:

invoice_pdf96968.zip
Inside the zip file is a Windows executable:

invoice_pdf15166.exe
MD5 Hash:
3604454f3eb4794c1eb7d8d317f67220
Malware Information:
VirusTotal Report (detected by 3/57 virus scanners)

Malwr Report

Hybrid Analysis Report

Summary:

Accesses potentially sensitive information from local browsers
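The indicators above (spoofed "invoice" sender, the NetDocuments lure text, the avralab.com link, and a zip that carries an executable) are enough to write a small triage check. The script below is an added example and is not part of the original post or of Sanesecurity's signatures. It parses a message shaped like the one quoted above, flags each indicator, then opens a zip in memory, flags members with executable extensions or an MZ header, and compares each member's MD5 against the hash listed above. The sample message and the zip are constructed inline for the demonstration (the "executable" is a harmless MZ stub, not the real invoice_pdf15166.exe), so the hash comparison will not match; the known-hash check is shown so the logic can be reused on a real sample.

```python
"""Triage helper for the 'Employee Documents - Internal Use' spam run.

Added example, not code from the original post. The only indicators taken
from the post are the MD5, the URL pattern, the sender and the lure text;
the decision rules and the sample data are this example's own.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy

# MD5 listed in the post for invoice_pdf15166.exe.
KNOWN_MD5 = {"3604454f3eb4794c1eb7d8d317f67220"}
# URL prefix the spam run links to (the path after it varies per message).
KNOWN_URL_RE = re.compile(
    r"https?://www\.avralab\.com/CUSTOMER-DOCUMENT\.STORAGE~DATA/", re.I)
# Extensions to treat as executable content inside a "document" zip.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Constructed sample reproducing the quoted headers and body.
SAMPLE_MSG = """\
Date: Wed, 21 Jan 2015 12:39:24 +0000
From: "invoice" <no-replay@invoice.com>
Subject: Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://www.avralab.com/CUSTOMER-DOCUMENT.STORAGE~DATA/last-document.html

Documents are encrypted in transit and store in a secure repository
"""


def triage_message(raw: str) -> list[str]:
    """Return the indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    sender = str(msg.get("From", ""))
    # The run uses "no-replay" (sic); also catch the correctly spelled form.
    if re.search(r"no-repla?y@invoice\.com", sender, re.I):
        hits.append("sender:no-replay@invoice.com")
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject == "employee documents - internal use":
        hits.append("subject:employee-documents")
    body = msg.get_payload()  # single-part message, so this is the text body
    if "Powered by NetDocuments" in body:
        hits.append("body:netdocuments-lure")
    for url in re.findall(r"https?://\S+", body):
        if KNOWN_URL_RE.match(url):
            hits.append("url:" + url)
    return hits


def inspect_zip(data: bytes) -> list[dict]:
    """List every zip member, flagging executables and known-bad hashes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            md5 = hashlib.md5(content).hexdigest()
            findings.append({
                "name": info.filename,
                "md5": md5,
                "executable_ext": info.filename.lower().endswith(EXEC_EXT),
                # A PE starts with 'MZ' regardless of what the name claims.
                "pe_header": content[:2] == b"MZ",
                "known_bad": md5 in KNOWN_MD5,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for invoice_pdf96968.zip holding a harmless MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Not real malware: an MZ header plus padding, enough to trip the
        # same checks the real invoice_pdf15166.exe would.
        zf.writestr("invoice_pdf15166.exe",
                    b"MZ" + b"\x00" * 62 + b"this is not a real program")
    return buf.getvalue()


def verdict(msg_hits: list[str], zip_findings: list[dict]) -> str:
    """Block on the lure URL, a PE inside the zip, or a known-bad hash."""
    if any(h.startswith("url:") for h in msg_hits):
        return "block"
    if any(f["pe_header"] or f["known_bad"] for f in zip_findings):
        return "block"
    return "allow"


if __name__ == "__main__":
    hits = triage_message(SAMPLE_MSG)
    findings = inspect_zip(build_sample_zip())
    print(hits)
    for f in findings:
        print(f)
    print(verdict(hits, findings))
```

On a real sample, feed the downloaded zip bytes to inspect_zip and the "known_bad" flag will light up if the member's MD5 equals the hash listed above; the MZ-header check is there because the filename alone ("invoice_pdf...") is chosen to look like a PDF.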



Cheers,

Steve
Sanesecurity.com

3 comments:

Anonymous said...

What does this virus actually do???

Steve Basford said...

Accesses potentially sensitive information from local browsers, also downloads/contacts other servers around the world to download other malware :(

Anonymous said...

Thanks for this blog! Awesome.