Sanesecurity ClamAV blog: zero hour malware, phishing and scams: Employee Documents

Wednesday, 21 January 2015

Employee Documents - Internal Use

Employee Documents - Internal Use

Headers:

Date: Wed, 21 Jan 2015 12:39:24 +0000
From: "invoice" {no-replay@invoice.com}
Subject: Employee Documents - Internal Use

Message body:

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://www.avralab.com/CUSTOMER-DOCUMENT.STORAGE~DATA/last-document.html

Documents are encrypted in transit and store in a secure repository

Links to website....

http://www.avralab.com/CUSTOMER-DOCUMENT.STORAGE~DATA/last-document.html

There seems to be a lot of urls they are spamming out... here's a sample...

Pastebin Report: List of urls [1] * DO NOT CLICK ON THEM *

Once you arrive at the site an auto-download of a zip file takes place:

invoice_pdf96968.zip

Inside the Zip file is a windows executable:

invoice_pdf15166.exe

MD5 Hashes:

3604454f3eb4794c1eb7d8d317f67220 [1]

Malware Information:

VirusTotal Report [1] (hits 3/57 Virus Scanners)

Malwr Report [1]

.Hybrid Analysis Report [1]

Summary:

Accesses potentially sensitive information from local browsers

Cheers,

Steve
Sanesecurity.com

3 comments:

Anonymous said...: What does this virus actually do???; 21 January 2015 at 15:40
Steve Basford said...: Accesses potentially sensitive information from local browsers, also downloads/contacts other servers around the world to download other malware :(; 21 January 2015 at 15:49
Anonymous said...: Thank for this blog! Awesome.; 21 January 2015 at 17:10

Sanesecurity ClamAV blog: zero hour malware, phishing and scams

Amazon3

Pages

Amazon

Wednesday, 21 January 2015

Employee Documents - Internal Use

3 comments: