Sanesecurity ClamAV blog: zero hour malware, phishing and scams: INCOMING FAX REPORT malware

Wednesday, 14 January 2015

INCOMING FAX REPORT malware

INCOMING FAX REPORT malware in the form of a html email, with an attached ZIP file.

Headers:

Date: Wed, 14 Jan 2015 09:42:22 +0800
From: "Incoming Fax" {no-reply@}
Subject: INCOMING FAX REPORT : Remote ID: 495-768-4745

Message body:

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Wed, 14 Jan 2015 09:42:22 +0800
Speed: 4801bps
Connection time: 02:06
Pages: 0
Resolution: Normal
Remote ID: 486-214-1247
Line number: 1
DTMF/DID:
Description: Internal Docs

Fax message attached in PDF format (Adobe Photoshop).

Attached to the email is a ZIP file:

FaxMessage69831_82741-84712.pdf.zip

On the Windows machine, Inside the zip, is Windows executable (Note the dual extension)

FaxMessage69831_82741-84712.pdf.scr

Md5 Hashes:

d54494741cfc549942c5e79a1213f200

Malware Information:

VirusTotal Report [1]
(hits 26/57 Virus Scanners)

Malwr Report [1]

Summary:

Performs some HTTP requests

Steals private information from local Internet browsers

Creates an Alternate Data Stream (ADS)

Installs itself for autorun at Windows startup

Cheers,

Steve
Sanesecurity.com

Sanesecurity ClamAV blog: zero hour malware, phishing and scams

Amazon3

Pages

Amazon

Wednesday, 14 January 2015

INCOMING FAX REPORT malware

No comments: