Wednesday, 11 February 2015

Internal ONLY order_report.zip fake pdf malware

Internal ONLY order_report.zip fake pdf malware:

Headers: (example)
From: "Administrator" {Administrator@newburydata.co.uk}
Subject: Internal ONLY
Message body (example)

**********Important - Internal ONLY**********

File Validity: 11/02/2015
Company : http://domain.co.uk
File Format: Adobe Reader
Legal Copyright: Adobe Corporation.
Original Filename: Internal.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.


Attached to the email is a Zip file:
internal_31572.zip

Inside the zip, on a Windows machine, is a Windows executable (a .scr screensaver file, not a PDF):
internal_31572.scr

Md5 Hashes:
5f3e8e6891e96477d4d9cba602e86966  [1]
Malware Information:

VirusTotal Report [1] (detected by 5/57 virus scanners)

Malwr Report [1]

Summary:
  • Performs some HTTP requests
  • The binary likely contains encrypted or compressed data.
Hybrid Analysis Report [1]
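The attachment above follows a common pattern: a zip whose single member is a .scr executable while the mail body claims "File Format: Adobe Reader". The script below is an added example, not part of the Sanesecurity post, showing how a mail-gateway or triage script can inspect such an attachment offline: it flags members with executable extensions, checks the member's first bytes for a PE ("MZ") header regardless of what the mail claims, and compares the member's MD5 against a known-bad list. The list is seeded with the MD5 quoted in the post; the zip contents, the member bytes and the extension list are constructed for the example.

```python
"""Added example (not from the Sanesecurity post): inspect a zip attachment
for executable members, PE headers and known-bad MD5 hashes."""
import hashlib
import io
import os
import zipfile

# Extensions Windows will run as a program when double-clicked; .scr is a
# screensaver, which is an ordinary PE executable under another name.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# The MD5 from the post's "Md5 Hashes" line. Anything else in this file is
# constructed for the example.
KNOWN_BAD_MD5 = {"5f3e8e6891e96477d4d9cba602e86966"}

# Constructed stand-in for the real internal_31572.scr: a fake PE stub.
SAMPLE_STUB = b"MZ" + b"\x00" * 62 + b"constructed stub, not real malware"


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 only because that is what the post lists)."""
    return hashlib.md5(data).hexdigest()


def inspect_zip(data: bytes, known_bad=KNOWN_BAD_MD5):
    """Return a list of (member_name, reason) findings for a zip's members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name.lower())[1]
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
            content = zf.read(info)
            # A PE file starts with the "MZ" DOS header; a PDF starts with "%PDF".
            if content[:2] == b"MZ":
                findings.append((name, "PE header (MZ) despite any claimed document type"))
            digest = md5_hex(content)
            if digest in known_bad:
                findings.append((name, f"md5 {digest} on known-bad list"))
    return findings


def build_sample_zip() -> bytes:
    """Build a zip in memory shaped like the post's internal_31572.zip,
    holding the constructed stub under the post's member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("internal_31572.scr", SAMPLE_STUB)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

The constructed stub will not match the post's real MD5, so on this sample only the extension and PE-header checks fire; the hash check fires once the stub's own digest is added to the list, which is how the hash from a report like this one would be used against a real attachment.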

Cheers,

Steve
Sanesecurity.com

1 comment:

Anonymous said...

What do you do if the warning comes too late and you have already clicked on the zip, realised your mistake and then trashed it?