Thursday, 19 March 2015

faxtastic! Fax from +4921154767199 Pages: 1

A faxtastic! "Fax from +4921154767199 Pages: 1" email is being spammed out with a malicious Excel document attached.

These emails aren't from the company they claim to be from at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real business.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet (the sending IP in the Received headers will belong to the botnet, not to the company).

Ringing the company isn't advised either, as there won't really be anything they can do to help you.

Message Header:

From: "faxtastic!" <fax@faxtastic.co.uk>
Subject: Fax from +4921154767199 Pages: 1
Message Body:
You have received a new fax. To view it, please open the attachment.

Did you know we now send? Visit www.faxtastic.co.uk for more details.


Regards,

faxtastic Support Team
Attachment:
2015031714240625332.xls
Sha256 Hashes:
98b1ae63a582fbb998959648c7fdee5be9ce7a4341c4bb474fe7b64997197784 [1]
0ecabe0a7fceb2dfdce96295d0ecceca0d8e0546c976a913f0e10c819af70fc0 [2]
c5b83418c7fbe3e3799decce6162525b1ca73eeb8854e5e599c4830bb54de9a4 [3]

Malware Macro document information:
VirusTotal Report [1] (Detection ratio 2 /57)
VirusTotal Report [2] (Detection ratio 2 /57)
VirusTotal Report [3] (Detection ratio 2 /57)

Malwr Report [1]
Malwr Report [2]
Malwr Report [3]

Hybrid Analysis Report [1]
Hybrid Analysis Report [2]
Hybrid Analysis Report [3]
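As an added example (not part of the original post, and not code from faxtastic! or from any of the analysis services linked above), the script below triages a saved attachment offline: it hashes the file and compares the digest against the three SHA-256 IOCs listed above, then applies a structural heuristic for embedded VBA. Excel/Word 97-2003 files are OLE2 containers whose directory entry names are stored as UTF-16LE, and the VBA project lives in a storage named `_VBA_PROJECT_CUR` (Excel) or `Macros` (Word); macro-enabled Office Open XML files (.xlsm/.docm) are ZIP containers that carry a `vbaProject.bin` part whose name appears in ASCII in the ZIP directory. The files built in `build_samples()` are constructed here for the demo and are not the real attachment.

```python
"""Offline triage of a suspected macro-laden Office attachment.

Added example, not code from the original post. Checks the file's SHA-256
against the IOCs listed in the post, then looks for the standard on-disk
markers of an embedded VBA project. This is a cheap first pass, not a
replacement for sandbox analysis.
"""
import hashlib
import io
import zipfile

# SHA-256 IOCs listed in the post for 2015031714240625332.xls
KNOWN_BAD_SHA256 = {
    "98b1ae63a582fbb998959648c7fdee5be9ce7a4341c4bb474fe7b64997197784",
    "0ecabe0a7fceb2dfdce96295d0ecceca0d8e0546c976a913f0e10c819af70fc0",
    "c5b83418c7fbe3e3799decce6162525b1ca73eeb8854e5e599c4830bb54de9a4",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / Compound File header
ZIP_MAGIC = b"PK\x03\x04"                         # Office Open XML is a ZIP

# OLE2 directory entry names are UTF-16LE, so search for the encoded form.
OLE_VBA_MARKERS = {
    "_VBA_PROJECT_CUR": "_VBA_PROJECT_CUR".encode("utf-16-le"),  # Excel 97-2003 VBA storage
    "Macros": "Macros".encode("utf-16-le"),                      # Word 97-2003 VBA storage
}
# ZIP local/central directory headers store part names in plain ASCII.
OOXML_VBA_MARKER = b"vbaProject.bin"


def sha256_hex(data):
    """Hex SHA-256 of the raw file bytes, comparable to the IOC list."""
    return hashlib.sha256(data).hexdigest()


def vba_indicators(data):
    """Return the list of VBA markers found; an empty list means none found."""
    if data.startswith(OLE_MAGIC):
        return [name for name, enc in OLE_VBA_MARKERS.items() if enc in data]
    if data.startswith(ZIP_MAGIC):
        return ["vbaProject.bin"] if OOXML_VBA_MARKER in data else []
    return []


def triage(data):
    """Classify a file: known-bad hash first, then structural macro markers."""
    digest = sha256_hex(data)
    markers = vba_indicators(data)
    if digest in KNOWN_BAD_SHA256:
        verdict = "known-bad"
    elif markers:
        verdict = "suspicious-macro"
    elif data.startswith(OLE_MAGIC) or data.startswith(ZIP_MAGIC):
        verdict = "no-macro-markers"
    else:
        verdict = "not-an-office-container"
    return {"sha256": digest, "verdict": verdict, "markers": markers}


def build_samples():
    """Constructed demo inputs (not real malware): minimal byte layouts that
    carry only the markers the heuristic looks for."""
    sector = b"\x00" * 504  # pad the 8-byte magic out to one 512-byte sector
    xls_with_vba = OLE_MAGIC + sector + OLE_VBA_MARKERS["_VBA_PROJECT_CUR"] + b"\x00" * 64
    xls_plain = OLE_MAGIC + sector + "Workbook".encode("utf-16-le") + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x01\x02")  # where .xlsm keeps its VBA
    xlsm_with_vba = buf.getvalue()
    return {
        "xls_with_vba": xls_with_vba,
        "xls_plain": xls_plain,
        "xlsm_with_vba": xlsm_with_vba,
        "text": b"just a text file",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage(blob))
```

Run it as-is to see the verdicts for the constructed samples, or call `triage(open(path, "rb").read())` on a saved attachment. A hash match is conclusive for the three samples above; the marker check only says a VBA project is present, not what it does, so anything flagged `suspicious-macro` still belongs in a sandbox such as the Malwr or Hybrid Analysis runs linked above.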

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The file the macro auto-downloads is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

6 comments:

Anonymous said...

Just got one of these 8.40am 19-3-15 which my antenna prompted me to google the text of the message and up came your site with the info. Many thanks. No doubt will get many more over the next few days!

Anonymous said...

I just got this message at 8.15 on the 19/3/2015. Thanks for the heads up.

Anonymous said...

got mine 20 mins before you, do i win?

Anonymous said...

Also got this at 8:33 19/3/15 Glad someone is up with beating these scammers

Anonymous said...

got one at 8.45 that's one a week from every one that you have mentioned on here. Any way to block them?

Anonymous said...

Thanks!