Monday, 9 March 2015

Serv-Ware Credit Application.pdf

An email with the subject "Emailing: Serv-Ware Credit Application.pdf." is being spammed out. Despite the subject, the attachment is not a PDF but a zip file, and the zip contains a Windows executable.

These emails aren't from the named company at all; the company's name, signature block and email address are just being used to make the message look genuine, i.e. as if it came from a real business.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their mail servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.
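The point above, that the From address is not evidence of where a message came from, is something you can check yourself from the raw headers. The following is an added example (not part of the original post): it parses a constructed set of headers, pulls the domain out of the From address, walks the Received chain back to the earliest hop, and reports when the host that first handed the mail over does not belong to the claimed domain. The hostnames and IP addresses in the sample are documentation placeholders, not real infrastructure; only the From and Subject values come from the post.

```python
import email
import email.utils
import re

# Constructed raw headers for illustration. 192.0.2.0/24 and 198.51.100.0/24
# are reserved documentation ranges; example.net/example.org are placeholders.
# Received headers are prepended as the mail travels, so the LAST one is the
# earliest hop (the first server that accepted the message).
SAMPLE_RAW = (
    b"Received: from mx.example.net ([192.0.2.10]) by mail.example.org "
    b"with ESMTP id abc123; Mon, 9 Mar 2015 08:14:02 +0000\r\n"
    b"Received: from [198.51.100.23] (unknown [198.51.100.23]) by mx.example.net "
    b"with SMTP; Mon, 9 Mar 2015 08:13:55 +0000\r\n"
    b"From: Clint Winstead <clint@servware.com>\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Emailing: Serv-Ware Credit Application.pdf.\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"(body omitted)\r\n"
)


def parse(raw):
    return email.message_from_bytes(raw)


def from_domain(msg):
    """Domain part of the From address, lower-cased ('' if unparseable)."""
    _name, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Each Received header reduced to the 'from' host token and the first
    bracketed IPv4 literal found in it. Order: newest hop first, as in the
    header block."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())  # unfold continuation lines
        host = re.search(r"\bfrom\s+(\S+)", value)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        hops.append({
            "host": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
            "raw": value,
        })
    return hops


def originating_hop(msg):
    """Earliest hop in the chain, i.e. the last Received header."""
    hops = received_hops(msg)
    return hops[-1] if hops else None


def host_in_domain(host, domain):
    if not host or not domain:
        return False
    host = host.lower().strip("[]")
    return host == domain or host.endswith("." + domain)


def spoof_indicators(raw):
    """Plain-language reasons to doubt the From header. Empty list means the
    headers alone raised nothing (which is NOT proof the mail is genuine)."""
    msg = parse(raw)
    domain = from_domain(msg)
    first = originating_hop(msg)
    reasons = []
    if first is None:
        reasons.append("no Received headers at all")
        return reasons
    if not host_in_domain(first["host"], domain):
        reasons.append(
            "From claims %s but earliest hop is %s (%s)"
            % (domain, first["host"], first["ip"])
        )
    if first["host"] and first["host"].startswith("["):
        reasons.append("earliest hop identified only by an IP literal (no reverse DNS)")
    return reasons


if __name__ == "__main__":
    for r in spoof_indicators(SAMPLE_RAW):
        print("indicator:", r)
```

Caveat: only the Received lines added by your own mail servers are trustworthy; everything below them was written by whoever sent the mail and can be forged just as easily as the From line. Treat this as a quick triage aid, and rely on the SPF/DKIM/DMARC results your own MTA records for the authoritative verdict.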

Message Header:

From: {clint@servware.com}
Subject: Emailing: Serv-Ware Credit Application.pdf.
Message Body:

--
Thanks,
Clint Winstead
Manager
Serv-Ware Products
clint@servware.com
phone: 800.768.5953
fax: 800.976.1299
www.servware.com

Attachment:
Serv-WareCreditApplication.zip

Inside the Zip is a Windows Executable:
Serv-WareCreditApplication.exe


SHA256 hash:
d48507819dd4a42b1f751cc0f60884513389f1be25b34f642e0276cdabbbece9 [1]
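A zip that claims to be a PDF but holds an .exe is the whole trick here, and it can be caught offline before anyone double-clicks. The following is an added example, not code from the original post: it lists every member of a zip without inflating anything oversized, flags executable extensions and double extensions such as "Application.pdf.exe", reads the first two bytes for the PE "MZ" magic, and compares each member's SHA256 against the hash published above. The sample zip it builds in memory contains only a stub that starts with "MZ", standing in for the real Serv-WareCreditApplication.exe; the extension list is mine, not from the post.

```python
import hashlib
import io
import os
import zipfile

# IOC from the post: SHA256 published for this sample.
KNOWN_BAD_SHA256 = {
    "d48507819dd4a42b1f751cc0f60884513389f1be25b34f642e0276cdabbbece9",
}

# Extensions Windows will run on double-click (my list, not from the post).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk"}

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate bigger members (zip-bomb guard)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def all_extensions(name):
    """Every suffix of the file name, so 'Application.pdf.exe' yields
    ['.pdf', '.exe'] and the double-extension trick stays visible."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]]


def triage_member(zf, info):
    exts = all_extensions(info.filename)
    record = {
        "name": info.filename,
        "size": info.file_size,
        "extensions": exts,
        "executable_extension": bool(exts) and exts[-1] in EXEC_EXTENSIONS,
        "double_extension": len(exts) > 1,
        "is_pe": False,
        "sha256": None,
        "known_bad": False,
        "skipped": False,
    }
    if info.file_size > MAX_MEMBER_BYTES:
        record["skipped"] = True  # too big to inspect safely; still suspicious
        return record
    data = zf.read(info)
    record["is_pe"] = data[:2] == b"MZ"  # DOS/PE header magic
    record["sha256"] = sha256_hex(data)
    record["known_bad"] = record["sha256"] in KNOWN_BAD_SHA256
    return record


def triage_zip(zip_bytes):
    """Inspect every file member of an in-memory zip; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [triage_member(zf, i) for i in zf.infolist() if not i.is_dir()]


def verdict(records):
    if any(r["known_bad"] for r in records):
        return "malicious"
    if any(r["is_pe"] or r["executable_extension"] or r["skipped"] for r in records):
        return "suspicious"
    return "no executable content"


# Constructed stand-in for Serv-WareCreditApplication.zip: a stub that merely
# starts with the PE 'MZ' magic, NOT the real payload, plus a harmless PDF.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n$"


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Serv-WareCreditApplication.exe", FAKE_PE)
        zf.writestr("Serv-Ware Credit Application.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    recs = triage_zip(build_sample_zip())
    for r in recs:
        print(r)
    print("verdict:", verdict(recs))
```

Hash matching only catches this exact build; the same campaign typically re-packs the executable every few hours, so the "MZ" magic and extension checks are what actually earn their keep. Checking the magic bytes also defeats a member renamed to .pdf that is still a PE.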

Malware analysis information:
VirusTotal report [1] (detected by 8 of 57 scanners)

Summary:

Modifies/creates these files locally:

C:\DOCUME~1\~1\LOCALS~1\Temp\utilview.exe (successful)
c:\autoexec.bat (successful)
viagra.pdf (successful)


Malwr Report [1]

Summary:
  • File has been identified by at least one AntiVirus on VirusTotal as malicious
  • Performs some HTTP requests
  • Looks up the external IP address
  • Steals private information from local Internet browsers
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup

Hybrid Analysis Report [1] [Detailed Report]
Cheers,
Steve
