Tuesday, 9 February 2016

Kyra Haley Dictum Corp.: invoice

Description:


Kyra Haley Dictum Corp.: invoice malware.

Headers:

From: "Kyra Haley" <press@sanzpont.com>
Subject: Dictum Corp.: invoice

Message Body:

Please find attached the invoice

Thanks
Dictum Corp.
Kyra Haley

Attachment filename(s):


1W14I9390Y9.doc

Sha256 Hashes:


17fe083def58b7a99a223db58cc9f4ce3509af6ab16afa511877e09eef4e9876 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Doc.shellv3
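As an added triage example (not part of the original post), the Python script below pulls the attachments out of a raw message, hashes each one, compares the digest with the SHA-256 published above, and flags legacy OLE-format Office files, the container in which a Word macro would live. The sample message and its attachment bytes are constructed stand-ins, not the real document.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SHA-256 published in the post for the attached document.
KNOWN_BAD = {
    "17fe083def58b7a99a223db58cc9f4ce3509af6ab16afa511877e09eef4e9876",
}

# OLE2 compound-file magic: legacy .doc/.xls files start with it, and a
# VBA macro project is stored inside this container format.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CAPABLE_EXT = (".doc", ".xls", ".docm", ".xlsm")

# Constructed stand-in for the attachment: OLE header plus zero padding.
SAMPLE_ATTACHMENT = OLE_MAGIC + b"\x00" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_message(attachment: bytes, filename: str,
                         maintype: str = "application",
                         subtype: str = "msword") -> bytes:
    """Constructed .eml mirroring the headers quoted in the post."""
    msg = EmailMessage()
    msg["From"] = '"Kyra Haley" <press@sanzpont.com>'
    msg["Subject"] = "Dictum Corp.: invoice"
    msg.set_content("Please find attached the invoice\n\nThanks\n")
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def scan_message(raw: bytes, known_bad=KNOWN_BAD):
    """One finding per attachment: name, hash, OLE flag, blocklist hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        digest = sha256_hex(data)
        is_ole = data.startswith(OLE_MAGIC)
        findings.append({
            "filename": name,
            "sha256": digest,
            "is_ole": is_ole,
            # Legacy Office container that may carry a VBA macro project.
            "macro_capable": is_ole and name.lower().endswith(MACRO_CAPABLE_EXT),
            "known_bad": digest in known_bad,
        })
    return findings
```

A gateway would quarantine on `known_bad` and, for `macro_capable` hits, either strip the attachment or hand it to a macro scanner such as the Sanesecurity signature above.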

Important notes:


Am I Safe?

The current round of Word/Excel/XML/Docm attachments are targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe. LibreOffice and OpenOffice users should also be safe but do not enable macros if asked to by the attached file.

If you have Macros disabled in Microsoft Word or Microsoft Excel, you should be safe but again, do not enable macros if asked to by the attached file.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information regarding your bank accounts either by key logging, taking screen shots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These bot-net emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve
