Monday, 8 February 2016

Scanned file from Optivet Referrals .tiff.js javascript malware

Description:


Scanned file from Optivet Referrals .tiff.js javascript malware.

Headers:

From: Optivet Referrals
Subject: Scanned file from Optivet Referrals

Message Body:

Dear Sir/Madam

Please find attached a document from Optivet Referrals.

Yours faithfully

The Reception Team at Optivet.


Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system

Attachment filename(s):


596968702143.tiff.js
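As an added example, not part of the original post: a small Python check that parses a constructed copy of this email and flags attachments whose script extension is hidden behind a document or image extension, as in the reported `596968702143.tiff.js`. The extension sets are assumptions about commonly abused names, not something the post lists.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run via the script host or shell (assumed set;
# the page's sample ends in ".js").
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr"}
# Decoy extensions that make the name look like a scan, image or document.
DECOY_EXTENSIONS = {"tiff", "tif", "pdf", "doc", "docx", "jpg", "png", "xls"}


def attachment_names(raw_message: bytes) -> list:
    """Return the declared filenames of all attachments in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def is_disguised_script(filename: str) -> bool:
    """True when a script/executable extension sits behind a document-like one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in SCRIPT_EXTENSIONS and parts[-2] in DECOY_EXTENSIONS


def flag_message(raw_message: bytes) -> list:
    """Filenames in the message that look like disguised scripts."""
    return [n for n in attachment_names(raw_message) if is_disguised_script(n)]


def build_sample() -> bytes:
    # Constructed message mimicking the reported lure; the attachment body is a
    # harmless placeholder, not the actual malware.
    msg = EmailMessage()
    msg["From"] = "Optivet Referrals <reception@example.invalid>"
    msg["Subject"] = "Scanned file from Optivet Referrals"
    msg.set_content("Dear Sir/Madam\n\nPlease find attached a document from Optivet Referrals.\n")
    msg.add_attachment(b"// placeholder, not real content\n",
                       maintype="application", subtype="octet-stream",
                       filename="596968702143.tiff.js")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_message(build_sample()))  # ['596968702143.tiff.js']
```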

Sha256 Hashes:



Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25968.JsHeur

Important notes:


Am I Safe?

The current round of Word/Excel/XML/Docm attachments are targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe. LibreOffice and OpenOffice users should also be safe, but do not enable macros if asked to by the attached file.

If you have macros disabled in Microsoft Word or Microsoft Excel, you should be safe but again,
do not enable macros if asked to by the attached file.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by
key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve
