Thursday, 5 November 2015

Document from AL-KO Document from AL-KO.doc


Document from AL-KO Document from AL-KO.doc macro malware.


Subject: Document from AL-KO
From: {}

Message Body:

This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)

Attachment filename(s):

Document from AL-KO.doc

Sha256 Hashes:

134f4cd2f17b312083bee6fb6d502dd0dd3b70f5716b8d17aae8acdcbad0e610 [1]
3d397e7ee0ba4da8d8a2fef6082db65544179374f11c0fbba70dc4637071cbbb [2]
a86c72fe62a0af737cfc89a99173c67aff2610d6c7216c05108b52071c9e297b [3]
c0909b2997428daab890ba4927fa22f69dd6c1071d5f28281f2332048e1b0da4 [4]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 0/55)
VirusTotal Report: [2] (detection 0/55)
VirusTotal Report: [3] (detection 0/55)
VirusTotal Report: [4] (detection 0/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj

Important notes:

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe

The auto-downloaded/payloadis normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information regarding your bank accounts either by key logging, taking screen shots or copying information directly from your clipboard (copy/paste)

It's also worth remembering that the company itself  may not have any knowledge of this email and any link(s) or attachment in the email. normally won't have come from their servers or IT systems but from an external bot net.

These bot-net emails normally have faked email headers/addresses. It's not advised to ring the the company themselves, as there won't really be anything they can do to help you.



Anonymous said...

Thanks Steve, a nice summary.
I received this e-mail today and didn't open it.
Now I have read your report I will delete it and block the address. TJ.

Col said...

I got this email today but did not open the attachment. Now deleted it.

Anonymous said...

I received the mail and stupidly I opened it
It looked like a mail I could expect from a same company name
I did open the word file
what do I have to do
I am running Malware bytes and F secure scanner

Captain M.K.Boersma said...

I did open it and now running malware bytes and F secure from tele2

What do I have to do more?>

Anonymous said...

from :
subject : STL Invoice.
body : See attachment
attachment : STL Invoice. M-747196.DOC

Anonymous said...

Same Email, thanks for the info