Failed Fax Transmission to 01616133969@fax.tc

More junk sent to one of my customers today, similar to the previous junk.

SHA256: 2d3de68d213a53c74e1f3180fd74bdc495c28d77924066aee27f26808ab10f66

This time they have got wise and have password-protected the macro, so I can’t tell the exact URL it downloads from. Luckily the payload download site is broken. The macro document does seem to change the Word settings so that further loads of the document don’t require you to click “Enable macros”.
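As an added example (not from the original post), a PowerShell audit of the per-user Word macro setting that a macro can flip to suppress the “Enable macros” prompt, plus any trusted locations that would bypass it; it assumes the standard HKCU Word Security key for Office 14.0, 15.0 and 16.0.

```powershell
# Added example, not part of the original post: audit the per-user Word macro
# security setting (and any trusted locations) that a malicious macro may alter
# so that later opens of the document no longer show the "Enable macros" prompt.
# Assumption: Word 2010/2013/2016 store this under
# HKCU:\Software\Microsoft\Office\<ver>\Word\Security as the VBAWarnings DWORD.
$meaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

foreach ($ver in '14.0', '15.0', '16.0') {
    $key = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
    if (-not (Test-Path $key)) { continue }

    $warn = (Get-ItemProperty -Path $key).VBAWarnings
    $desc = if ($null -eq $warn) { 'not set (Word default: notify)' } else { $meaning[[int]$warn] }
    Write-Output ("Word {0}: VBAWarnings={1} -> {2}" -f $ver, $warn, $desc)

    if ($warn -eq 1) {
        Write-Warning "Word $ver runs all macros without prompting; restoring 'Disable with notification'."
        # Remediation: put the setting back to the default prompt-before-run value.
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 2 -Type DWord
    }

    # Documents in trusted locations are exempt from the macro prompt, so list any present.
    $tlKey = Join-Path $key 'Trusted Locations'
    if (Test-Path $tlKey) {
        Get-ChildItem -Path $tlKey | ForEach-Object {
            $path = (Get-ItemProperty -Path $_.PSPath).Path
            if ($path) { Write-Output ("  trusted location {0}: {1}" -f $_.PSChildName, $path) }
        }
    }
}
```

Run it in the affected user's context after opening the document in a sandbox; a VBAWarnings value of 1 or an unexpected trusted location is the change the paragraph above describes.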

It tries to resolve www.przychodnialekarska.cba.pl and fails.

If the lookup had succeeded it would then have tried to download:
http://www.przychodnialekarska.cba.pl/js/bin.exe
A URLQuery report from when the site was still working leads on to the VirusTotal report for the downloaded file.

Looking at the macro file in a hex editor shows that they have used exactly the same code obfuscation as in the previous macro malware runs.

The malware was e-mailed from:
42.116.192.188 (No reverse dns)

inetnum: 42.116.192.0 - 42.116.207.255
netname: FPT-STATICIP-NET
country: vn
descr: FPT Telecom Company
descr: 2nd floor FPT Building, Pham Hung Road, Cau Giay District, Hanoi
admin-c: TTH19-AP
tech-c: NOC21-AP
status: ALLOCATED NON-PORTABLE
remarks: For spamming matters, mail to abuse@fpt.vn
changed: hm-changed@vnnic.net.vn 20120809
mnt-by: MAINT-VN-FPT
mnt-irt: IRT-VNNIC-AP
source: APNIC

222.64.113.217 (217.113.64.222.broad.xw.sh.dynamic.163data.com.cn)

inetnum: 222.64.112.0 - 222.64.115.255
netname: CHINANET-SH-BBAD-038
descr: Chinanet shanghai boardband adsl 038
country: CN
admin-c: WWQ4-AP
tech-c: WWQ4-AP
mnt-by: MAINT-CHINANET-SH
changed: ip-admin@mail.online.sh.cn 20050525
status: ASSIGNED NON-PORTABLE
source: APNIC

1.54.229.126 (No reverse dns)

inetnum: 1.54.224.0 - 1.54.239.255
netname: FPTDYNAMICIP-NET
country: vn
descr: FPT Telecom Company
descr: 2nd floor FPT Building, Pham Hung Road, Cau Giay District, Hanoi
admin-c: TTH19-AP
tech-c: NOC21-AP
status: ALLOCATED NON-PORTABLE
remarks: For spamming matters, mail to abuse@fpt.vn
changed: hm-changed@vnnic.net.vn 20120809
mnt-by: MAINT-VN-FPT
mnt-irt: IRT-VNNIC-AP
source: APNIC

Another blog suggests that the following URL is also involved, which currently also fails to resolve.

http://agro2000.cba.pl/js/bin.exe
