E-mail with attachment “BAC_641952Z.xls” – VirusTotal Report
SHA256: 66ed083beb750b7c2d65210607f52ff2136dbdb9b9b89dfe88fdbef3c9cf826e
Gwen Henson <Israel.ef@de.colt.net>
Fri 05/12/2014 07:32
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Gwen Henson
Senior Accounts Payable Specialist
K J Watking & Co
The macro is password-protected, but when run it contacts:
http://193.136.19.160:8080/stat/lld.php
inetnum: 193.136.16.0 – 193.136.19.255
netname: PTUMGUA-1
descr: Universidade do Minho
descr: Centro de Informatica
descr: Campus de Gualtar
descr: Braga
country: PT
It downloads a file which, in my case, was dropped to and run from “C:\Users\<username>\AppData\Local\Temp\EWSUVRXTBUU.exe” – VirusTotal Report / Malwr Report
SHA256 a4583318c3328204f56810ca3b22f5e4c0a74b173b1a12c5f9e35c70982a1138
This ran silently for about a minute and then contacted:
http://194.146.136.1/ with some POST data, downloaded 474 KB of data and quit; the requests then continued from explorer.exe instead.
Requests captured (one per line: request number, two flag columns as captured, start offset in seconds, duration, method, HTTP status, response size, content type, URL):

2 False + 0.000 True 0.094 s GET 403 2.29 K text/html http://5.135.28.112/2GsF%20r/ZM2~%243u%3D%26/2%3FvgvPSym%20/%3F
3 False + 0.093 True 0.548 s POST 200 4.45 K text/html http://5.135.28.112/fpjjisyo0vhc%3Fu/bqtc+sjv%2Bisc%2C_/in%26c%3Fmsg&k+%24g0%3Fsh/%2Bcmub0vouhugim
4 False + 0.640 True 0.626 s POST 200 37.51 K text/html http://5.135.28.112/ml9SyGFY7qH6_WGo/26cQn53O%3DK27P%3Fb4%260@7/G9tX9O/yVZjPK8f_
5 False + 1.281 True 0.313 s POST 200 3.99 K text/html http://5.135.28.112/3XTWs%2BS%3F@Jo_47/Jpf3T%7EiSHznExLB=tx%3FQLA0qc/9lQEm%3F
6 False + 3.796 True 0.564 s POST 200 2.75 K text/html http://5.135.28.112/HNttIS2iQ%3DHUPQ/jMHJL3hLhf~0%3DmJWW5swSv6r%3Fw/W0ksOj5kAowO%2CfSshm@4%3D2s2~%7E
7 False + 4.359 True 0.626 s POST 200 140.72 K text/html http://5.135.28.112/pw%26qGc%7ESl@J/ji+kJs/irw%2BenFr%7EwFO%20X%3F/F
8 False + 5.000 True 0.547 s POST 200 2.75 K text/html http://5.135.28.112/kyyqk5ry9g@bc5hm&2jfa/v6sj0bx&xl%20%2623y%205%2Cr==70.7/g44@h%24+8s3%3F%7E@z5%2B
9 False + 5.546 True 0.455 s POST 200 46.80 K text/html http://5.135.28.112/lTG5Op8%2CgX5WJnZ/ZwocrBR38u/%20~Wr4S=+
10 False + 6.000 True 0.547 s POST 200 2.75 K text/html http://5.135.28.112/XzZLrn9E/3nzff7nMtWYU/Xevl%7E0%26EjM%2DVxzs$j/52sLS5c~uAGM3koOsw
11 False + 6.546 True 0.345 s POST 200 3.99 K text/html http://5.135.28.112/p=k.lNm/qWy7h/E%7Es&EmWtSq4CokKa
inetnum: 5.135.28.112 – 5.135.28.119
netname: SIMPACE_CZ_01
country: CZ
descr: SIMPACE_CZ
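The request list above is a good specimen of beacon-style traffic: a burst of POSTs to one bare IP, every path a one-off string of random-looking characters, and response sizes that repeat exactly (the three 2.75 K replies). The script below is an added example, not code from the original post: it re-enters those ten lines as constructed sample input, parses them with the column layout I read off the capture, and scores each destination host on POST count, path entropy and path uniqueness. The thresholds and the heuristics themselves are my own assumptions about what separates this traffic from normal browsing, not something the post claims.

```python
"""Beacon-style C2 traffic detector run over a proxy request log.

Added example, not code from the original post. LOG holds the ten request
lines from the post as constructed sample input; the column layout
(number, two flag columns, start offset, duration, method, status, size,
type, URL) is my reading of the capture. All thresholds are assumptions.
"""
import math
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

LOG = """\
2 False + 0.000 True 0.094 s GET 403 2.29 K text/html http://5.135.28.112/2GsF%20r/ZM2~%243u%3D%26/2%3FvgvPSym%20/%3F
3 False + 0.093 True 0.548 s POST 200 4.45 K text/html http://5.135.28.112/fpjjisyo0vhc%3Fu/bqtc+sjv%2Bisc%2C_/in%26c%3Fmsg&k+%24g0%3Fsh/%2Bcmub0vouhugim
4 False + 0.640 True 0.626 s POST 200 37.51 K text/html http://5.135.28.112/ml9SyGFY7qH6_WGo/26cQn53O%3DK27P%3Fb4%260@7/G9tX9O/yVZjPK8f_
5 False + 1.281 True 0.313 s POST 200 3.99 K text/html http://5.135.28.112/3XTWs%2BS%3F@Jo_47/Jpf3T%7EiSHznExLB=tx%3FQLA0qc/9lQEm%3F
6 False + 3.796 True 0.564 s POST 200 2.75 K text/html http://5.135.28.112/HNttIS2iQ%3DHUPQ/jMHJL3hLhf~0%3DmJWW5swSv6r%3Fw/W0ksOj5kAowO%2CfSshm@4%3D2s2~%7E
7 False + 4.359 True 0.626 s POST 200 140.72 K text/html http://5.135.28.112/pw%26qGc%7ESl@J/ji+kJs/irw%2BenFr%7EwFO%20X%3F/F
8 False + 5.000 True 0.547 s POST 200 2.75 K text/html http://5.135.28.112/kyyqk5ry9g@bc5hm&2jfa/v6sj0bx&xl%20%2623y%205%2Cr==70.7/g44@h%24+8s3%3F%7E@z5%2B
9 False + 5.546 True 0.455 s POST 200 46.80 K text/html http://5.135.28.112/lTG5Op8%2CgX5WJnZ/ZwocrBR38u/%20~Wr4S=+
10 False + 6.000 True 0.547 s POST 200 2.75 K text/html http://5.135.28.112/XzZLrn9E/3nzff7nMtWYU/Xevl%7E0%26EjM%2DVxzs$j/52sLS5c~uAGM3koOsw
11 False + 6.546 True 0.345 s POST 200 3.99 K text/html http://5.135.28.112/p=k.lNm/qWy7h/E%7Es&EmWtSq4CokKa
"""

# One capture line: "<num> <flag> + <start> <flag> <dur> s <METHOD> <status> <size> <K|M> <type> <url>"
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+\S+\s+\+\s*(?P<start>[\d.]+)\s+\S+\s+(?P<dur>[\d.]+)\s*s\s+"
    r"(?P<method>[A-Z]+)\s+(?P<status>\d{3})\s+(?P<size>[\d.]+)\s*(?P<unit>[KM]?)\s+"
    r"(?P<ctype>\S+)\s+(?P<url>\S+)$"
)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking paths score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    """Turn capture lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        path = parts.path + ("?" + parts.query if parts.query else "")
        records.append({
            "num": int(m["num"]),
            "start": float(m["start"]),
            "method": m["method"],
            "status": int(m["status"]),
            "size_kb": float(m["size"]) * (1024 if m["unit"] == "M" else 1),
            "host": parts.hostname,
            "path": unquote(path),  # decode %XX so entropy is measured on the real string
        })
    return records


def analyse(records, min_posts=5, min_entropy=3.5):
    """Score each host; flag those that look like a C2 check-in loop (assumed thresholds)."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    findings = {}
    for host, recs in by_host.items():
        posts = [r for r in recs if r["method"] == "POST"]
        paths = [r["path"] for r in recs]
        starts = sorted(r["start"] for r in posts)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        size_counts = Counter(r["size_kb"] for r in posts)
        f = {
            "requests": len(recs),
            "post_count": len(posts),
            "distinct_paths": len(set(paths)),
            "mean_path_entropy": statistics.mean(shannon_entropy(p) for p in paths),
            "median_post_gap_s": statistics.median(gaps) if gaps else None,
            # identical response sizes across different paths: likely fixed "ack" replies
            "repeated_sizes_kb": {s: c for s, c in size_counts.items() if c > 1},
        }
        f["flagged"] = (
            f["post_count"] >= min_posts
            and f["mean_path_entropy"] >= min_entropy
            and f["distinct_paths"] == f["requests"]  # no path ever reused
        )
        findings[host] = f
    return findings


def run(text=LOG):
    return analyse(parse_log(text))


if __name__ == "__main__":
    for host, f in run().items():
        print(host, "FLAGGED" if f["flagged"] else "ok", f)
```

Run as-is it scores 5.135.28.112 with 9 POSTs across 10 unique paths, a mean path entropy well above 4 bits per character, a median gap of roughly half a second between POSTs, and the 2.75 K size seen three times, so the host is flagged. The same parser can be pointed at a longer proxy export; the point of keying on path entropy and uniqueness rather than on the IP is that the next campaign will use a different host but the same style of URL generation.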