Email today sent to one of my spam trap addresses from “Jayne <Jayne@route2fitness.co.uk>”
With Word attachment “CHRISTMAS OFFERS.doc” containing a macro downloader.
SHA256 211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c
When the Word document is opened and macros are enabled it downloads:
http://jasoncurtis.co.uk/js/bin.exe – VirusTotal Report / Malwr Report not yet processed.
SHA256 de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773
The site seems to be a hacked site running from Heart Internet hosting.
The downloaded file (1V2MUY2XWYSFXQ.exe) then downloads something from
http://74.208.11.204/ (rdns of “u15862612.onlinehome-server.com”)
Net Range 74.208.0.0 – 74.208.255.255
CIDR 74.208.0.0/16
Name 1AN1-NETWORK
It then injects its process into explorer.exe and connects to:
http://23.95.52.11/SH%2D/WyxpFK%2BE/nBa%24z%24& (rdns of “mail.expertmail106.co.uk”)
Organization
Name Cheap Windows VPS
and
http://78.140.164.160/Bn0jE5u&mFym/UemMvx=vls8t%26P%24FOZ/xeG+
inetnum: 78.140.164.0 – 78.140.164.255
netname: FOZZY
descr: Fozzy Inc.
among other URLs.
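As an added example (not part of the original post), the indicators listed above matched against a constructed sample proxy log; the log format, the client addresses and the example.com line are made up for the demonstration, and netblock hits are reported separately because the two ranges are whole hosting allocations and will flag unrelated traffic.

```python
# Added example: match the write-up's indicators against constructed log data.
import hashlib
import ipaddress
from urllib.parse import urlsplit, unquote

# Indicators taken from the write-up above.
IOC_SHA256 = {
    "211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c",  # CHRISTMAS OFFERS.doc
    "de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773",  # bin.exe
}
IOC_HOSTS = {"jasoncurtis.co.uk", "74.208.11.204", "23.95.52.11", "78.140.164.160"}
# Whole hosting allocations from the whois excerpts: lower confidence than exact hosts.
IOC_NETS = [ipaddress.ip_network("74.208.0.0/16"), ipaddress.ip_network("78.140.164.0/24")]

# Constructed sample proxy log, one "<client> <method> <url>" record per line.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://jasoncurtis.co.uk/js/bin.exe
10.0.0.5 GET http://74.208.11.204/
10.0.0.7 GET http://example.com/index.html
10.0.0.5 POST http://23.95.52.11/SH%2D/WyxpFK%2BE/nBa%24z%24&
10.0.0.9 GET http://74.208.99.1/update
"""

def host_is_suspicious(host):
    """Return 'listed-host', 'listed-netblock', or None for a URL host."""
    if host in IOC_HOSTS:
        return "listed-host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname that is not on the list
    return "listed-netblock" if any(addr in net for net in IOC_NETS) else None

def scan_proxy_log(text):
    """Return (client, decoded_url, reason) for every record hitting an indicator."""
    hits = []
    for line in text.splitlines():
        client, _method, url = line.split(" ", 2)
        reason = host_is_suspicious(urlsplit(url).hostname or "")
        if reason:
            hits.append((client, unquote(url), reason))  # decode %2D, %24 ... for the analyst
    return hits

def file_matches_ioc(data):
    """True if the SHA256 of the given bytes is one of the listed sample hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url} [{reason}]")
```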