“CHRISTMAS OFFERS.docx” virus e-mail

An e-mail arrived today at one of my spam trap addresses from “Jayne <Jayne@route2fitness.co.uk>”.

It carried a Word attachment, “CHRISTMAS OFFERS.doc”, containing a macro downloader.

VirusTotal Report

SHA256 211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c

When the Word document is opened and macros are enabled, it downloads:

http://jasoncurtis.co.uk/js/bin.exe – VirusTotal Report / Malwr Report (not yet processed).
SHA256 de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773
The site appears to be a compromised site hosted at Heart Internet.

The downloaded file (1V2MUY2XWYSFXQ.exe) then downloads something from
http://74.208.11.204/ (rDNS “u15862612.onlinehome-server.com”)

Net Range 74.208.0.0 – 74.208.255.255
CIDR 74.208.0.0/16
Name 1AN1-NETWORK

It then injects itself into the explorer.exe process and connects to:

http://23.95.52.11/SH%2D/WyxpFK%2BE/nBa%24z%24& (rDNS “mail.expertmail106.co.uk”)

Organization
Name Cheap Windows VPS

and
http://78.140.164.160/Bn0jE5u&mFym/UemMvx=vls8t%26P%24FOZ/xeG+

inetnum: 78.140.164.0 – 78.140.164.255
netname: FOZZY
descr: Fozzy Inc.

among other URLs.
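A mail-gateway triage check built around the indicators in this post, as an added example and not the post author's code: it hashes each attachment, matches against the two SHA256 values above, flags Word attachments that can carry VBA, and for OOXML attachments looks for the word/vbaProject.bin member that stores the macro project. The sample message is constructed and harmless; only the sender address and the two hashes come from the post, the rest is assumed.

```python
import email, email.policy, hashlib, io, zipfile
from email.message import EmailMessage

# SHA256 indicators from the post: the maldoc and the downloaded bin.exe.
KNOWN_BAD_SHA256 = {
    "211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c",
    "de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773",
}
# Office formats that can carry VBA; .doc is the legacy OLE2 container used here.
MACRO_CAPABLE_EXT = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def ooxml_has_vba(data: bytes) -> bool:
    """OOXML (.docm etc.) is a zip; the VBA project is stored as word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip (legacy .doc is OLE2), so not OOXML

def triage_eml(raw: bytes, known_bad=KNOWN_BAD_SHA256) -> list:
    """One finding per attachment: filename, sha256 and the reasons it was flagged."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        digest = sha256_hex(data)
        reasons = []
        if digest in known_bad:
            reasons.append("known-bad sha256")
        if name.lower().endswith(MACRO_CAPABLE_EXT):
            reasons.append("macro-capable Office attachment")
        if ooxml_has_vba(data):
            reasons.append("embedded VBA project")
        findings.append({"name": name, "sha256": digest, "reasons": reasons})
    return findings

def build_sample_eml() -> bytes:
    # Constructed, harmless sample: a .docm-style zip holding a dummy vbaProject.bin.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"placeholder, not a real macro")
    msg = EmailMessage()
    msg["From"] = "Jayne <Jayne@route2fitness.co.uk>"  # sender seen in the post
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="CHRISTMAS OFFERS.docm")
    return msg.as_bytes()
```

Feed `known_bad` from your own indicator store; the constructed sample matches on the macro checks only, since its hash is not one of the post's two values.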
