“CHRISTMAS OFFERS.docx” virus e-mail

Email today sent to one of my spam trap addresses from “Jayne <Jayne@route2fitness.co.uk>”

With Word attachment “CHRISTMAS OFFERS.doc” containing a macro downloader.

VirusTotal Report

SHA256 211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c

When the Word document is opened and macros are enabled, it downloads:

http://jasoncurtis.co.uk/js/bin.exe – VirusTotal Report / Malwr Report not yet processed.
SHA256 de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773
The site appears to be a hacked site hosted at Heart Internet.

The downloaded file (1V2MUY2XWYSFXQ.exe) then downloads something from
http://74.208.11.204/ (rdns of “u15862612.onlinehome-server.com”)

Net Range 74.208.0.0 – 74.208.255.255
CIDR 74.208.0.0/16
Name 1AN1-NETWORK

It then injects itself into explorer.exe and connects to:

http://23.95.52.11/SH%2D/WyxpFK%2BE/nBa%24z%24& (rdns of “mail.expertmail106.co.uk”)

Organization
Name Cheap Windows VPS

and
http://78.140.164.160/Bn0jE5u&mFym/UemMvx=vls8t%26P%24FOZ/xeG+

inetnum: 78.140.164.0 – 78.140.164.255
netname: FOZZY
descr: Fozzy Inc.

among other URLs.
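The hashes, hosts and IPs above are the usable indicators from this sample. The following is an added example (not part of the original post) showing how a defender would sweep a web-proxy log for them: it matches on the destination host rather than the full URL, because the C2 paths look randomised and are percent-encoded, and it decodes the path only for the alert text. The log layout and the log lines themselves are constructed for the example; the indicator values are copied from the post.

```python
"""Sweep proxy-log lines for the indicators listed in the post above."""
import re
from urllib.parse import unquote, urlsplit

# Indicators copied from the post (SHA256 values and contacted hosts).
IOC_HASHES = {
    "211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c":
        "CHRISTMAS OFFERS.doc (macro downloader)",
    "de25222783cdcbe20ca8d8d9a531f150387260e5297f672474141227eeff7773":
        "bin.exe / 1V2MUY2XWYSFXQ.exe",
}
IOC_HOSTS = {
    "jasoncurtis.co.uk": "hacked site hosting bin.exe",
    "74.208.11.204": "second-stage download host",
    "23.95.52.11": "C2 contacted after explorer.exe injection",
    "78.140.164.160": "C2 contacted after explorer.exe injection",
}

# Constructed sample log in a simple "timestamp client method url" layout
# (assumption: your proxy may use a different format; adjust LOG_RE).
SAMPLE_LOG = """\
1418812800.101 10.0.0.5 GET http://jasoncurtis.co.uk/js/bin.exe
1418812805.332 10.0.0.5 GET http://74.208.11.204/
1418812810.017 10.0.0.5 POST http://23.95.52.11/SH%2D/WyxpFK%2BE/nBa%24z%24&
1418812811.500 10.0.0.7 GET http://www.example.com/index.html
1418812812.020 10.0.0.5 POST http://78.140.164.160/Bn0jE5u&mFym/UemMvx=vls8t%26P%24FOZ/xeG+
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def parse_log_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_hash(sha256):
    """Look up a SHA256 (any case) against the known sample hashes."""
    return IOC_HASHES.get(sha256.strip().lower())


def match_url(url):
    """Return a hit record if the URL's host is a known indicator.

    Matching is done on the host only: the C2 paths in the post look
    randomised, so a full-URL match would miss the next beacon. The path
    is percent-decoded purely so the alert is readable.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    note = IOC_HOSTS.get(host)
    if note is None:
        return None
    return {"host": host, "note": note, "decoded_path": unquote(parts.path)}


def scan_log(text):
    """Scan every parseable line and collect alerts for indicator hits."""
    alerts = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        hit = match_url(rec["url"])
        if hit:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "method": rec["method"], **hit})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} -> {a['host']} ({a['note']}) "
              f"path={a['decoded_path']}")
```

Running it against the sample log flags the four requests from 10.0.0.5 and leaves the ordinary www.example.com request alone; the same client appearing on the download host and then on the C2 hosts within seconds is the sequence the post describes, which is a stronger signal than any single hit. The whole 74.208.0.0/16 and 78.140.164.0/24 ranges from the post are shared hosting space, so they are deliberately not used as match keys here.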
