*.docm Spam run “copy” “As requested”

Today a customer asked me about a suspicious e-mail…

There is not much to identify this one by, as the e-mail is short and looks very genuine.

It looked very much like this:

From: belinda.taylor@bssgroup.com
Sent: Monday, July 27, 2015 9:32 AM
To: REDACTED.REDACTED@REDACTED.com
Subject: copy
Attachment: 13409079779.docm

As requested

There isn’t much to give away that this is potentially wrong. The slight giveaway is a .docm format rather than a .docx format (a macro-enabled document rather than a normal document). However, people make mistakes and the sender may have accidentally saved the file in the wrong format.

The attachment was:
SHA256 fdf8b9d41404ba4121abf1fab7793cce1edf85f35abc4fa787040f87ccebfdc2
VirusTotal Report

When run, the macro fetches

http://terrasses-de-santeny.com/yffd/yfj.exe
SHA256 4780f07a4646c83fb376864898194887930c48b2328ce73e5b3a133ecd7bd1e0
VirusTotal Report / Malwr Report

The executable then sends data to and requests data from

https://93.171.132.5:743/
This links the file to the other spam run today:
https://thecomputerperson.wordpress.com/2015/07/27/tp-e-billing-for-jul-15-seq-no-0006-0866aer147-region-033-docm-spam-run/

A couple of interesting things come out of the above https communication. Firstly, the certificate for the https connection was generated on the 8th July, so the C2C server has been set up for “quite some time” in the scheme of these kinds of spams.
Also, the attributes in the certificate may help track down similar C2C servers:

CN = coreryfacorm.gg
OU = gay team
O = protectthegays
L = Quebeck
S = Monreal
C = CA

Searching on these attributes does indeed reveal other IPs that have used similar certificates:
91.121.91.221 on port 1443
151.248.123.100 on port 743 (now showing a different certificate, see [1] below)
46.19.136.211 on port 443
87.236.215.151 on port 80
69.164.213.85 on port 1443 (now showing a different certificate, see [2] below)

The dead giveaway from a sysadmin point of view was that the originating server wasn’t legitimate and the sender address had delivered messages to multiple destination addresses at the domain!

[1] This IP is now showing a different certificate:

CN = thecupomoban.ee
OU = bushes
O = clan
L = Springfield
S = TX
C = US

[2] This IP is now showing a different certificate:

CN = laliveeralior.ch
OU = Widgits pty
O = Microsoft
L = Blackfield
S = MN
C = US

Thankfully, as a lower-level spam run using .docm attachments had occurred the other day, the attachment was already blocked across all the mail servers I manage.
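The block described above (rejecting .docm attachments at the mail server) can be checked on the message itself. As an added example that is not part of the original post, this Python filter flags macro-enabled attachments both by extension and by looking inside the OOXML zip for a vbaProject.bin stream, so a .docm renamed to .docx is caught as well. The sample message and the stand-in document are constructed here; they are not the real attachment.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Macro-enabled Office extensions (.docm, as in this spam run, among them).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML zip carrying a VBA macro stream (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all, so not an OOXML document

def macro_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment a mail filter should block."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if os.path.splitext(name)[1].lower() in MACRO_EXTENSIONS:
            hits.append((name, "macro-enabled extension"))
        elif has_vba_project(payload):
            hits.append((name, "vbaProject.bin inside a renamed OOXML file"))
    return hits

def build_fake_docm() -> bytes:
    """Constructed stand-in (not the real 13409079779.docm): minimal OOXML zip plus VBA stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def build_sample_mail() -> bytes:
    """Constructed message mirroring the lure's headers, with the stand-in attached as .docm and as a renamed .docx."""
    msg = EmailMessage()
    msg["From"] = "belinda.taylor@bssgroup.com"
    msg["To"] = "REDACTED.REDACTED@REDACTED.com"
    msg["Subject"] = "copy"
    msg.set_content("As requested")
    doc = build_fake_docm()
    msg.add_attachment(doc, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="13409079779.docm")
    msg.add_attachment(doc, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document", filename="report.docx")
    return msg.as_bytes()
```

Calling `macro_attachments(build_sample_mail())` returns both attachments with their reasons, the second one only because of the zip inspection.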

2 Responses to *.docm Spam run “copy” “As requested”

  1. Pingback: “TP E-Billing for Jul 15 Seq No 0006 (0866AER147) Region 033″ docm Spam run | thecomputerperson

  2. Pingback: Convincing virus e-mail “Your latest Chess Bill Is Ready” | thecomputerperson
