“Booking Confirmation – Accumentia (16/9/15)” .doc macro attachment virus

Yet more of these today. This one:

From: David Nyaruwa <david.nyaruwa@soci.org>
Subject: Booking Confirmation – Accumentia (16/9/15)
Attachment: Accumentia Booking (16-9-15).doc

Please find attached a proforma invoice for Accumentia’s booking of the council room on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance due by the date of the meeting.

Regards,

David Nyaruwa
Project Accountant
SCI, 14-15 Belgrave Square, London, SW1X 8PS
T: +44 (0)20 7598 1536 E: david.nyaruwa@soci.org W: http://www.soci.org
SCI – where science meets business

Phenotypic Approaches in Drug Discovery, 18 March 2015, SCI, London, UK
Arrested Gels: Dynamics, Structure and Application, 23-25 March 2015, Gonville & Caius, Cambridge, UK
32nd Process Development Symposium, 25-27 March 2015, Churchill College, Cambridge, UK
Reagentless Synthesis, 1 April 2015, SCI, London, UK

For the full events listing and more information go to http://www.soci.org/Events

The attachment was “Accumentia Booking (16-9-15).doc”, SHA256 08f309a099ca24a110088d9d6f386dec982c343c71989a2e77dd8ac0bb95bff2
VirusTotal Report

The document contained the following 3 Macro Modules:

https://pastebin.mozilla.org/8841700
https://pastebin.mozilla.org/8841701
https://pastebin.mozilla.org/8841703

When the macro is run it starts with this:

Sub autoopen()
    ' Word runs this automatically when the document is opened
    ' (only if the user allows macros, hence the social-engineering lure).
    VEeve (8.2)
End Sub

Sub VEeve(FFFFF As Long)
    ' The argument is never used; passing 8.2 to a Long is just noise
    ' to make the stub look like real code. KLJLGBk is defined in one of
    ' the other macro modules and continues the chain from here.
    KLJLGBk
End Sub

The macro downloads its payload from:

http://hunde-detektive.de/75yh4/8g4gffr.exe
SHA256 1bac0544e05b7914ee296ce1cee356d532487038e2b3508934c09b454a9b5633
VirusTotal Report / Malwr Report

The downloaded executable was saved to:

C:\Users\User\AppData\Local\L7ExGyZD\j1wfFYPg.exe

which in turn accessed
https://194.58.111.157:448/

and then quit (I presume it detected VirtualBox).

The CnC server (194.58.111.157) is the same one used in the Ofcom spam run earlier this morning.

Further communication after that was with:

https://95.163.121.252/

That brings us back to the “obamacare” certificate (as seen in the Chess invoice run):

CN = trtheawa.ml
OU = obamacare
O = democracy
L = Houston
S = TX
C = US
Thumbprint: 68f0a2ef0a7eadc2e055203327309ba7abdb8b61

The certificate's start date is 31 July 2015, the same date the new domain in the Ofcom spam run article was registered.
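To turn the indicators above into something you can actually run over logs, here is an added example (my code, not part of the original post): a small IOC matcher that takes the two SHA256 hashes, the download host, the two CnC addresses and the certificate thumbprint from this post and scans a log. The log format (space-separated key=value pairs), the sample lines, the function names, and the choice of port 443 for the bare https://95.163.121.252/ URL are all assumptions made for this example. It also checks for the drop location pattern seen here, %LOCALAPPDATA%\<8 chars>\<8 chars>.exe, as a weak heuristic.

```python
"""IOC matcher for the indicators in this post (added example, not the post's code).

Hashes, hosts, IPs and thumbprint come from the post.  The log format
(space-separated key=value pairs), the constructed sample lines and all
function names are assumptions made for this example.
"""
import re
from urllib.parse import urlsplit

IOC_SHA256 = {
    "08f309a099ca24a110088d9d6f386dec982c343c71989a2e77dd8ac0bb95bff2": "malicious .doc attachment",
    "1bac0544e05b7914ee296ce1cee356d532487038e2b3508934c09b454a9b5633": "downloaded payload 8g4gffr.exe",
}
IOC_DOWNLOAD_HOSTS = {"hunde-detektive.de"}
# (ip, port) pairs the payload talked to; 443 is assumed for the bare https:// URL
IOC_C2 = {("194.58.111.157", 448), ("95.163.121.252", 443)}
IOC_CERT_SHA1 = {"68f0a2ef0a7eadc2e055203327309ba7abdb8b61"}
# %LOCALAPPDATA%\<8 alnum>\<8 alnum>.exe - seen in a single sample, so treat as a
# weak heuristic rather than a hard indicator
DROP_PATH_RE = re.compile(r"\\AppData\\Local\\[A-Za-z0-9]{8}\\[A-Za-z0-9]{8}\.exe$", re.I)


def norm_thumbprint(s: str) -> str:
    """Normalise 'AB:CD:..', 'ab cd ..' or 'abcd..' to plain lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def parse_kv(line: str) -> dict:
    """Parse 'k=v k2=v2' (constructed format; values contain no spaces)."""
    out = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


def match_line(line: str) -> list:
    """Return the list of IOC hits for one log line (empty if clean)."""
    ev = parse_kv(line)
    hits = []
    h = ev.get("sha256", "").lower()
    if h in IOC_SHA256:
        hits.append(f"hash: {IOC_SHA256[h]}")
    if "url" in ev:
        host = urlsplit(ev["url"]).hostname
        if host in IOC_DOWNLOAD_HOSTS:
            hits.append(f"download host: {host}")
    if "dst" in ev:
        ip, _, port = ev["dst"].rpartition(":")
        if port.isdigit() and (ip, int(port)) in IOC_C2:
            hits.append(f"c2: {ev['dst']}")
    if "cert_sha1" in ev and norm_thumbprint(ev["cert_sha1"]) in IOC_CERT_SHA1:
        hits.append("cert: obamacare/democracy thumbprint")
    if "path" in ev and DROP_PATH_RE.search(ev["path"]):
        hits.append(f"drop path pattern: {ev['path']}")
    return hits


def scan(lines) -> list:
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log: lines 1-5 replay the chain from the post, line 6 is benign.
SAMPLE_LOG = [
    "seq=1 event=mail_attach sha256=08f309a099ca24a110088d9d6f386dec982c343c71989a2e77dd8ac0bb95bff2",
    "seq=2 event=http_get url=http://hunde-detektive.de/75yh4/8g4gffr.exe dst=203.0.113.10:80",
    "seq=3 event=file_write path=C:\\Users\\User\\AppData\\Local\\L7ExGyZD\\j1wfFYPg.exe "
    "sha256=1bac0544e05b7914ee296ce1cee356d532487038e2b3508934c09b454a9b5633",
    "seq=4 event=tls_connect dst=194.58.111.157:448",
    "seq=5 event=tls_connect dst=95.163.121.252:443 "
    "cert_sha1=68:F0:A2:EF:0A:7E:AD:C2:E0:55:20:33:27:30:9B:A7:AB:DB:8B:61",
    "seq=6 event=http_get url=https://www.soci.org/Events dst=198.51.100.7:443",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, "; ".join(hits))
```

The thumbprint is normalised before comparison because tools emit it as colon-separated uppercase, space-separated, or plain hex, and a byte-exact string match silently misses two of the three. Hash and IP indicators from a run like this go stale within days, so the drop-path heuristic and the certificate subject (OU = obamacare, O = democracy) are the parts most worth keeping in a longer-lived rule.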
