“OUR REF : TIM:3003” virus e-mail with ace (zip-like) attachment

Another new work week and another set of virus e-mails. This time to a small subset of the addresses compared to normal.

From: Abdul Aziz <Abdul.Aziz@innovate-indonesia.com>
Subject: OUR REF : TIM:3003
Attachment: document2015-pdf.ace
OUR REF : TIM:3003

Dear Sir,

This Email is in response to your Quotation to our Sales Department, Please quote the following Orders in united state dollars and also see the new changes in our order and Email me your best possible price with approximate lead time and availability for required samples in attached file.


German Michel
Purchase/Sales Manager.
Tel : +9197157454744 or 9197134364544
Fax : +91972 6468 47
E-mail lgerman@fahedtrade.com

The headers were as follows

Received: from innovate-indonesia.com ( by
AM1FFO11OLC005.mail.protection.outlook.com ( with Microsoft
SMTP Server id via Frontend Transport; Mon, 17 Aug 2015 13:24:47
Received: from WorldClient by cepat.net.id (MDaemon PRO v11.0.0)
with ESMTP id md50001572187.msg
for <REDACTED@ADDRESS>; Mon, 17 Aug 2015 20:24:09 +0700
X-Spam-Processed: cepat.net.id, Mon, 17 Aug 2015 20:24:09 +0700
(not processed: message size (1407207) exceeds spam filter configured max size of (204800))
X-Authenticated-Sender: Abdul.Aziz@innovate-indonesia.com
X-Return-Path: prvs=16717dd865=Abdul.Aziz@innovate-indonesia.com
X-Envelope-From: Abdul.Aziz@innovate-indonesia.com
Received: from [] by innovate-indonesia.com via WorldClient with HTTP;
Mon, 17 Aug 2015 20:23:56 +0700
Date: Mon, 17 Aug 2015 20:23:56 +0700
From: Abdul Aziz <Abdul.Aziz@innovate-indonesia.com>
Subject: OUR REF : TIM:3003
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=”0817-1323-56-PART_BREAK”
Message-ID: <WC20150817132356.470B4C@innovate-indonesia.com>
X-Mailer: WorldClient 11.0.0

The headers leak that the virus was submitted to a, I guess, hacked webmail server. The submitting connection was on a mobile broadband provider (MTN) in South Africa.

descr: Mobile Broadband Internet Pretoria

Inside the attachment was “document2015-pdf.exe” which, when run, copied itself to:
C:\Users\User\AppData\Roaming\Windows Update.exe
SHA256 7a3f44769c6a3b4730d6b693e3a919c6123389cb96e471d960ca7e1324429b84
VirusTotal Report

And then started a sub process “isshost.exe”
SHA256 6d04ffe7b9eb3847963e8afd8fd695c564770c8996e8af1f063a01872a86bafc
VirusTotal Report

It tried to make a request to whatismyipaddress.com but was rejected because the request didn’t contain a valid user agent!

It then didn’t seem to do anything more – possibly because the whatismyip request didn’t complete?

An interesting string came up in the “isshost.exe” file:
“SUEZ Company 1995 srl”
and in the “document2015-pdf.exe” file:
“Please change this line. Thank you.”
“Please change this line too”

These strings have not been around for long. The earliest I can find is a file submitted on the 14th August 2015. One automated analysis seems to suggest it is after FTP passwords.

This entry was posted in Uncategorized. Bookmark the permalink.

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s