Wednesday, 28 January 2015

Accounts Invoice 1385 Windsor Flowers

Accounts Invoice 1385 Windsor Flowers, containing a Word document with an embedded macro.

Just a quick update to the earlier blog entry.

Payload (thanks to Leigh Hall for the information):
Connects to: hxxp://vivercomrequinte.com.br/js/bin.exe
Creates file: %TEMP%\sdfsdferfwe.exe

Payload MD5 hash:
9b1df8529ce85a0d9ccd5378afb7cbaf

Payload Analysis:

VirusTotal Report (detected by 2/57 virus scanners)

Malwr Report

Hybrid-Analysis Report

Connects to host located in:

France, Bulgaria, United Kingdom, Bulgaria, France, Romania, Korea Republic of

Cheers,
Steve

3 comments:

Dave said...

Macro in word doc contains the following code: http://pastebin.com/vZn3RCHP

Dave said...

Further to my previous comment, another domain is

drevenak.cz

Glen Helton said...

Is that domain what the .doc tries to reach or what the dropped .exe tries to reach?