Friday, 24 April 2015

Colin Fox Invoice 519658 Sales Invoice 519658.pdf malware

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: Colin Fox {colin@nofss.co.uk}
Subject: Invoice 519658
Message Body:
Please find Invoice 519658     attached

Attachment:
Sales Invoice 519658.pdf
Sha256 Hashes:
3de96921a07553cf5ef25cab246480f04383d44cc921042e1462b7ffbe1fe720 [1]
7ae59f17744bf995747a5c23a1e7fe3710cbe79c2554ffd935053739c67aa88f [2]
5b7d4e88f901f5a7519b3f3ecaf8594d7366fec6f3b4acaf51a1a5175996b4d9 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection 2/57)
VirusTotal Report: [2] (Detection 2/57)
VirusTotal Report: [3] (Detection 2/57)

Malwr Report: [1]
Malwr Report: [2]
Malwr Report: [3]

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]

Notes:

Being detected with Sanesecurity signatures as:
Sanesecurity.Malware.24852.MacroHeurGen.GnIo.UNOFFICIAL FOUND

PDF contains JavaScript to launch:


PDF drops a Word document containing macros, so DO NOT SAVE OR OPEN THIS FILE:
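As an added triage example (not code from the original post or from the tools it links), this Python scan looks for the PDF names behind the chain described above: a script action fired on open plus an embedded file to drop. The PDF bytes are constructed here, not the real attachment, and the name list and verdict rules are this example's own choices.

```python
import re
import zlib

# Constructed sample, not the real attachment: a minimal PDF whose OpenAction
# runs JavaScript that exports an embedded "invoice.doc" and launches it.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /OpenAction 3 0 R /Names << /EmbeddedFiles << /Names [(invoice.doc) 4 0 R] >> >> >> endobj
3 0 obj << /S /JavaScript /JS (this.exportDataObject({cName:"invoice.doc", nLaunch:2});) >> endobj
4 0 obj << /Type /Filespec /F (invoice.doc) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 8 >> stream
D0CF11E0
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Same chain with hex-escaped names, a common way to dodge naive string matching.
OBFUSCATED_PDF = SAMPLE_PDF.replace(b"/JavaScript", b"/#4Aava#53cript").replace(b"/JS", b"/J#53")

# PDF names a defender wants counted: script actions, auto-run triggers, embedded payloads.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def normalize(data: bytes) -> bytes:
    """Resolve /#4A-style hex escapes in names and append inflated FlateDecode streams."""
    data = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt): the raw bytes are still scanned
    return data + b"\n".join(inflated)

def scan_pdf(data: bytes) -> dict:
    """Count risky names; a delimiter must follow, so /EmbeddedFiles is not counted as /EmbeddedFile."""
    norm = normalize(data)
    hits = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?=[\s/\[<(>])", norm))
        if n:
            hits[name.decode()] = n
    return hits

def verdict(hits: dict) -> str:
    has_js = "/JavaScript" in hits or "/JS" in hits
    if has_js and "/EmbeddedFile" in hits:
        return "dropper: script plus embedded payload"
    if has_js and ("/OpenAction" in hits or "/AA" in hits):
        return "auto-executing script"
    return "suspicious active content" if hits else "no active content found"
```

`verdict(scan_pdf(OBFUSCATED_PDF))` gives the same dropper verdict as the plain sample even though the literal string `/JavaScript` never appears in its bytes.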



NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

7 comments:

Anonymous said...

Thanks for the heads up - had this email in my inbox this morning.

Anonymous said...

Thx, me too.

SWY said...

Me too! Thx.

Anonymous said...

I'm a complete idiot and wasn't paying much attention and got as far as your last screenshot. As soon as this popped up I hit cancel to NOPE out of there. The pdf still appeared with "Hello" written on it.

I'm currently scanning the crap out of my system. Assuming I don't manage to find anything, do you think I should be ok?

Mloza said...

So, no problem if I opened this in a mac...?

Mloza said...

So, no problem if I opened this in a mac...?

Matthew Thompson said...

My company got a few of these this morning. Slipped past all our primary defenses. Thankfully we have a good culture of not opening things we don't know.

This one was really sneaky and not how I wanted to start my Friday morning.