Malware Email: “Scanned document from MX-2600N”/”[email protected]

This fake scanned document has a malicious payload attached:

FROM: [email protected]
REPLY TO: [email protected]
SUBJECT: Scanned document from MX-2600N
DATE: Sun, 11 Oct 2015 13:59:06

Scanned document from MX-2600N

Attached file is scanned document in XLS format. The filename of the attached file is: [email protected]victimdomain.tld_20151011_160214.xls (where victimdomain.tld is the victim’s own domain)

File name: [email protected]_20151011_160214.xls
File size: 103.5 KB ( 105984 bytes )
MD5 hash: 9e3f2ef34def90b30b8c1e3ea6ef421f
SHA1 hash: a3f55fa1ae7026d692df893a5b7c22743e15c9be
SHA256 hash: 20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb
Detection ratio: 28 / 56
First submission: 2015-10-07 09:17:03 UTC
VirusTotal link: https://www.virustotal.com/en/file/20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb/analysis/
Hybrid-Analysis link: https://www.hybrid-analysis.com/sample/20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb?environmentId=1

Further analysis of the Excel spreadsheet indicates that it contains malicious macros (analysis of the XLS file has already been performed by @Dynamoo and posted to Pastebin). The file would download a binary from the URL below:

alarmtechcentral[.]com/fw43t2d/98kj6[.]exe

The executable is already detected by VirusTotal (28/52): https://www.virustotal.com/en/file/3409a5e117bcce19fc616ab870ab04b8bbdebd5952482ea932c3b02c609f8c10/analysis/
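A mail-side check for the indicators listed above (the subject, an attachment name ending in the recipient's own domain plus `_YYYYMMDD_HHMMSS.xls`, and the XLS SHA256), as an added example that is not part of the original post. The function name, the sample addresses, the `scanner` local part and the payload are constructed for illustration.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

SUBJECT = "Scanned document from MX-2600N"  # subject reported in the post
XLS_SHA256 = "20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb"  # from the post

def lure_indicators(raw_message):
    """Return the sorted list of indicators from the post that a message matches."""
    msg = message_from_string(raw_message)
    hits = set()
    if (msg.get("Subject") or "").strip() == SUBJECT:
        hits.add("subject")
    # The post says the attachment name embeds the recipient's own domain,
    # followed by _YYYYMMDD_HHMMSS.xls.
    domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    name_re = re.compile(re.escape(domain) + r"_\d{8}_\d{6}\.xls$") if domain else None
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if name_re and name_re.search(filename):
            hits.add("attachment-name")
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload and hashlib.sha256(payload).hexdigest() == XLS_SHA256:
            hits.add("attachment-sha256")
    return sorted(hits)

# Constructed sample message: addresses and the base64 payload are made up.
TEMPLATE = """From: scanner@example.org
To: alice@example.org
Subject: {subject}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="{filename}"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def sample(subject, filename):
    return TEMPLATE.format(subject=subject, filename=filename)

if __name__ == "__main__":
    print(lure_indicators(sample(SUBJECT, "scanner@example.org_20151011_160214.xls")))
```

The subject and filename pattern survive a repacked attachment, while the hash only matches the exact file analysed in the post.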
