Following on from this post about Japanese language invoice malspam delivering Ursnif, we are currently seeing another Japanese campaign, this time about damaged photos. The macros contact the same sites mentioned in the other post to download the same malware version.
48336.doc: current VirusTotal detections; Payload Security analysis. The Payload Security report is still showing the same error by the malware author, where the download URLs start with http:\\ instead of http://. Unfortunately Windows (or at least all browsers) corrects these errors, so the malware still gets downloaded and autorun. From the various sandbox analysis reports it looks like PowerShell auto-corrects the http:\\ errors (unless it is a sandbox feature that imitates user error and corrects for it).
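The practical consequence of the http:\\ quirk for defenders is that any IOC extractor or detection rule written around the literal string http:// will silently miss these downloader URLs. Below is an added example (not code from the post) of a small URL extractor that accepts both separator forms and normalises them to http:// before they are compared against blocklists or reported; the hostnames in the samples are constructed placeholders.

```python
import re

# Matches http/https followed by any of the separator spellings seen in malspam:
# the correct "//", the malformed "\\", and the mixed "\/" or "/\" forms.
SCHEME_RE = re.compile(r'''(?i)\b(https?):(\\\\|//|\\/|/\\)([^\s"'<>]+)''')


def is_malformed(raw):
    """True when the scheme separator is anything other than the correct '//'."""
    m = SCHEME_RE.match(raw)
    return bool(m) and m.group(2) != "//"


def normalize_url(raw):
    """Rewrite a (possibly backslash-separated) URL into canonical http:// form.

    Returns None when the string does not start with an http(s) scheme at all.
    """
    m = SCHEME_RE.match(raw)
    if not m:
        return None
    scheme, _sep, rest = m.groups()
    # PowerShell/Windows tolerate backslashes here; we canonicalise them so the
    # extracted indicator matches what a blocklist or proxy log would contain.
    return f"{scheme.lower()}://{rest.replace(chr(92), '/')}"


def extract_urls(text):
    """Pull every http(s) URL out of a blob of decoded macro/script text."""
    return [normalize_url(m.group(0)) for m in SCHEME_RE.finditer(text)]


def naive_count(text):
    """What a rule that only knows 'http://' would see; for comparison only."""
    return len(re.findall(r"(?i)https?://", text))


# Constructed sample of what a de-obfuscated downloader string might look like.
SAMPLE = 'foo http:\\\\a.invalid\\x bar http://b.invalid/y'

if __name__ == "__main__":
    print("naive rule sees:", naive_count(SAMPLE), "URL(s)")
    print("tolerant extractor sees:", extract_urls(SAMPLE))
```

Running the block shows the naive rule finding one URL where the tolerant extractor finds two; the same normalisation is worth applying to proxy and sandbox logs before matching against IOC lists.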
This one pretends to come from a DHL email address
The email looks like:
Date: Wed 14/06/2017 09:13
Subject: //ダメージ写真 (Damaged Photo)
Always I am indebted.
I will attach a damage photograph.
As usual, these have trouble displaying on an English computer.
The Word doc looks like this, with the usual Japanese instructions: In the yellow message bar, click [Activate Content]
Infection: Clamd: 48336.doc was infected: Doc.Macro.MaliciousHeuristic-6329080-0
Clamd: message was infected: Doc.Macro.MaliciousHeuristic-6329080-0
Note: Only the final IP address outside of your network in the Received: fields can be trusted, as others can be spoofed.
Received: from 126.96.36.199.dyn.user.ono.com ([188.8.131.52]:15824) by knight.knighthosting.co.uk with esmtp (Exim 4.89) (envelope-from <firstname.lastname@example.org>) id 1dL3QN-0003Rf-4R for [redacted]@our-local.co.uk; Wed, 14 Jun 2017 09:13:11 +0100
To: <[redacted]@our-local.co.uk>
From: <email@example.com>
Subject: =?iso-2022-jp?B?Ly8bJEIlQCVhITwlODxMPz8bKEI=?=
Reply-To: <firstname.lastname@example.org>
Message-ID: <email@example.com>
Date: Wed, 14 Jun 2017 09:13:11 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="CC2A24534CA781196"
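Two things in that header block are worth automating when triaging a batch of these: decoding the RFC 2047 encoded-word Subject (iso-2022-jp here, which is why the Japanese subject arrives as base64) and picking out the one sender IP that the note above says can be trusted, namely the address recorded by your own mail server in the topmost Received: line it stamped. The following is an added example, not code from the post, that does both over the headers shown above; the addresses are kept exactly as the post displays them, and the "our mail server" suffix and the dynamic-hostname heuristic are assumptions for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header

# The headers from the post, refolded onto separate lines so the parser reads
# them as one message. Addresses are left as the post shows them.
RAW_HEADERS = """\
Received: from 126.96.36.199.dyn.user.ono.com ([188.8.131.52]:15824)
\tby knight.knighthosting.co.uk with esmtp (Exim 4.89)
\t(envelope-from <firstname.lastname@example.org>)
\tid 1dL3QN-0003Rf-4R
\tfor [redacted]@our-local.co.uk; Wed, 14 Jun 2017 09:13:11 +0100
To: <[redacted]@our-local.co.uk>
From: <email@example.com>
Subject: =?iso-2022-jp?B?Ly8bJEIlQCVhITwlODxMPz8bKEI=?=
Reply-To: <firstname.lastname@example.org>
Message-ID: <email@example.com>
Date: Wed, 14 Jun 2017 09:13:11 +0100
MIME-Version: 1.0

"""

# "from <helo> ([<ip>]...) by <host>" as Exim and most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\)\s+by\s+(?P<by>\S+)")


def decode_subject(msg):
    """Decode RFC 2047 encoded words (=?charset?B?...?=) into readable text."""
    parts = decode_header(msg["Subject"] or "")
    return "".join(
        chunk.decode(cs or "ascii", "replace") if isinstance(chunk, bytes) else chunk
        for chunk, cs in parts)


def received_hops(msg):
    """Return (helo, ip, by) per Received: header, topmost (latest hop) first."""
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header folding
        m = RECEIVED_RE.search(unfolded)
        if m:
            hops.append((m["helo"], m["ip"], m["by"]))
    return hops


def last_external_hop(msg, our_mx_suffix):
    """Sender IP from the first Received: line stamped by one of our own servers.

    Headers are prepended as mail travels, so walking from the top, the first
    hop written by our infrastructure is the only one the sender could not forge.
    """
    for _helo, ip, by in received_hops(msg):
        if by.endswith(our_mx_suffix):
            return ip
    return None


def looks_dynamic(helo):
    """Assumed heuristic: consumer dynamic-pool reverse DNS names often say so."""
    return bool(re.search(r"(?i)\b(dyn|dynamic|dhcp|ppp|pool)\b", helo))


def analyze(raw, our_mx_suffix="knighthosting.co.uk"):
    """Summarise the fields a triage analyst would pull from the raw headers."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {
        "subject": decode_subject(msg),
        "sender_ip": last_external_hop(msg, our_mx_suffix),
        "helo": hops[0][0] if hops else None,
        "dynamic_host": looks_dynamic(hops[0][0]) if hops else False,
        "message_id": msg["Message-ID"],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

The decoded subject comes back as //ダメージ写真, matching the rendered subject line in the email above, and the trusted sender IP is the bracketed address in the hop stamped by knight.knighthosting.co.uk; the HELO name being a consumer dynamic-pool hostname is one of the cheap signals worth logging alongside it.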