Wednesday, April 29, 2015

2015-04-29 Phish of the day

Just received this one. It comes with a base64 encoded attachment named "check.doc". Keep your eyes open for this one.

----- Begin Phishing Email -----

Are you sure you issued this check? Your signature looks bogus

----- End Phishing Email -----

----- Begin Phishing Email Header Info -----

Return-path: <shrewed49@rmeasdale.com>
Received: from 84-232-236-159.pppoe-business.brasov.rdsnet.ro
 ([84.232.236.159]) by vms172077.mailsrvcs.net
 (Oracle Communications Messaging Server 7.0.5.34.0 64bit (built Oct 14 2014))
 with ESMTP id <0NNK00AY3NDB4L20@vms172077.mailsrvcs.net> for
 <recipient_email_omitted>; Wed, 29 Apr 2015 09:10:30 -0500 (CDT)
Date: Wed, 29 Apr 2015 16:14:30 +0200
From: "Ashlee Tyson" <shrewed49@rmeasdale.com>
Subject: Re: payroll checkare
X-Originating-IP: [84.232.236.159]
To: <recipient_email_omitted>
Message-id: <1439X27C.3641794@rmeasdale.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_PgzM7siDShtPG6KvVVfGMg)"
X-Verizon-Spam: Yes
X-CMAE-Score: 100
X-CMAE-Analysis: v=2.1 cv=LYyLMYaK c=1 sm=1 tr=0 p=rJqd6rZlIhYbTn4MaQAA:9
 p=H1u9zqURehgJvYRmWIMA:9 a=a8IUkKEvmxiWzBY6Ruf4/A==:117
 a=a8IUkKEvmxiWzBY6Ruf4/A==:17 a=TBwV841PfKQA:10 a=ARMftL3jAAAA:8
 a=oR5dmqMzAAAA:8 a=e9J7MTPGsLIA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=9iDbn-4jx3cA:10
 a=cKsnjEOsciEA:10 a=gZbpxnkM3yUA:10 a=wPNLvfGTeEIA:10 a=DJSPjBAeKj4A:10
 a=QPrpmIQDwqUA:10 a=RXpN45yG6AAA:10 a=diV1Cm6KfS4A:10 a=tclcd6dtLQvEqt9_mmAA:9
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101
 Thunderbird/24.2.0
Original-recipient: rfc822;<recipient_email_omitted>

This is a multi-part message in MIME format.
--Boundary_(ID_PgzM7siDShtPG6KvVVfGMg)
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Content-transfer-encoding: 7BIT

Are you sure you issued this check? Your signature looks bogus
--Boundary_(ID_PgzM7siDShtPG6KvVVfGMg)
Content-type: application/msword; name=check.doc
Content-transfer-encoding: base64
Content-disposition: attachment; filename=check.doc


<Encoding_removed>

Per VirusTotal:

SHA256: dc967761e041aeb6c2f518ebeff8f52551ba32d71887eb04996c3ea6db43e854
File name: check.doc
Detection ratio: 4 / 57
Analysis date: 2015-04-29 14:44:19 UTC ( 0 minutes ago )

AVware     LooksLike.Macro.Malware.gen!d1 (v)   20150429
AhnLab-V3  W97M/Downloader                      20150429
Fortinet   WM/Agent!tr                          20150429
VIPRE      LooksLike.Macro.Malware.gen!d1 (v)   20150429



--Boundary_(ID_PgzM7siDShtPG6KvVVfGMg)
Content-type: TEXT/PLAIN
Content-transfer-encoding: 7BIT


--Boundary_(ID_PgzM7siDShtPG6KvVVfGMg)--


----- End Phishing Email Header Info -----
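A small triage script, added here as an example and not part of the original post, showing how a defender can pull the same facts out of a message like this one automatically: parse the MIME structure, hash the base64 attachment, extract the connecting IP from the first Received header, and flag the traits this phish shows (a "Re:" subject with no In-Reply-To/References header, a legacy Word attachment, and a hash match against the SHA256 VirusTotal reported above). The message text is a constructed sample that mirrors the headers above; the attachment bytes are a harmless placeholder, not the real check.doc, so its hash will not match the blocklist.

```python
import base64
import hashlib
import re
from email import message_from_string, policy

# SHA256 of check.doc as reported by VirusTotal in the post above.
KNOWN_BAD_SHA256 = {
    "dc967761e041aeb6c2f518ebeff8f52551ba32d71887eb04996c3ea6db43e854",
}

# Legacy Office formats that can carry VBA macros (the W97M detections above).
MACRO_CAPABLE_TYPES = {"application/msword", "application/vnd.ms-excel"}

# Constructed placeholder standing in for the attachment body; NOT the real file.
SAMPLE_ATTACHMENT = b"placeholder bytes standing in for check.doc"

# Constructed sample modelled on the phish above; recipient address is made up.
SAMPLE_EMAIL = (
    "Return-path: <shrewed49@rmeasdale.com>\r\n"
    "Received: from 84-232-236-159.pppoe-business.brasov.rdsnet.ro\r\n"
    " ([84.232.236.159]) by vms172077.mailsrvcs.net\r\n"
    " with ESMTP id <0NNK00AY3NDB4L20@vms172077.mailsrvcs.net>;\r\n"
    " Wed, 29 Apr 2015 09:10:30 -0500 (CDT)\r\n"
    "From: \"Ashlee Tyson\" <shrewed49@rmeasdale.com>\r\n"
    "Subject: Re: payroll checkare\r\n"
    "X-Originating-IP: [84.232.236.159]\r\n"
    "To: <recipient@example.invalid>\r\n"
    "MIME-version: 1.0\r\n"
    "Content-type: multipart/mixed; boundary=\"Boundary_(ID_sample)\"\r\n"
    "\r\n"
    "--Boundary_(ID_sample)\r\n"
    "Content-type: text/plain; CHARSET=US-ASCII; format=flowed\r\n"
    "Content-transfer-encoding: 7BIT\r\n"
    "\r\n"
    "Are you sure you issued this check? Your signature looks bogus\r\n"
    "--Boundary_(ID_sample)\r\n"
    "Content-type: application/msword; name=check.doc\r\n"
    "Content-transfer-encoding: base64\r\n"
    "Content-disposition: attachment; filename=check.doc\r\n"
    "\r\n"
    + base64.b64encode(SAMPLE_ATTACHMENT).decode() + "\r\n"
    "--Boundary_(ID_sample)--\r\n"
)


def parse_message(raw):
    """Parse raw RFC 822 text into an EmailMessage (modern policy unfolds headers)."""
    return message_from_string(raw, policy=policy.default)


def extract_attachments(msg):
    """Return filename, declared type, decoded size and SHA256 for each attachment."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""  # base64 is decoded here
        found.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return found


def sending_ip(msg):
    """IP of the host that connected to our MTA: the first (topmost) Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return match.group(1) if match else None


def triage(raw):
    """Apply a few cheap heuristics and return the connecting IP plus findings."""
    msg = parse_message(raw)
    findings = []

    # A forged reply thread: "Re:" subject without the headers a real reply carries.
    subject = msg.get("Subject", "")
    if subject.lower().startswith("re:") and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("subject claims a reply but no In-Reply-To/References header")

    for att in extract_attachments(msg):
        if att["content_type"] in MACRO_CAPABLE_TYPES:
            findings.append(
                f"macro-capable attachment {att['filename']} ({att['content_type']})"
            )
        if att["sha256"] in KNOWN_BAD_SHA256:
            findings.append(f"attachment {att['filename']} matches known-bad hash")

    return {"sending_ip": sending_ip(msg), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    print("connecting IP:", report["sending_ip"])
    for line in report["findings"]:
        print("-", line)
```

Feed it a real .eml and the hash is what you paste into VirusTotal; the "Re:" check is worth keeping even though it is cheap, because a genuine reply from a mail client like the Thunderbird user agent claimed above would carry In-Reply-To.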
