
Email:

Fake "America Airlines" spam email claims your card has been charged and that your ticket confirmation is attached.

The attached .doc contains a malicious macro that downloads malware.


Subject: Order Confirmation for Flight # AA90182

Dear Customer,

Your order has been successfully processed and your card has been charged for the required amount.

FLIGHT NUMBER AA90182
ELECTRONIC 903890108
DATE MAR 12 2015
DEPARTURE TIME 11:15 AM
DESTINATION / New York
TOTAL PRICE / 420.00 USD

Your ticket has been attached to this order confirmation email.
Microsoft Word must be installed to open the attached document.

Thank you

America Airlines.

order_AA90182.doc (109)

Header Examples:

The From header spoofs aa.com, while the envelope sender (the SMTP MAIL FROM address, shown below as X-Envelope-From) is random junk from unrelated domains.

Received: from 190-72-237-127.dyn.dsl.cantv.net [190.72.237.127]
X-Envelope-From: pitchescy @rossrosenthal.com
From: "America Airlines" <orders @aa.com>
Subject: Order Confirmation for Flight # AA90182

Received: from host235-248-static.229-95-b.business.telecomitalia.it [95.229.248.235]
X-Envelope-From: overlayh @royalchinaclub.com
From: "America Airlines" <orders @aa.com>
Subject: Order Confirmation for Flight # AA90182

Received: from MFLFNNTE [183.91.30.31]
X-Envelope-From: everlastingv6 @realenergy.com
From: "America Airlines" <orders @aa.com>
Subject: Order Confirmation for Flight # AA90182
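The three header sets above share the same tell: the From header claims aa.com, but the envelope sender and the first Received hop belong to someone else entirely. The script below is an added example (not part of the original post) that parses raw header blocks, compares the envelope-sender domain with the From domain, and checks whether the relay named in the Received line belongs to the domain the From header claims. The sample blocks are the three quoted above, copied as they appear; the benign control block and its example.net addresses are constructed.

```python
import re

# Constructed sample input: the three header sets quoted above, copied as
# they appear in the post (the addresses keep the space before the '@').
SAMPLE_HEADERS = [
    "Received: from 190-72-237-127.dyn.dsl.cantv.net [190.72.237.127]\n"
    "X-Envelope-From: pitchescy @rossrosenthal.com\n"
    'From: "America Airlines" <orders @aa.com>\n'
    "Subject: Order Confirmation for Flight # AA90182",
    "Received: from host235-248-static.229-95-b.business.telecomitalia.it [95.229.248.235]\n"
    "X-Envelope-From: overlayh @royalchinaclub.com\n"
    'From: "America Airlines" <orders @aa.com>\n'
    "Subject: Order Confirmation for Flight # AA90182",
    "Received: from MFLFNNTE [183.91.30.31]\n"
    "X-Envelope-From: everlastingv6 @realenergy.com\n"
    'From: "America Airlines" <orders @aa.com>\n'
    "Subject: Order Confirmation for Flight # AA90182",
]

# Constructed benign control: envelope sender, From domain and relay agree.
BENIGN_HEADERS = (
    "Received: from mail.example.net [192.0.2.10]\n"
    "X-Envelope-From: bounces@example.net\n"
    'From: "Example Shop" <orders@example.net>\n'
    "Subject: Your receipt"
)

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# Tolerates the space the post inserts before '@' in its examples.
ADDR_RE = re.compile(r"([\w.+-]+)\s*@\s*([\w.-]+)")
# "from <helo-or-rdns> [<ip>]" as written in the Received lines above.
RELAY_RE = re.compile(r"from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.

    Only the single-line headers shown in the post are handled; folded
    continuation lines are ignored.
    """
    headers = {}
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers


def sender_domain(value: str):
    """Return the lower-cased domain of the first address in a header value."""
    m = ADDR_RE.search(value)
    return m.group(2).lower() if m else None


def triage(raw: str, claimed_domains=("aa.com",)) -> list:
    """Return a list of findings explaining why the message looks spoofed.

    claimed_domains lists sender domains we expect to be impersonated and
    whose mail should arrive through their own relays.
    """
    h = parse_headers(raw)
    from_dom = sender_domain(h.get("from", ""))
    env_dom = sender_domain(h.get("x-envelope-from", ""))
    findings = []
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(
            f"envelope sender {env_dom} does not match From domain {from_dom}")
    if from_dom in claimed_domains:
        relay = RELAY_RE.search(h.get("received", ""))
        if relay and not relay.group(1).lower().endswith("." + from_dom):
            findings.append(
                f"From claims {from_dom} but first hop was "
                f"{relay.group(1)} [{relay.group(2)}]")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_HEADERS + [BENIGN_HEADERS]:
        subject = parse_headers(raw).get("subject", "")
        print(subject, "->", triage(raw) or ["no findings"])
```

Each of the three campaign samples yields two findings (envelope/From mismatch and a foreign first hop), while the constructed control yields none. The relay check is a heuristic for domains on a watch list; a real deployment would add SPF/DKIM results, which these samples do not include.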

Malware

12 March 2015 

Attachment: malicious .doc with macro, order_AA90182.doc

VirusTotal report 

McAfee: W97M/Downloader.aee
TrendMicro: HS_BARTALEX.SM

metadata:
code_page Cyrillic

The document displays junk characters together with a prompt reading "If you document have incorrect encoding - enable macro". Once macros are enabled, the macro decodes the junk and downloads the malware.

Picture of malicious doc being sneaky.

An example of the macro can be seen at this pastebin. It downloads an executable from locations such as:

91.194.254.213/us/file.jpg  <-- actually an .exe file 

Downloaded executable: file.jpg, aka file.exe (tordal / hancitor / chancitor / chaintor)

VirusTotal report 

AhnLab-V3: Trojan/Win32.Chanitor
McAfee: Generic-FAWE!63CC107D6F44
Panda: Generic Suspicious

Malwr.com report

Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Installs itself for autorun at Windows startup

Also:

Fun icon!

Picture of malware icon that the macro downloads.

Network traffic:
api.ipify.org:443
xdndo2okt43cjx44.tor2web.blutmagie.de:443
xdndo2okt43cjx44.tor2web.fi:443
xdndo2okt43cjx44.tor2web.org:443
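The network indicators above follow a recognisable shape: an external-IP lookup (api.ipify.org) followed by the same 16-character hidden-service label reached through several tor2web gateways. The script below is an added example, not part of the original post, that scans constructed proxy log lines for the listed hosts and, more generally, for any host of the form <16 base32 chars>.tor2web.<gateway>, reporting the .onion address that the gateway fronts. The log format (timestamp, client IP, destination host:port), the client addresses and the two extra destination hosts are constructed for the example.

```python
import re

# Hosts quoted in the post's network traffic list.
IOC_HOSTS = {
    "api.ipify.org",
    "xdndo2okt43cjx44.tor2web.blutmagie.de",
    "xdndo2okt43cjx44.tor2web.fi",
    "xdndo2okt43cjx44.tor2web.org",
}

# tor2web gateways expose a (v2) hidden service, whose name is 16 base32
# characters, as a subdomain of the gateway's own name. This generalises the
# three gateway hosts listed above to any gateway domain.
TOR2WEB_RE = re.compile(r"^([a-z2-7]{16})\.tor2web\.[a-z0-9.-]+$")

# Constructed proxy log: timestamp, client IP, destination host:port.
# The last line uses a made-up label and gateway to show the generic match.
SAMPLE_LOG = """\
2015-03-12T10:01:02Z 10.0.0.15 api.ipify.org:443
2015-03-12T10:01:03Z 10.0.0.15 xdndo2okt43cjx44.tor2web.blutmagie.de:443
2015-03-12T10:01:05Z 10.0.0.15 xdndo2okt43cjx44.tor2web.fi:443
2015-03-12T10:01:07Z 10.0.0.15 xdndo2okt43cjx44.tor2web.org:443
2015-03-12T10:02:00Z 10.0.0.22 www.example.com:443
2015-03-12T10:03:00Z 10.0.0.22 abcdefghijklmnop.tor2web.example:443
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client, host, port)."""
    ts, client, dest = line.split()
    host, _, port = dest.rpartition(":")
    return ts, client, host.lower(), int(port)


def classify_host(host: str) -> list:
    """Return the reasons a destination host is suspicious (empty if none)."""
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known indicator")
    m = TOR2WEB_RE.match(host)
    if m:
        reasons.append(f"tor2web gateway for {m.group(1)}.onion")
    return reasons


def scan(log: str) -> list:
    """Return (client, host, reasons) for every flagged log line."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _, client, host, _ = parse_line(line)
        reasons = classify_host(host)
        if reasons:
            hits.append((client, host, reasons))
    return hits


def onions_by_client(hits: list) -> dict:
    """Collapse gateway hits to the hidden services each client reached."""
    result = {}
    for client, host, _ in hits:
        m = TOR2WEB_RE.match(host)
        if m:
            result.setdefault(client, set()).add(m.group(1) + ".onion")
    return result


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, host, reasons in hits:
        print(client, host, "; ".join(reasons))
    print(onions_by_client(hits))
```

Collapsing the three gateway hosts to one .onion name matters for detection: the sample rotates through gateways, so alerting on the hidden-service label rather than any single gateway hostname survives a change of gateway. The ipify lookup is not malicious by itself and is only flagged here because it appears in the post's indicator list.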
