2017-04-19 - DRIDEX MALSPAM WITH PDF ATTACHMENTS CONTAINING EMBEDDED WORD DOCS

ASSOCIATED FILES:

BACKGROUND ON THIS CAMPAIGN:

Shown above:  Screenshot of today's Dridex malspam tracker.

EMAILS

Shown above:  Example of an email from the 1st wave of Dridex malspam.

Shown above:  Example of an email from the 2nd wave of Dridex malspam.

FIRST WAVE:

SECOND WAVE:

Shown above:  How attachments from both waves of malspam behave.
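The delivery technique in this campaign is a PDF that carries a Word document as an embedded file and prompts the viewer to open it. As an added triage example (not code from the original post or its author), the scanner below reads raw PDF bytes and reports the object names that signal embedded content (/EmbeddedFile, /Filespec) and automatic actions (/OpenAction, /JS, /Launch), plus any embedded file names. The two sample PDFs are constructed for the example; "attachment.doc" and the placeholder script string are made-up values, not indicators from this campaign.

```python
import re
from dataclasses import dataclass, field

# Names whose presence means the PDF carries a file inside it.
EMBED_NAMES = {"EmbeddedFile", "EmbeddedFiles", "Filespec"}
# Names that make the viewer act without the user deliberately opening anything.
ACTION_NAMES = {"OpenAction", "AA", "JavaScript", "JS", "Launch"}
OFFICE_EXT = (".doc", ".docm", ".docx", ".dot", ".dotm", ".rtf", ".xls", ".xlsm", ".xlsx")

NAME_RE = re.compile(
    rb"/(EmbeddedFiles?|Filespec|OpenAction|AA|JavaScript|JS|Launch)(?![A-Za-z0-9_])"
)
# /F (name) or /UF (name) inside a file specification dictionary.
FILENAME_RE = re.compile(rb"/U?F\s*\(([^()]*)\)")


@dataclass
class PdfTriage:
    embedded_keys: list = field(default_factory=list)
    action_keys: list = field(default_factory=list)
    filenames: list = field(default_factory=list)
    office_embedded: bool = False
    verdict: str = "none: no embedded-file indicators"


def triage_pdf(data: bytes) -> PdfTriage:
    """Scan raw PDF bytes for embedded-file and auto-action indicators.

    Caveat: only uncompressed object dictionaries are visible to a byte scan.
    A dropper that hides its catalog inside a FlateDecode object stream needs
    a real PDF parser (or a tool such as pdfid/pdf-parser) instead.
    """
    found = {m.group(1).decode("ascii") for m in NAME_RE.finditer(data)}
    result = PdfTriage(
        embedded_keys=sorted(found & EMBED_NAMES),
        action_keys=sorted(found & ACTION_NAMES),
    )
    names = []
    for m in FILENAME_RE.finditer(data):
        name = m.group(1).decode("latin-1")
        if name and name not in names:
            names.append(name)
    result.filenames = names
    result.office_embedded = any(n.lower().endswith(OFFICE_EXT) for n in names)
    if result.embedded_keys and result.action_keys:
        result.verdict = "high: embedded file plus automatic action"
    elif result.embedded_keys:
        result.verdict = "review: embedded file present"
    return result


# Constructed sample: a PDF with an embedded .doc and an OpenAction that runs
# JavaScript (the script body is a placeholder, not real dropper code).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(attachment.doc) 5 0 R] >> >> /OpenAction 6 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /EmbeddedFile /Length 4 >>
stream
XXXX
endstream
endobj
5 0 obj
<< /Type /Filespec /F (attachment.doc) /UF (attachment.doc) /EF << /F 4 0 R >> >>
endobj
6 0 obj
<< /S /JavaScript /JS (CONSTRUCTED_SCRIPT_PLACEHOLDER) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page PDF with nothing embedded.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(blob))
```

Running it prints a "high" verdict for the constructed sample (embedded .doc plus /OpenAction and /JS) and "none" for the benign file. At scale the same name counts come from pdfid, and a mail gateway rule that quarantines any inbound PDF showing /EmbeddedFile together with an Office file name catches this delivery pattern before a user is asked to enable macros.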

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  More Wireshark filtering shows attempted TCP connections by the infected host.

URLS TO RETRIEVE DRIDEX FROM THE WORD DOCUMENT MACROS:

INFECTING A WINDOWS HOST BY ENABLING MACROS ON THE EMBEDDED WORD DOCUMENT:

OTHER ATTEMPTED TCP CONNECTIONS FROM THE INFECTED HOST:

MALWARE

SHA256 HASHES FOR THE ATTACHED PDF FILES:

SHA256 HASHES FOR WORD DOCUMENTS EMBEDDED IN THOSE PDF FILES:

ARTIFACTS FROM AN INFECTED WINDOWS HOST:

DRIDEX EXECUTABLE:

OTHER ARTIFACTS FROM THE INFECTED HOST:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.