from: [victim] via sendgrid.me
date: 8 July 2013 19:08
subject: Urgent 6:08 PM 244999
Signed by: sendgrid.me
The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws.com/ft556/Document_948357853____.exe [https] (VirusTotal report) which then downloads a further executable from [donotclick]s3.amazonaws.com/mik49/ss32.exe [http] (VirusTotal report) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe.
ThreatExpert reports that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).Anubis, Comodo CAMAS, Malwr and ThreatTrack give various clues as to what the downloader is doing.
The second part (ss32.exe) attempts to lookup a server called mssql.maurosouza9899.kinghost.net 126.96.36.199 (IPV6 Internet Ltda, Brazil) according to CAMAS and Anubis identifies an attempted connection to bit.ly/15aDtjB which attempts to connect to an unregistered domain of www.mdaijdasid.com (report here). Malwr gives some further information on system changes as does ThreatTrack. ThreatExpert reports seeing Themida again.
Quite what the second part of the malware does is unclear, and it may simply be that the mdaijdasid.com hasn't been registered quite yet but will be later. VirusTotal does report some other badness on 188.8.131.52 so this is probably worth blocking.