Monday, 8 July 2013 / spam

This spam is unusual in that it comes through an apparently genuine commercial email provider ( and leads to malware hosted on Amazon's cloud service. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:

The email appears to originate from which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through (

The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick] [https] (VirusTotal report) which then downloads a further executable from [donotclick] [http] (VirusTotal report) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe.

ThreatExpert reports that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Anubis, Comodo CAMAS, Malwr and ThreatTrack give various clues as to what the downloader is doing.

The second part (ss32.exe) attempts to look up a server called (IPV6 Internet Ltda, Brazil) according to CAMAS, and Anubis identifies an attempted connection to which attempts to connect to an unregistered domain of (report here). Malwr gives some further information on system changes, as does ThreatTrack. ThreatExpert reports seeing Themida again.

Quite what the second part of the malware does is unclear, and it may simply be that the hasn't been registered quite yet but will be later. VirusTotal does report some other badness on so this is probably worth blocking.
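Two defender-side checks for the chain described above (the executable dropped straight into Application Data, and the domain that is unregistered now but may go live later), as an added example that is not from the original post or from any of the analysis tools it cites. The log format, the sample lines and the placeholder domain c2-placeholder.example are constructed for this example; only the ss32.exe file name and its Application Data location come from the post.

```python
import re
from pathlib import PureWindowsPath

IOC_FILENAME = "ss32.exe"  # file name stated in the post

def is_suspicious_exe_path(path: str) -> bool:
    """True for an .exe dropped directly into a profile's Application Data folder
    (XP: Application Data\\x.exe, Vista+: AppData\\Roaming\\x.exe) or named like the sample."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe":
        return False
    if p.name.lower() == IOC_FILENAME:
        return True
    parts = [s.lower() for s in p.parts]
    if len(parts) < 3:
        return False
    parent, grandparent = parts[-2], parts[-3]
    return parent == "application data" or (parent == "roaming" and grandparent == "appdata")

# Constructed DNS-log format (not from the post): <ts> <client> query <name> -> <NXDOMAIN|A record>
DNS_LINE = re.compile(r"^(\S+) (\S+) query (\S+) -> (NXDOMAIN|\d{1,3}(?:\.\d{1,3}){3})$")

SAMPLE_DNS_LOG = [  # constructed sample lines; the domain is a placeholder
    "2013-07-08T19:10:02 192.0.2.10 query c2-placeholder.example -> NXDOMAIN",
    "2013-07-08T19:10:02 192.0.2.10 query update.example -> 203.0.113.5",
    "2013-07-09T08:00:00 192.0.2.10 query c2-placeholder.example -> NXDOMAIN",
    "2013-07-10T03:00:00 192.0.2.10 query C2-Placeholder.example. -> 198.51.100.7",
    "2013-07-10T03:05:00 192.0.2.11 query c2-placeholder.example -> 198.51.100.7",
]

def watchlist_went_live(lines, watchlist):
    """Map each watchlisted name that was NXDOMAIN earlier in the log and later
    resolved to the (client, ip, timestamp) of its first successful resolution."""
    watch = {d.lower() for d in watchlist}
    was_nx, went_live = set(), {}
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # line does not fit the constructed format
        ts, client, name, answer = m.groups()
        name = name.lower().rstrip(".")  # normalise case and trailing dot
        if name not in watch:
            continue
        if answer == "NXDOMAIN":
            was_nx.add(name)
        elif name in was_nx and name not in went_live:
            went_live[name] = (client, answer, ts)
    return went_live
```

The second check is the one worth keeping running after the incident: a domain that only ever returned NXDOMAIN is harmless until the day it resolves, and that first resolution is the alert.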

Recommended blocklist:


Ryan Harris said...


SendGrid is aware of this malicious spammer using our system to carry out their payload. The spammer is using a partner of ours, Microsoft's Azure services, to sneak on through. We have been working with Azure's Fraud team to prevent this from happening again.

Sorry for the inconvenience and headache this has caused for the community.

Ryan Harris
Lead Abuse Engineer

Conrad Longmore said...

@Ryan Harris: cool, thanks. So it *was* a Microsoft IP!