Date: Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From: HSBC Wire Advising service [firstname.lastname@example.org]
Subject: HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Kindly Accept Our apology On the copy we sent earlier.
1 attachments (total 586 KB)
View slide show (1)
Download all as zip
Global Payments and Cash Management
Copyright © HSBC Group 2013. All rights reserved. Copyright/IP Policy | Terms of Service
"SAVE PAPER - THINK BEFORE YOU PRINT!"
The link in the email goes to a file sharing site at [donotclick]ge.tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16.
The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report shows some network activity including a suspect connection to ftp.advice.yzi.me (18.104.22.168, Hostinger International US) which might be worth blocking.
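The .scr inside the ZIP is an ordinary Windows executable under another extension, so a mail or download filter can flag it by content as well as by name. The sketch below is an added example, not code from the original post: the function names and the extension list are assumptions, and the sample archive is constructed in memory with a header-only stub rather than a real binary.

```python
import io
import struct
import zipfile

# Extensions Windows launches as programs; a .scr is loaded exactly like an .exe.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl"}

def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew points at a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", head, 0x3C)
    return head[pe_off:pe_off + 4] == b"PE\x00\x00"

def scan_zip(data: bytes) -> dict:
    """Map each suspicious member name to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            _, dot, ext = info.filename.rpartition(".")
            ext = (dot + ext).lower() if dot else ""
            if ext in EXEC_EXTS:
                reasons.append("executable extension " + ext)
            if info.flag_bits & 0x1:  # bit 0 set: member is password-protected
                reasons.append("encrypted member, content not inspected")
            else:
                with zf.open(info) as fh:
                    if looks_like_pe(fh.read(4096)):
                        reasons.append("PE header in content")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed sample: a header-only PE stub (not runnable) named like the attachment."""
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Original Copy (Edited).scr", stub)
        zf.writestr("readme.txt", b"MZ is not enough on its own")
        zf.writestr("invoice.pdf", stub)  # PE content behind a document extension
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

Checking the header as well as the extension catches the same payload if it is renamed to a document-style extension, while a text file that merely begins with "MZ" is not flagged.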