Date: Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
Subject: FW: Last Month Remit
File Validity:Thu, 30 Jan 2014 12:22:05 +0000
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The deception even goes as far as faking the mail headers:
Received: (qmail 6160 invoked from network); 30 Jan 2014 12:22:06 -0000
from unknown (192.168.1.88) by [redacted] with QMQP; 30 Jan 2014 12:22:06 -0000
from 95-177-119-126.aurora.managedbroadband.co.uk (22.214.171.124) by [redacted] with SMTP; 30 Jan 2014 12:22:05 -0000
from docs743.[victimdomain] (10.0.0.170) by [victimdomain] (10.0.0.31) with Microsoft SMTP Server (TLS) id U5G10C1E; Thu, 30 Jan 2014 12:22:05 +0000
from docs7075.[victimdomain] (10.39.36.29) by smtp.[victimdomain] (10.0.0.131) with Microsoft SMTP Server id MJ25NOGJ; Thu, 30 Jan 2014 12:22:05 +0000

Going to the bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realise that the attached ZIP file with an EXE in it was probably bad news.
In this case, the attachment is called Remit_[victimdomain].zip, which in turn contains a malicious executable called Remit.exe with an icon that makes it look like a PDF file.
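The PDF icon fools a person looking at the extracted file, but not a gateway that looks at the archive's contents: a PE file still starts with the "MZ" signature whatever it is called or whatever icon it carries. The following added example (not code from the original post) builds a small archive in memory as a constructed stand-in for Remit_[victimdomain].zip, with an "MZ" stub named Remit.exe, a benign decoy document, and a renamed executable, and lists every member that is executable by extension or by content.

```python
"""Flag ZIP attachments that carry an executable, whatever it is named.

Added example, not from the original post. The sample archive, its member
names and their contents are constructed stand-ins for the attachment
described above.
"""
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Leading bytes of executable formats; an icon or a renamed extension does
# not change them.
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}


def build_sample_zip() -> bytes:
    """Constructed attachment: a PE-looking stub, a decoy PDF, a renamed
    executable and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Remit.exe", b"MZ" + b"\x00" * 62)            # flagged twice
        zf.writestr("statement.pdf", b"%PDF-1.4\n%decoy\n")        # benign
        zf.writestr("report.pdf", b"MZ" + b"\x90" * 62)           # exe renamed .pdf
        zf.writestr("readme.txt", b"plain text, nothing to see\n")  # benign
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member name, reason) for every entry that looks executable by
    extension or by its first bytes. Only the head of each member is read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            with zf.open(info) as fh:
                head = fh.read(4)
            for magic, label in MAGIC.items():
                if head.startswith(magic):
                    reasons.append(f"{label} magic bytes")
            if reasons:
                findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_zip()):
        print(f"{member}: {reason}")
```

Checking the magic bytes as well as the extension is what catches the renamed member; checking the extension as well as the bytes is what catches a real executable whose header has been deliberately damaged so that only Windows' loader tolerates it. Either hit is enough to hold the message for review.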
10/49. Automated analysis tools show an attempted connection to poragdas.com on 126.96.36.199 (Pioneer Elabs, India), which is a server that has been seen before, and to excelbizsolutions.com on 188.8.131.52 (CtrlS Private, India).