Date: Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From: Ladonna Gray [firstname.lastname@example.org]
Subject: inovice 2110254 June
This email contains an invoice file attachment

Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe, which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.
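As an added example (not part of the original post), a small Python check that opens a zip attachment in memory and flags executables named to look like documents, the lure used by invoice_98372342598730_pdf.exe above. The archive it scans is constructed inline with inert placeholder bytes, not the real sample.

```python
import io
import zipfile

# Extensions Windows will run directly; a "document" name ending in one of
# these (invoice_..._pdf.exe) is the double-extension trick in the post.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Words a sender would use to make an executable look like a document.
DOCUMENT_HINTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg")


def suspicious_members(zip_bytes):
    """Return (member_name, reason) for every archive member that is an
    executable, noting when its name pretends to be a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, dot, ext = name.lower().rpartition(".")
            ext = "." + ext if dot else ""
            if ext not in EXECUTABLE_EXTS:
                continue
            # Look at the token just before the real extension, separated by
            # '_' or '.' (invoice_98372342598730_pdf.exe -> "pdf").
            tail = stem.replace(".", "_").rsplit("_", 1)[-1]
            if tail in DOCUMENT_HINTS:
                findings.append((name, f"executable {ext} disguised as {tail}"))
            else:
                findings.append((name, f"executable {ext} inside archive"))
    return findings


def build_sample_zip(member_names):
    """Constructed sample archive (hypothetical); payloads are inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["invoice_98372342598730_pdf.exe", "notes.txt"])
    for member, reason in suspicious_members(sample):
        print(f"{member}: {reason}")
```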
UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:
It also drops a file KB05152056.exe, which has a VirusTotal detection rate of 5/51. Analysis is pending.
UPDATE 2: The Malwr analysis of the second binary is here. This makes a connection to 18.104.22.168.
All the IP addresses listed belong to Clodo-Cloud in Russia:
Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it: