From: Adobe Billing [firstname.lastname@example.org]
Date: 20 October 2014 11:33
Subject: Adobe Invoice
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
The Adobe Team
Adobe Creative Cloud Service
Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners.
© 2014 Adobe Systems Incorporated. All rights reserved.
1/53, the Malwr report shows there are macros in the document that try to run when it is opened. If macros are enabled, they then download and execute a malicious binary from http://pro-pose-photography.co.uk/fair/1.exe which also has a pretty poor detection rate of 2/53.
According to the Malwr report, this binary then reaches out to the following URLs:
The IPs in question are 18.104.22.168 (Virpus, US) and 22.214.171.124 (Intergenia, Germany).
The malware then drops another malicious binary, 2.tmp (which looks like a DLL). The VirusTotal detection rate for this is only 1/54. The Malwr report is inconclusive.
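With antivirus detection this low, the presence of macros in the attachment is the more reliable signal at the mail gateway. The following is an added example, not part of the original post: a heuristic triage that parses a raw message and flags attachments carrying a VBA project. The sample message, the filenames and the function names are constructed for illustration, and a byte-level match like this can give false positives.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")       # legacy .doc/.xls container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")     # stream name in a VBA project storage


def has_vba_macros(data):
    """Heuristic: True if the bytes look like an Office file carrying a VBA project."""
    if data.startswith(OLE_MAGIC):
        # OLE directory entries hold stream names as UTF-16LE text.
        return VBA_STREAM in data
    if data.startswith(b"PK"):
        # OOXML (.docm etc.) keeps macros in a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def macro_attachments(raw_email):
    """Return the filenames of attachments that has_vba_macros() flags."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_macros(payload):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged


def build_sample():
    """Constructed message: a fake macro .doc (not a real document) and a harmless PDF stub."""
    msg = EmailMessage()
    msg["Subject"] = "Adobe Invoice"
    msg.set_content("Attached is your copy of the invoice.")
    fake_doc = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="invoice-sample.doc")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="notes-sample.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(macro_attachments(build_sample()))
```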