From: Milan Roach
Date: 30 October 2014 11:35
Subject: Further Reminder SN4215796
Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.
Many Thanks & Kind Regards
Senior Accounts Payable Clerk

Attached is a malicious Word document with the same name as the subject (e.g. CopySN4215796.doc). There are at least two different versions of this document [Version 1 VirusTotal / Malwr report, Version 2 VirusTotal / Malwr report]. If macros are enabled on the target machine then a malicious macro [pastebin] runs and downloads a further component from one of the two following locations (there may be more):
This binary has a VirusTotal detection rate of 7/54 and the Malwr report shows it contacting the following URLs:
It also drops a file 2.tmp, which is actually a DLL with a VirusTotal detection rate of 14/54; the detections clearly identify it as a variant of Cridex.
UPDATE: a contact tells me that this malware also connects to a config file at:
..so I have updated the blocklist above to include these.
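A mail-triage check for the message shape described above (a subject reference reused in a .doc attachment name, and a legacy Word file that carries macros), as an added example that is not part of the original post. The `SN` plus digits pattern is generalised from the single sample shown, the sender address and payload bytes are constructed, and the byte-marker test for a VBA project is a heuristic rather than a full OLE parse.

```python
import re
from email import message_from_string
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 header of a legacy .doc
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")  # stream name stored when macros exist
REF = re.compile(r"\bSN\d{5,}\b")  # assumed pattern, generalised from SN4215796

def triage(raw):
    """Return the reasons a raw RFC 822 message matches the lure's shape."""
    msg = message_from_string(raw)
    ref = REF.search(str(msg.get("Subject", "")))
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # containers and body text carry no filename
        data = part.get_payload(decode=True) or b""
        if ref and ref.group(0) in name and name.lower().endswith(".doc"):
            reasons.append("attachment name reuses subject reference")
        if data.startswith(OLE_MAGIC) and VBA_MARK in data:
            reasons.append("OLE document carries a VBA project")
    return reasons

def build_sample(subject, filename, payload):
    """Build a constructed test message; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see attached statement.")
    msg.add_attachment(payload, maintype="application",
                       subtype="msword", filename=filename)
    return msg.as_string()

# Constructed bytes: OLE magic plus the VBA stream name, not a working document.
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + VBA_MARK

if __name__ == "__main__":
    lure = build_sample("Further Reminder SN4215796",
                        "CopySN4215796.doc", FAKE_MACRO_DOC)
    print(triage(lure))
```

Either reason alone is weak evidence; both together on one message are worth quarantining for review.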