From: Mathew Doleman [email@example.com]The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors. Some investigation shows that it contains a malicious macro [pastebin].
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010
Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.
Date: December 04, 2014
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB
Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)
The macro downloads a file from http://hiro-wish.com/js/bin.exe which is completely undetected by any AV vendor at present. According to the internal data, this is a Windows Media Player component although the compile date is today so this seems unlikely.
Developer metadataCopyright© Microsoft Corporation. All rights reserved.Publisher Microsoft CorporationProduct Microsoft® Windows® Operating SystemOriginal name wmadmod.dllInternal name wmadmod.dllFile version 11.0.5721.5145 (WMP_11.061018-2006)Description Windows Media Audio Decoder
PE header basic information
Target machine Intel 386 or later processors and compatible processorsCompilation timestamp 2014-12-05 06:30:06Entry Point 0x00006460Number of sections 3
188.8.131.52 (1&1 Internet, US)
184.108.40.206 (Ministry of Education, Thailand)
The VirusTotal report shows it phoning home t:
220.127.116.11 (Dmitry Zheltov / Hetzner, Germany)