From: firstname.lastname@example.orgAttached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56 on VirusTotal. That contains this macro [pastebin] which downloads an executable from:
Date: 12 December 2014 at 17:17
Subject: Order - R58551
Thanks for placing order with us today! Your order is now on process.
Outright Purchase: 6949 US Dollars
Please click the word file provided below to see more details about your order.
Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@[redacted]
That has a VirusTotal detection rate of 5/55. The Malwr report shows HTTP traffic to the following URLs:
The ThreatExpert report shows POSTing to 18.104.22.168:8080
Combining some extra lookup in the Malwr report indicates that these following IPs are suspect:
22.214.171.124 (Atlantic.net, US)
126.96.36.199 (Fornex Hosting, Germany)
188.8.131.52 (Briz, Ukraine)
184.108.40.206 (OVH, France)
220.127.116.11 (Ohio Public Libraries, US)
18.104.22.168 (Leaseweb, Netherlands)
A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.