From: email@example.comI have personally only seen one sample with an attachment Les Mills SIV035931.doc which is currently undetected by AV vendors and contains this malicious macro [pastebin]. This version of the macro attempts to download a component from:
Date: 14 January 2015 at 07:49
Subject: Les Mills Invoice
Please find attached an invoice for Les Mills goods/services. Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
If you have any queries please email firstname.lastname@example.org or call 0207 264 0200 and select option 3 to speak to a member of the team.
Les Mills Finance Team
..but this location is currently not working. However, my sources say that there is another download location of:
which is loaded by a different version of the DOC that I have not yet seen. This file is saved as %TEMP%\dserrttfsdf.exe and has a VirusTotal detection rate of 2/57. The same source says that it downloads a DLL from the following IPs:
22.214.171.124 (HKBN, Hong Kong)
126.96.36.199 (1&1, US)
188.8.131.52 (Webhuset Datasenter, Norway)
Some of this activity can be seen in the Malwr report including the dropped DLL which has a VirusTotal detection rate of just 2/57.