From: firstname.lastname@example.org
Date: 27 February 2015 at 09:14
Subject: Dennys Invoice INV650988

To view the attached document, you will need the Microsoft Word installed on your system.

So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero. This contains this malicious macro [pastebin] which downloads another component from the following location:
This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57.
According to the Malwr report, this executable then goes on to download another version of itself and a config file from:
It drops several files, KB2896~1.EXE [VT 3/57], edg2.exe [VT 3/57] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday). (If you have a Malwr account you can download a copy of everything from here)
Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
188.8.131.52 (Centarra Networks, US)
184.108.40.206 (Leaseweb, Netherlands)
220.127.116.11 (SuperHost.pl, Poland)
18.104.22.168 (MWTV, Latvia)
22.214.171.124 (Webazilla, US)
126.96.36.199 (Broadband Multiplay Project, India)
188.8.131.52 (Net 3, US)
Some of these are shared hosting servers, so for maximum protection I recommend applying the following blocklist:
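As an added example, not part of the original post, the Python script below turns the IP list above into a deduplicated set of egress firewall rules and checks proxy-style log lines against the same indicators. The addresses and filenames are the ones quoted in the post; the log lines, the log format, and the `iptables` chain name are constructed assumptions for illustration.

```python
import ipaddress
import re

# Indicators quoted from the analysis above (IPs exactly as listed there;
# one address appears twice in the post, which the dedup below handles).
IOC_IPS = [
    "188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168",
    "22.214.171.124", "126.96.36.199", "188.8.131.52",
]
# Filenames named in the analysis above, useful for endpoint searches.
IOC_FILENAMES = {"INV650988.doc", "324235235.exe", "KB2896~1.EXE", "edg2.exe"}


def build_blocklist(ips):
    """Return validated, deduplicated IPv4/IPv6 addresses sorted numerically.
    Malformed entries are skipped rather than becoming broken rules."""
    seen = set()
    for raw in ips:
        try:
            seen.add(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue
    return [str(ip) for ip in sorted(seen)]


def iptables_rules(ips, chain="OUTPUT"):
    """Render one DROP rule per address. The OUTPUT chain is assumed because the
    post describes the infected host calling out to these servers (egress)."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in build_blocklist(ips)]


# Assumed proxy log format: timestamp, client IP, method, destination host[:port].
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<dst>\S+)")


def scan_log(lines, blocked_ips):
    """Return (client, destination, line_no) for every line whose destination
    matches an indicator; unparseable lines are ignored."""
    block = set(build_blocklist(blocked_ips))
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = m.group("dst").split(":")[0]   # strip the port, if any
        if dst in block:
            hits.append((m.group("client"), dst, n))
    return hits


# Constructed sample log lines (not real traffic); 198.51.100.7 is a
# documentation address standing in for benign traffic.
SAMPLE_LOG = [
    "2015-02-27T09:20:01Z 10.0.0.15 GET 184.108.40.206:80",
    "2015-02-27T09:20:03Z 10.0.0.15 GET 198.51.100.7:443",
    "2015-02-27T09:21:10Z 10.0.0.22 POST 18.104.22.168:8080",
    "garbage line",
]

if __name__ == "__main__":
    for rule in iptables_rules(IOC_IPS):
        print(rule)
    for client, dst, n in scan_log(SAMPLE_LOG, IOC_IPS):
        print(f"line {n}: {client} contacted indicator {dst}")
```

Because the post notes that some of these addresses are shared hosting, the rendered rules are best applied as egress blocks and reviewed for collateral impact rather than dropped in wholesale; the log scan gives you a way to see which internal hosts were already talking to them before the block went in.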