From: firstname.lastname@example.orgSo far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero. This contains this malicious macro [pastebin] which downloads another component from the following location:
Date: 27 February 2015 at 09:14
Subject: Dennys Invoice INV650988
To view the attached document, you will need the Microsoft Word installed on your system.
This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57.
According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:
It drops several files, KB2896~1.EXE [VT 3/57], edg2.exe [VT 3/57] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday). (If you have a Malwr account you can download a copy of everthing from here)
Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
126.96.36.199 (Centarra Networks, US)
188.8.131.52 (Leaseweb, Netherlands)
184.108.40.206 (SuperHost.pl, Poland)
220.127.116.11 (MWTV, Latvia)
18.104.22.168 (Webazilla, US)
22.214.171.124 (Broadband Multiplay Project, India)
126.96.36.199 (Net 3, US)
Some of these are shared hosting, I recommend for maximum protection that you apply the following blocklist: