"Remittance advice" spam has a mystery XML attachment

I haven't worked this out yet, but this appears to be a malware spam run using an XML document that contains an ActiveX element.

From:    Trudy Trevino
Date:    4 March 2015 at 09:29
Subject:    Remittance advice [Rem_0559ZX.xml]

Good morning

You can find remittance advice [Rem_0559ZX.xml] in the attachment

Kind Regards
Trudy Trevino
ROSNEFT OJSC

Other example fake senders are:

Georgette Whitfield
DELTEX MEDICAL GROUP

Jasmine Hansen
ACER INC

Jodi Cooper
JOHNSON SERVICE GROUP PLC

Rebekah Dodson
VICTREX

Edmund Molina
600 GROUP

Callie Brewer
BIOQUELL

Harriett Ferguson
BRISTOL & WEST PLC

Gabrielle Alvarado
JPMORGAN US SMALLER CO INV TST PLC

The name of the XML file in the attachment (and also the body text and subject) varies but is always in the format Rem_1234AB.xml. So far I have seen three different versions (clicking the MD5 leads to a Pastebin with the XML attachment):

• MD5 B2E594BDE90A1C998F3A7D892BAC925B - VT 0/57
• MD5 77739AB6C20E9DFBEFFA3E2E6960E156   - VT 0/57
• MD5 877E6EC17F307C319E3084D1EDFC40A4  - VT 0/57

The XML attachment contains a Base 64 encoded section which starts with the string "ActiveMime" which indicates that it is some sort of ActiveX element. I haven't been able to deduce the purpose of this, and the Malwr report is inconclusive but does show a command prompt being opened. The payload is most likely the Dridex banking given the other characteristics of the spam.

There's probably little reason to accept XML documents by email. Blocking these at your email gateway might be a good idea.

UPDATE 1

An analysis from another party indicates the following download locations:

http://92.63.87.12:8080/azvxjdfr31k/abs5ajsu.exe
http://178.32.184.11:8080/azvxjdfr31k/abs5ajsu.exe
http://46.30.42.90:8080/azvxjdfr31k/abs5ajsu.exe

The following are the servers the malware phones home to, I recommend blocking them:

62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111

More analysis to follow..