Date: 21 May 2015 at 08:58
Subject: Invoice# 2976361 Attached
Invoice Attached - please confirm..
This transmission may contain information that is privileged and strictly confidential. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.
If you received this transmission in error, please contact the sender and delete the material from any computer immediately. Thank you.
Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:
This download site is hosted on 126.96.36.199 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.
Automated analysis tools     show attempted communications with the following IPs:
188.8.131.52 (TheFirst-RU, Russia)
184.108.40.206 (Hetzner, Germany)
220.127.116.11 (OneGbits, Lithuania)
18.104.22.168 (Fishnet Communications, Russia)
22.214.171.124 (The University of Iceland, Iceland)
126.96.36.199 (OVH, France / Bitweb LLC, Russia)
188.8.131.52 (RuWeb, Russia)
The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.