From: Johnny Higgins [JohnnyHigginsyb@mail.whitsoncm.com]
Date: 13 May 2015 at 11:39
Subject: Need your attention,''Important notice
We have received a payment from you for the sum of £ 686. Please would you provide me with a remittance, in order for me to reconcile the statement.
I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564 less the £3254.00 received making a total outstanding of £ 878. We would very much appreciate settlement of this.
As previously mentioned, we changed entity to a limited company on 1st December 2014. We are keen to close all the old accounts down, for both tax and year end reasons. We would be very grateful in your assistance in settling the outstanding.
If you need any copy invoices please do not hesitate to contact us

From: Rowena Mcconnell [RowenaMcconnellev@telemar.it]
Date: 13 May 2015 at 11:38
Subject: Financial information
Please see attached the copy of the remittance.
Please can you send a revised statement so we can settle any outstanding balances.

From: Jimmie Cooley [JimmieCooleyzils@fsband.net]
Date: 13 May 2015 at 11:34
Subject: Important information
Please find attached a remittance advice, relating to a payment made to you.
Seniour Finance Assistant

Each attachment is slightly different, but each one carries the name of the recipient plus a random hexadecimal number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multipart MIME file, but many samples are corrupt and turn out to be either Base64-encoded blobs or "404 Not Found" error pages saved under the .doc name.
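The mix of file shapes described above (a genuine multipart MIME document, a Base64-encoded copy of one, or a "404 Not Found" page saved with a .doc name) is a nuisance when you have a mailbox full of these to sort. The script below is an added triage example, not tooling from the original post: it parses the recipient_random.doc naming scheme and classifies the first bytes of each attachment so that only the correctly formed ones go on to a sandbox. The 12-hex-digit length of the random part is an assumption taken from the single filename in the post, and all sample blobs are constructed here, not captured from the campaign.

```python
"""Triage for .doc attachments of the kind described above (added example)."""
import base64
import binascii
import re

# Naming scheme from the post: <recipient>_<random hex>.doc, e.g. it-dept_0E78A3A5700B.doc.
# The 12-hex-digit length is an assumption based on that single example.
ATTACH_NAME_RE = re.compile(r'^(?P<recipient>[A-Za-z0-9.\-]+)_(?P<rand>[0-9A-Fa-f]{12})\.doc$')

OLE_MAGIC = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1'     # Compound File Binary header (legacy .doc)
B64_ALPHABET = re.compile(rb'^[A-Za-z0-9+/]+={0,2}$')  # whole blob is Base64 characters


def parse_attachment_name(name):
    """Return (recipient, random_id) if the name matches the campaign scheme, else None."""
    m = ATTACH_NAME_RE.match(name)
    if m is None:
        return None
    return m.group('recipient'), m.group('rand').upper()


def classify_payload(data, depth=0):
    """Classify attachment bytes: 'ole', 'rtf', 'mime', 'http404', 'base64:<inner>' or 'unknown'."""
    head = data[:4096]
    if head.startswith(OLE_MAGIC):
        return 'ole'
    if head.startswith(b'{\\rtf'):
        return 'rtf'
    low = head.lower()
    # A multipart MIME container (the form the post says the payload is meant to have).
    if b'content-type:' in low and b'multipart/' in low and b'boundary=' in low:
        return 'mime'
    # A fetched error page saved under the .doc name.
    if b'404 not found' in low:
        return 'http404'
    # A Base64 blob: decode once and classify what is inside (one level only).
    compact = re.sub(rb'\s+', b'', data)
    if depth == 0 and compact and B64_ALPHABET.match(compact):
        try:
            inner = base64.b64decode(compact, validate=True)
        except binascii.Error:
            return 'unknown'
        return 'base64:' + classify_payload(inner, depth + 1)
    return 'unknown'


def triage(name, data):
    """Combine the filename parse and the content classification for one attachment."""
    parsed = parse_attachment_name(name)
    return {
        'name': name,
        'recipient': parsed[0] if parsed else None,
        'random_id': parsed[1] if parsed else None,
        'matches_campaign_naming': parsed is not None,
        'kind': classify_payload(data),
    }


# Constructed sample blobs for demonstration; none of these are real campaign files.
SAMPLES = {
    'it-dept_0E78A3A5700B.doc': (b'MIME-Version: 1.0\r\n'
                                 b'Content-Type: multipart/related; boundary="----=_NextPart_01D0"\r\n\r\n'
                                 b'------=_NextPart_01D0\r\nContent-Type: text/html\r\n'),
    'accounts_1A2B3C4D5E6F.doc': base64.b64encode(OLE_MAGIC + b'\x00' * 64),
    'finance_ABCDEF012345.doc': b'<html><head><title>404 Not Found</title></head></html>',
    'invoice.doc': OLE_MAGIC + b'\x00' * 64,
}

if __name__ == '__main__':
    for sample_name, blob in SAMPLES.items():
        print(triage(sample_name, blob))
```

Only attachments classified as 'mime' (or 'base64:mime', after decoding) are worth sending to a sandbox; the 'http404' ones are dead on arrival and the Base64 ones need decoding before Word would open them at all. Feed the script real attachments by reading each file in binary mode and calling triage(filename, data).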
If the file is correctly formatted, it should behave similarly to this Hybrid Analysis report, which shows it connecting to several different IPs but, crucially, also downloading a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saving it as crypted.120.exe.
This malicious executable has a detection rate of 2/56, and the Malwr report says that it communicates with 126.96.36[.]199 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.