The attachment is New_Order_#056253_Hf_Constructions.pdf, which looks like a purchase order, but there is a blurred-out section.
From: Kang Li [mailto:firstname.lastname@example.org]
Sent: 10. juni 2015 09:35
Please find attached our new order and send P/I against 50% advance payment
An examination of the underlying PDF file shows two URLs listed:
In turn these redirect to:
The second URL listed 404s, but the first one is active. According to the URLquery report, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page at:
This page 404s, but was previously hosted on a bad server at 126.96.36.199 [VT report]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort.
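To look for embedded link targets in a PDF like this without opening it in a viewer, here is an added example (not from the original post) that scans the raw bytes for /URI actions, decodes both the literal-string and hex-string forms, and inflates Flate-compressed streams so targets tucked inside compressed objects are found too. The sample PDF bytes and the example.test URLs are constructed for illustration.

```python
import re
import zlib

# Constructed sample, not the real attachment: two plain /URI link actions plus one
# hidden inside a Flate-compressed stream, where a plain text search would miss it.
_HIDDEN = zlib.compress(b"<< /S /URI /URI (http://example.test/hidden\\057x) >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"3 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.test/login) >> >> endobj\n"
    b"4 0 obj << /Subtype /Link /A << /S /URI /URI <687474703a2f2f6578616d706c 652e746573742f7265646972656374> >> >> endobj\n"
    b"5 0 obj << /Filter /FlateDecode /Length " + str(len(_HIDDEN)).encode() + b" >>\nstream\n"
    + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n"
)

# /URI may carry a literal string (...) with backslash escapes, or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)  # skip "endstream"
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f", b"(": b"(", b")": b")", b"\\": b"\\"}

def _unescape_literal(raw: bytes) -> bytes:  # PDF literal-string escapes: \n \( \) \\ and octal \ddd
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in _ESC:
                out += _ESC[nxt]; i += 2; continue
            if m := re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4]):
                out.append(int(m.group(0), 8) & 0xFF); i += 1 + len(m.group(0)); continue
            i += 1; continue  # unknown escape: drop the backslash, keep the character
        out += raw[i:i + 1]; i += 1
    return bytes(out)

def _inflate_streams(pdf: bytes) -> bytes:
    """Append inflated copies of zlib streams so /URI entries inside them get scanned too."""
    extra = bytearray()
    for m in _STREAM_RE.finditer(pdf):
        try:
            extra += zlib.decompressobj().decompress(m.group(1))  # tolerates trailing bytes
        except zlib.error:
            pass  # not zlib data (image, font, other filter): skip it
    return pdf + bytes(extra)

def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found in the PDF bytes, in file order, for triage."""
    uris = []
    for lit, hexs in _URI_RE.findall(_inflate_streams(pdf)):
        h = re.sub(rb"\s", b"", hexs)  # hex strings may contain whitespace; odd length pads with 0
        raw = bytes.fromhex((h + b"0" * (len(h) % 2)).decode()) if h else _unescape_literal(lit)
        uris.append(raw.decode("latin-1"))
    return uris
```

Targets found this way are for inspection in an isolated environment, never for clicking from the mail client; object streams using filters other than FlateDecode are not inflated here.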
The "megatrading.hol.es" (hosted on 188.8.131.52 by Hostinger - VT report) landing page looks like a straightforward phish:
Entering the username and password always seems to return an error, even if you are absolutely certain the combination is correct.
I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.