From: Kelley SmallThe sender's name is randomly generated, for example:
Date: 17 December 2015 at 08:39
Subject: 12/16 A Invoice
Please find attached a recharge invoice for your broadband.
There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results       ). Detection rates are close to zero.
The Malwr reports for those documents is a mixed bag        is a mixed bag, but overall they spot data being POSTed to:
Sources tell me there is another download location of:
Those IPs are likely to be malicious and belong to:
18.104.22.168 (Veraton Projects Ltd, Netherlands)
22.214.171.124 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
126.96.36.199 (Hostpro Ltd, Ukraine)
They also GET from:
A file karp.exe is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with:
188.8.131.52 (SC-Nextra Telecom SRL, Romania)
It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.
The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.