From: Carol Mcgowan
Date: 15 December 2015 at 09:09
Subject: Reference Number #89044096, Notice of Unpaid Invoice
Dear Valued Customer,
It seems that your account has a past due balance of $263,49. Previous attempts to collect the outstanding amount have failed.
Please remit $263,49 from invoice #89044096 within three days or your account will be closed, any outstanding orders will be cancelled and this matter will be referred to a collection agency.
The payment notice is enclosed to the letter down below.
Attached is a file invoice_89044096_scan.doc which has a VirusTotal detection rate of 2/54, and which contains this malicious macro [pastebin] which attempts to download a binary from the following location:
This domain was registered only today, and at the moment is not resolving properly. The payload here is likely to be Teslacrypt.
The WHOIS details for it are:
Registrant Name: Quinciano Huerta
Registrant Organization: Quinciano Huerta
Registrant Street: Vila Fonteles 163
Registrant City: Fortaleza
Registrant State/Province: CE
Registrant Postal Code: 60741-080
Registrant Country: BR
Registrant Phone: +55.8568257712
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: firstname.lastname@example.org
Nameservers are dns1.saymylandgoodbye.in and dns2.saymylandgoodbye.in, hosted on 126.96.36.199 (Serverius, Netherlands) and 188.8.131.52 (Awax Telecom, Russia).
Those two IPs host or have recently hosted the following potentially malicious domains:
Recommended minimum blocklist:
There is a good analysis of this malware at TechHelpList including the C2 domains involved.
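As an added example (not part of the original post), a small Python matcher that checks DNS resolver log lines against the infrastructure named above: the nameserver domain saymylandgoodbye.in (including any subdomain of it) and the two hosting IPs. The log lines are constructed for illustration and the four-column log format is an assumption.

```python
import ipaddress

# Indicators taken from the post above: the nameserver domain and the two
# hosting IPs. The post's own blocklist is not reproduced on this page.
BLOCKED_DOMAINS = {"saymylandgoodbye.in"}
BLOCKED_IPS = {
    ipaddress.ip_address("126.96.36.199"),
    ipaddress.ip_address("188.8.131.52"),
}

# Constructed sample resolver log (assumed format: "timestamp client qname answer").
# Clients and the benign answers use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2015-12-15T09:12:01Z 10.0.0.14 dns1.saymylandgoodbye.in 126.96.36.199
2015-12-15T09:12:03Z 10.0.0.14 www.example.org 192.0.2.10
2015-12-15T09:12:05Z 10.0.0.22 cdn.SayMyLandGoodbye.IN. 188.8.131.52
2015-12-15T09:12:07Z 10.0.0.31 notsaymylandgoodbye.in 198.51.100.7
"""


def domain_matches(qname, blocked):
    """True if qname is a blocked domain or a subdomain of one (case-insensitive,
    trailing dot tolerated; 'notsaymylandgoodbye.in' must not match)."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)


def ip_matches(answer, blocked):
    """True if the answer is a blocked IP; non-IP answers (CNAME, NXDOMAIN) never match."""
    try:
        return ipaddress.ip_address(answer) in blocked
    except ValueError:
        return False


def find_hits(log_text):
    """Return (timestamp, client, normalised qname, answer, reasons) for each
    line that touches blocked infrastructure by name, by IP, or both."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, answer = parts
        reasons = []
        if domain_matches(qname, BLOCKED_DOMAINS):
            reasons.append("domain")
        if ip_matches(answer, BLOCKED_IPS):
            reasons.append("ip")
        if reasons:
            hits.append((ts, client, qname.rstrip(".").lower(), answer, reasons))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```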