From: Virgilio Bradley
Date: 16 December 2015 at 14:37
Subject: Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice
Dear Valued Customer,
This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.
Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.
Customer Service Department
182 Shobe Lane
Denver, CO 80216
The names, amounts and reference numbers change from email to email. The attachment is named after the reference number in the subject (e.g. invoice_09846839_copy.doc), but despite this variation I have only seen one version of the document, which has a VirusTotal detection rate of just 1/55.
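Because the subject line and attachment name vary together (the same reference number appears in both), a mail-filter rule can key on that relationship rather than on any single sender name or amount. The following is an added example, not code from the original post: it matches the subject pattern quoted above, extracts the reference number and checks whether an attached `invoice_<ref>_copy.doc` carries the same number. The message dictionaries are constructed samples, not real captured mail.

```python
import re

# Constructed sample messages following the pattern described in the post.
# Company names, amounts and reference numbers vary; the attachment is named
# after the reference number. These are not real messages.
SAMPLE_MESSAGES = [
    {"subject": "Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice",
     "attachments": ["invoice_09846839_copy.doc"]},
    {"subject": "Unpaid Invoice from Example Corp, Ref. 12345678, Urgent Notice",
     "attachments": ["invoice_12345678_copy.doc"]},
    {"subject": "Re: meeting notes",
     "attachments": ["notes.pdf"]},
    # Subject matches the campaign, but the attachment reference does not agree.
    {"subject": "Unpaid Invoice from Example Ltd, Ref. 55555555, Urgent Notice",
     "attachments": ["invoice_99999999_copy.doc"]},
]

# Subject: "Unpaid Invoice from <company>, Ref. <digits>, Urgent Notice"
SUBJECT_RE = re.compile(r"^Unpaid Invoice from .+?, Ref\. (\d+), Urgent Notice$")
# Attachment: "invoice_<digits>_copy.doc"
ATTACH_RE = re.compile(r"^invoice_(\d+)_copy\.doc$", re.IGNORECASE)


def classify(msg):
    """Return 'campaign-match', 'subject-only' or 'clean' for one message.

    'campaign-match' means the subject pattern fires AND an attachment carries
    the same reference number; 'subject-only' means the subject pattern fires
    but no attachment agrees (still worth quarantining for review).
    """
    m = SUBJECT_RE.match(msg.get("subject", ""))
    if not m:
        return "clean"
    ref = m.group(1)
    for name in msg.get("attachments", []):
        a = ATTACH_RE.match(name)
        if a and a.group(1) == ref:
            return "campaign-match"
    return "subject-only"


def classify_all(messages):
    """Classify a list of messages, returning a list of (subject, verdict)."""
    return [(msg["subject"], classify(msg)) for msg in messages]


if __name__ == "__main__":
    for subject, verdict in classify_all(SAMPLE_MESSAGES):
        print(f"{verdict:15s} {subject}")
```

The two regular expressions are deliberately strict (anchored at both ends) so that ordinary invoice mail is not swept up; loosening `Ref\.` or the trailing phrase would be the first thing to adjust if later waves of the same campaign change the template.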
According to this Malwr report, the macro in the document downloads a binary from:
This appears to be TeslaCrypt ransomware, and it has a detection rate of 5/53. Unlike many campaigns that abuse compromised legitimate sites, the domain iamthewinnerhere.com has been registered specifically to host this malware, and is located on:
22.214.171.124 (Hosting Ukraine Ltd, Ukraine)
126.96.36.199 (Ideal-Hosting UG, Germany)
Nameservers are DNS1.SAYMYLANDGOODBYE.IN and DNS2.SAYMYLANDGOODBYE.IN. Other suspect sites on these IPs are:
According to this Malwr report, the binary then phones home to these legitimate but hacked domains:
Recommended minimum blocklist:
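The blocklist itself is not reproduced in this copy of the post. As an added example that is not the post's own list, the script below takes the indicators that are named above (the purpose-registered domain, the nameserver parent domain and the two hosting IPs) and runs them over constructed proxy log lines, matching both the exact host and any subdomain of a blocked domain while not matching look-alike names that merely end in the same string. The log format and the addresses of the internal clients are assumptions for the example.

```python
from urllib.parse import urlparse

# Indicators taken from the post: the domain registered to host the malware,
# the parent domain of its nameservers, and the two hosting IP addresses.
BLOCKED_DOMAINS = {"iamthewinnerhere.com", "saymylandgoodbye.in"}
BLOCKED_IPS = {"22.214.171.124", "126.96.36.199"}

# Constructed proxy log lines in an assumed "epoch client method url" layout.
# Hosts, paths and client addresses are made up for the example; the real
# download URL is not reproduced here.
SAMPLE_LOG = """\
1450276621 10.0.0.12 GET http://iamthewinnerhere.com/placeholder-path
1450276630 10.0.0.15 GET http://www.example.com/index.html
1450276640 10.0.0.12 GET http://126.96.36.199/placeholder-path
1450276650 10.0.0.20 GET http://cdn.iamthewinnerhere.com/placeholder-path
1450276660 10.0.0.21 GET http://notiamthewinnerhere.com/
1450276670 10.0.0.22 GET http://dns1.saymylandgoodbye.in/
"""


def host_matches(host):
    """True if host is a blocked IP, a blocked domain, or a subdomain of one.

    The suffix check requires a leading dot so that e.g.
    'notiamthewinnerhere.com' does not match 'iamthewinnerhere.com'.
    """
    host = host.lower().rstrip(".")
    if host in BLOCKED_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scan(log_text):
    """Return (client, host) pairs for every log line that hit an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        _ts, client, _method, url = parts[:4]
        host = urlparse(url).hostname or ""
        if host_matches(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in scan(SAMPLE_LOG):
        print(f"{client} contacted {host}")
```

Matching on the nameserver parent domain as well as the malware host is a deliberate choice: a domain that exists only to serve a campaign's DNS is as good an indicator as the payload host, and blocking it catches sibling domains parked on the same infrastructure.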