From: Giuseppe SimsThe sender's name is randomly-generated but is always female. Also random are the order number and value, and there is an attachment in the format invoice_12345678_scan.zip that matches the reference in the document.
Date: 14 December 2015 at 14:19
Subject: Your order #25333445
Dear Valued Customer,
This letter was sent to you as a formal notice that you are obligated to repay our company the sum of 2,760$ which was advanced to you from our company on October 16, 2015.
Please, find the invoice enclosed down below.
This amount must be repaid until the date of maturity to payment obligation, December 28, 2015 and you have failed to repay our company the same despite repeated requests for this payment.
Thank you in advance for your prompt attention to this matter. We look forward to your remittance. If you have any questions, please do not hesitate to contact us.
11 Money Way
Pittsburgh, PA 15226
Inside that ZIP file is a uniquely generated .JS file in the format invoice_XXXXXX.js or invoice_copy_XXXXXX.js which is highly obfuscated (like this) and deobfuscates to something like this.
The various versions of the macro attempts to download a binary from the following location:
I cannot get this to resolve at the moment, it turns out that the domain was only registered today.
Domain Name:miracleworld1.comI think they started spamming before the domain records could be pushed out fully. Shame.
Registry Domain ID:
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: webnic.cc
Updated Date:2015-12-14 21:24:21
Creation Date:2015-12-14 21:21:12
Registrar Registration Expiration Date:2016-12-14 13:21:11
Registrar IANA ID:460
Registrar Abuse Contact Email:firstname.lastname@example.org
Registrar Abuse Contact Phone:+603 8996 6799
Registry Registrant ID:
Registrant Name:Eliisa Laukkanen
Registrant Organization:Eliisa Laukkanen
Registrant Street:Etelaesplanadi 89
Registrant Postal Code:07810
Registrant Phone Ext:
Registrant Fax Ext:
Nameservers are DNS1.DONALDDUCKS.IN and DNS2.DONALDDUCKS.IN on 126.96.36.199 (NTCOM, Russia) and 188.8.131.52 (Dmitry Shestakov, Belize / OVH, France) respectively.
Looking at the nameservers, I can see that the following malicious domains are part of the same cluster, and I recommend you block all of them:
Although I have not been able to acquire the payload, it is almost definitely Teslacrypt.
An updated version of the script is being spammed out that looks like this when deobfuscated. This attempts to download Teslacrypt from the following URLs:
This has a detection rate of 4/55. firstwetakemanhat.com was registered just today and is hosted on:
184.108.40.206 (PE Govoruhin Vitaliy Sergeevich, Russia)
220.127.116.11 (Ideal-Hosting UG, Germany)
Nameservers are DNS1.GOGODNS.RU and DNS2.GOGODNS.RU which are hosted on the same two IPs.
The Malwr report shows more details, however this is my recommended blocklist (updated):