From "A . Baird" [ABaird@jtcp.co.uk]Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday   . The payload is meant to be the Dridex banking trojan.
Date Mon, 18 Jan 2016 16:17:20 +0530
Subject Invoice January
We have been paid for much later invoices but still have the attached invoice as
Can you please confirm it is on your system and not under query.
Registered in Scotland 29216
14 Carnoustie Place
Glasgow G5 8PB
Direct Dial: 0141 418 5303
Tel: 0141 429 1094
P Save Paper - Do you really need to print this e-mail?
If you can get hold of the original message, then it should be possible to locate the faulty Base 64 section which has a leading space in it. Removing the space and decoding the Base 64 would generate the intended malicious message. Obviously, I don't recommend doing that unless who want to decode the malware..
A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers whcih are worth blocking:
18.104.22.168 (WebSiteWelcome, US)
22.214.171.124 (CAT BB Net, Thailand)
126.96.36.199 (Advanced Internet Technologies Inc, US)
188.8.131.52 (Gerrys Information Technology (pvt) Ltd, Pakistan)