Date Thu, 21 Jan 2016 15:13:36 +0530
Subject 201552 ebill
Customer No : 8652
Email address : [redacted]
Attached file name : 8652_201552.DOC
Please find attached your invoice for 201552.
To manage your account online - please visit Velocity.
Alternatively please contact us on:
Ground Floor, Unit 2,
Galway Technology Park,
Parkmore, Galway, H91KFD3
Company Reg No : 233354
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
There are at least three different versions of the attachment 8652_201552.doc (VirusTotal results   )
for which the Malwr reports    indicate downloads from the following locations:
montaj-klimat.ru/8h75f56f/34qwj9kk.exe [spotted here]
This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54. Those reports indicate that it phones home to.
18.104.22.168 (SoftCom America Inc., US)
A contact (thank you) also pointed out some other locations the malware phones home to
22.214.171.124 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
126.96.36.199 (Advanced Internet Technologies Inc., US)
188.8.131.52 (Gerrys Information Technology (pvt) Ltd, Pakistan)
The payload is the Dridex banking trojan, being sent by botnet 220.