From: firstname.lastname@example.orgThe attachment is meant to be in the format email@example.com_201601151152_097144.doc but due to an apparent error in the MIME formatting, saving it results in a file in the format firstname.lastname@example.org_201601151152_097144.doc_ 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA.doc_0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA instead
Date: 15 January 2016 at 10:12
Subject: Scanned image from MX-2640N
Reply to: email@example.com [firstname.lastname@example.org]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned image in Microsoft Word format.
The next problem for the bad guys is that they have added a leading space to the Base 64 encoded section with the attachment in. This means that unless the mail client somehow fixes the error, the attachments are harmless (VirusTotal results    ).
Now, not many people are going to wade in and fix the malicious attachments, but I did and I got three unique files (VirusTotal results   ).
Analysis of these documents is pending, but the payload is probably meant to be the Dridex banking trojan.
I managed to coax a Hybrid Analysis of two of the documents   showing download locations of:
This executable is the same one dropped in this spam run. It currently has a VirusTotal detection rate of 6/54.
Ironically, that Ukrainian site is on 18.104.22.168 (PE Ivanov Vitaliy Sergeevich, Ukraine) and it is the only time I have seen a legitimate site in the block.. and it has been hacked. In any case, I would recommend blocking the entire 22.214.171.124/23, legitimate sites or not.
Those two Hybrid Analysis reports give a whole bunch of callback IPs between them:
126.96.36.199 (Advanced Hosters B.V., NL)
188.8.131.52 (Internet Technologies Inc., US)
184.108.40.206 (Lanka Comunication Services, Sri Lanka)
220.127.116.11 (Heart Internet VPS, UK)
18.104.22.168 (Bulgarian Academy Of Sciences, Bulgaria)
22.214.171.124 (Veleuciliste U Sibeniku, Croatia)
126.96.36.199 (TE Data, Egypt)
Despite the fact that the attachments aren't working, I would expect to see those IPs in use for other badness and I would recommend blocking them.