From: Orders - TSSC [Orders@thesafetysupplycompany.co.uk]So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.
Date: 15 January 2016 at 09:06
Subject: Your order #7738326 From The Safety Supply Company
Thank you for your recent purchase.
Please find the details of your order through The Safety Supply Company attached to this email.
The Sales Team
This Hybrid Analysis on the first sample shows it downloading from:
That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to commicate with:
184.108.40.206 (Advanced Internet Technologies Inc., US)
220.127.116.11 (TE Data, Egypt)
18.104.22.168 (Hetzner, Germany)
I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.
Dropped file MD5:
This related spam run gives some additional download locations:
Sources also tell me that there is one at: