From: Laurence Cottle [firstname.lastname@example.org]
Date: 18 February 2016 at 13:35
Any chance of getting this invoice paid, please?
Attached is a file unnamed document.docm which comes in several different versions.
Third-party analysis (thank you!) reveals that there are download locations at:
This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.
The malware phones home to:
Out of those, the most suspect IPs are:
126.96.36.199 (Iliad / Online S.A.S., FR)
188.8.131.52 (myidealhost.com / Hetzner, DE)
184.108.40.206 (Vstoike.com / Fishnet Communications, RU)
220.127.116.11 (Joes Datacenter LLC, US)