From: Laurence Cottle [email@example.com]
Date: 18 February 2016 at 13:35
Any chance of getting this invoice paid, please?
Attached is a file, unnamed document.docm, which comes in several different versions.
Third-party analysis (thank you!) reveals that there are download locations at:
This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.
The malware phones home to:
Out of those, the most suspect IPs are:
184.108.40.206 (Iliad / Online S.A.S., FR)
220.127.116.11 (myidealhost.com / Hetzner, DE)
18.104.22.168 (Vstoike.com / Fishnet Communications, RU)
22.214.171.124 (Joes Datacenter LLC, US)