From: Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.
Date: 21 April 2016 at 17:45
Subject: FW: Latest order delivery details
Hope you are good.
Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.
I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.
Many thanks and good luck
DORIC NIMROD AIR ONE LTD
This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:
Cheekily the URL references a well-known security company. The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:
184.108.40.206 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)
You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:
220.127.116.11 (OrionVM, Australia)
18.104.22.168 (Hetzner, Germany)
22.214.171.124 (PT Telecom Company, Vietnam)
126.96.36.199 (Datacate , US)
It is not clear what the payload is, but there are indications it is the Dridex banking trojan.