From: Jennings.KarlaVk@ttnet.com.tr
Date: 24 May 2016 at 11:48
Subject: Account Compromised
Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 108.127.172.96)
Reason: unusual IP
Please refer to the attached report to view further detailed information.
BMJ Group
tel. (4813)/675337 33
> Sent from iPad
--------------
From: Hooper.Cecilep@hotelaviatrans.am
Date: 24 May 2016 at 11:40
Subject: Suspicious logon attempt
Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 223.149.173.250)
Reason: unusual IP
Please refer to the attached report to view further detailed information.
YUJIN INTL LTD
tel. (4020)/438007 92
> Sent from iPad
In the two samples I have seen, there are attachments named Security Report.zip and Security Notification.zip, which in turn contain a Word document with a name such as Security Report ID(11701573).doc.
The two documents that I have seen have detection rates of about 3/56 [1] [2], but according to these automated analyses [3] [4] [5] [6] it seems that the infection doesn't work properly, failing to find a created file harakiri.exe. This Malwr report shows a dropped file named harakiri.pfx, which isn't an executable; my guess is that this is an encrypted file that hasn't decrypted properly.
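The lure wording and the ZIP-wrapping-a-.doc attachment pattern above are enough to triage incoming mail for this campaign at the gateway. The following is an added example, not code from the original post: it builds a constructed message modelled on the first sample (the ZIP contains a placeholder .doc body rather than a real macro document), parses it with the standard library, and scores it on the three indicators the post describes. The phrase list, the verdict thresholds and the benign control message are my own assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Phrases and attachment names taken from the lure quoted above.
LURE_PHRASES = ("suspicious logon attempt", "refer to the attached report")
ZIP_NAME_RE = re.compile(r"^Security (Report|Notification)\.zip$", re.IGNORECASE)
DOC_NAME_RE = re.compile(r"^Security Report ID\(\d+\)\.doc$", re.IGNORECASE)


def build_sample_eml() -> bytes:
    """Constructed message modelled on the first sample above (not a real capture).

    The ZIP is built in memory around a placeholder .doc body so the script
    runs offline; a real sample carries a macro-laden Word document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Security Report ID(11701573).doc", b"\xd0\xcf\x11\xe0placeholder")
    msg = EmailMessage()
    msg["From"] = "Jennings.KarlaVk@ttnet.com.tr"
    msg["Subject"] = "Account Compromised"
    msg.set_content(
        "Attention!\n"
        "Suspicious logon attempt to your account was detected "
        "(Chrome browser, IP-address: 108.127.172.96)\n"
        "Reason: unusual IP\n"
        "Please refer to the attached report to view further detailed information.\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Security Report.zip")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed control message with no lure wording and no attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Lunch on Thursday?"
    msg.set_content("Same place as last time, 12:30.\n")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the lure pattern described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"lure_text": False, "zip_attachments": [], "docs_inside_zip": [], "verdict": "clean"}

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    result["lure_text"] = all(p in text for p in LURE_PHRASES)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        result["zip_attachments"].append(name)
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    # Flag the exact naming scheme seen, and any Word document as a fallback.
                    if DOC_NAME_RE.match(member) or member.lower().endswith((".doc", ".docm")):
                        result["docs_inside_zip"].append(member)
        except zipfile.BadZipFile:
            # A ZIP that will not open is itself worth a look, so keep the name.
            result["docs_inside_zip"].append(f"<unreadable: {name}>")

    # One point per indicator: lure wording, known ZIP name, Word document inside the ZIP.
    score = (result["lure_text"]
             + any(ZIP_NAME_RE.match(n) for n in result["zip_attachments"])
             + bool(result["docs_inside_zip"]))
    result["verdict"] = "lure-match" if score == 3 else ("suspicious" if score else "clean")
    return result


if __name__ == "__main__":
    for label, raw in (("sample", build_sample_eml()), ("benign", build_benign_eml())):
        print(label, triage(raw))
```

Run it against a mailbox export one message at a time; anything scoring "suspicious" rather than "lure-match" is where the actors have changed one of the three indicators, which is the usual way a campaign like this drifts from day to day.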
UPDATE
According to a third-party analysis, this apparently drops Dridex, which phones home to:
210.245.92.63 (FPT Telecom Company, Vietnam)
162.251.84.219 (PDR Solutions, US)
80.88.89.222 (Aruba, Italy)
213.192.1.171 (EASY Net, Czech Republic)
Recommended blocklist:
210.245.92.63
162.251.84.219
80.88.89.222
213.192.1.171
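Beyond blocking, the same four addresses are the quickest way to find hosts that already opened the document. The following is an added example, not code from the original post: it takes the C2 list above, scans constructed firewall log lines (the key=value layout, hosts and ports are made up for the example) for outbound connections to those addresses, groups hits by internal source host, and renders the blocklist as iptables and Windows Firewall rules.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# C2 addresses reported for this campaign, as listed in the post above.
DRIDEX_C2 = {
    "210.245.92.63": "FPT Telecom Company, Vietnam",
    "162.251.84.219": "PDR Solutions, US",
    "80.88.89.222": "Aruba, Italy",
    "213.192.1.171": "EASY Net, Czech Republic",
}

# Constructed firewall log lines in a key=value layout (not from any real device).
SAMPLE_LOG = [
    "2016-05-24T10:02:11Z fw1 action=allow src=10.0.0.15 dst=80.88.89.222:443 proto=tcp",
    "2016-05-24T10:02:15Z fw1 action=allow src=10.0.0.15 dst=93.184.216.34:80 proto=tcp",
    "2016-05-24T10:03:40Z fw1 action=allow src=10.0.0.22 dst=213.192.1.171:8443 proto=tcp",
    "2016-05-24T10:04:02Z fw1 action=allow src=10.0.0.15 dst=210.245.92.63:4431 proto=tcp",
    "2016-05-24T10:04:09Z fw1 heartbeat ok",
]

# src=A.B.C.D dst=E.F.G.H[:port]; adapt the pattern to the real log schema.
LINE_RE = re.compile(
    r"\bsrc=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
)


class Hit(NamedTuple):
    line_no: int
    src: str
    dst: str
    port: int
    owner: str


def scan_log(lines):
    """Return every line whose destination is one of the known C2 addresses."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if m is None:
            continue  # heartbeat lines and anything else without src/dst fields
        dst = m["dst"]
        if dst in DRIDEX_C2:
            hits.append(Hit(n, m["src"], dst, int(m["port"] or 0), DRIDEX_C2[dst]))
    return hits


def infected_hosts(hits):
    """Group hits by internal source so each beaconing host gets one ticket."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h.src].add(h.dst)
    return {src: sorted(dsts) for src, dsts in sorted(by_src.items())}


def iptables_rules(chain="OUTPUT"):
    """Render the blocklist as outbound DROP rules for Linux netfilter."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in DRIDEX_C2]


def netsh_rules(name="Dridex C2 block"):
    """Render the same blocklist for the Windows Firewall."""
    return [
        f'netsh advfirewall firewall add rule name="{name}" dir=out action=block remoteip={ip}'
        for ip in DRIDEX_C2
    ]


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.src} -> {h.dst}:{h.port} ({h.owner})")
    print(infected_hosts(scan_log(SAMPLE_LOG)))
    print("\n".join(iptables_rules() + netsh_rules()))
```

Treat any host in the infected_hosts output as compromised rather than merely blocked: the beacon went out before the rule existed, so the document ran. Dridex infrastructure also rotates quickly, so refresh the list from the analysis the post cites rather than relying on these four addresses for long.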