
Showing posts with label DOC. Show all posts

Monday 18 July 2016

Malware spam: "Sent from my Samsung device" leads to Locky

This rather terse spam has a malicious attachment:

From:    Ila
Date:    18 July 2016 at 13:01
Subject:    scan0000511

Sent from my Samsung device

The sender and subject vary, but the subject seems to be in a format similar to the following:

scan0000511
SCAN000044
COPY00002802


Attached is a .DOCM file with the same name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading from one of the following locations:


The payload is Locky with a detection rate of 4/53. It phones home to:

77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)


That's a subset of the IPs found here, so I recommend you block the following IPs:

77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14
 

Wednesday 6 July 2016

Malware spam with random hexadecimal number leads to Locky

I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).

My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:



The payload is Locky ransomware with a detection rate of 3/52. The same source says that C2 locations are:

89.108.84.42 (Agava JSC, Russia)
148.163.73.29 (GreencloudVPS JSC, Vietnam)


Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:

89.108.84.42
148.163.73.29


UPDATE 2016-07-08

A variant of this spam run is in progress which adds the words RE, FW, Scan, Emailing or File to the random number. A trusted source (thank you) informs me that the download locations for the DOCM files in this case are:


A malicious file is dropped with a detection rate of 3/55 which then phones home to the following server:

51.255.172.55 (OVH, France)

I recommend that you block traffic to that IP.
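Both this run and the 18 July "scan0000511" run share one tell: a .DOCM attachment whose basename is the subject token (optionally prefixed with RE, FW, Scan, Emailing or File in the 8 July variant). The mail-gateway triage rule below is an added example written for this page, not code from the original posts; the sample messages are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed (subject, attachment) pairs modelled on the two spam runs
# described above; none of these are real captured messages.
SAMPLES = [
    ("scan0000511", "scan0000511.docm"),
    ("COPY00002802", "COPY00002802.docm"),
    ("90027696CCCC611D", "90027696CCCC611D.docm"),
    ("RE 90027696CCCC611D", "90027696CCCC611D.docm"),
    ("Emailing: A1B2C3D4E5F60718", "A1B2C3D4E5F60718.docm"),
    ("Quarterly report", "report.docx"),       # benign: no match
    ("scan0000511", "scan0000511.pdf"),         # benign: not a .docm
]

# Prefix words the 8 July update reports being prepended to the hex token.
PREFIX_WORDS = {"re", "fw", "scan", "emailing", "file"}
# Subject shapes: scanner-style word plus a run of digits, or a bare 16-char hex string.
SCANNER_RE = re.compile(r"^(?:scan|copy)\d{5,}$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9A-F]{16}$")


def core_token(subject: str) -> str:
    """Strip one optional RE/FW/Scan/Emailing/File prefix and return what is left."""
    parts = subject.strip().split(None, 1)
    if len(parts) == 2 and parts[0].rstrip(":").lower() in PREFIX_WORDS:
        return parts[1].strip()
    return subject.strip()


def classify(subject: str, attachment: str) -> Optional[str]:
    """Return a rule name when the message matches one of the two runs, else None."""
    base, dot, ext = attachment.rpartition(".")
    if not dot or ext.lower() != "docm":
        return None
    token = core_token(subject)
    # The attachment must be named after the subject token, as in every sample above.
    if token.lower() != base.lower():
        return None
    if SCANNER_RE.match(token):
        return "locky-scan-docm"
    if HEX_RE.match(token):
        return "locky-hex-docm"
    return None


def triage(samples) -> List[Tuple[str, str, str]]:
    """Classify every (subject, attachment) pair; returns only the hits."""
    hits = []
    for subject, attachment in samples:
        rule = classify(subject, attachment)
        if rule:
            hits.append((subject, attachment, rule))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(hit)
```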

Tuesday 5 July 2016

Malware spam: "Scanned image" leads to Locky

This fake document scan appears to come from within the victim's own domain but has a malicious attachment.

From:    administrator8991@victimdomain.com
Date:    5 July 2016 at 12:47
Subject:    Scanned image

Image data has been attached to this email.

Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:

leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x


There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:

185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)


Host Sailor is a notoriously Black Hat web host, and MWTV has its problems too. The payload appears to be Locky ransomware.

Recommended blocklist:
185.106.122.0/24
185.129.148.0/24



Wednesday 8 June 2016

Malware spam: "Good morning" résumé spam drops Cerber ransomware and makes a statement

This fake résumé spam leads to malware:

From:    Dora Bain
Date:    7 June 2016 at 03:37
Subject:    Good morning

What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.

With gratitude,

--
Dora Bain

In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way.


This downloads a file from 80.82.64.198/subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe, which VirusTotal gives a detection rate of 20/56 and whose overall diagnosis seems to be Cerber ransomware.

The IP address of 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDOS-for-hire site.

According to the VT report the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block.

That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.

Recommended blocklist:
80.82.64.0/24
85.93.0.0/24
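The port-6892 sweep of 85.93.0.0 through 85.93.63.255 described above is easy to spot in flow data, and the one address that answers is the interesting one. The detection below is an added example for this page (not from the post or the linked reports) run over constructed flow records; the field order (src, sport, dst, dport) is an assumed shape.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# 85.93.0.0 - 85.93.63.255 is exactly the /18; the probed port is from the VT report above.
SCAN_NET = ipaddress.ip_network("85.93.0.0/18")
SCAN_PORT = 6892

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def build_sample_flows() -> List[Flow]:
    """Constructed flow records; not a real capture."""
    flows: List[Flow] = []
    base = int(SCAN_NET.network_address)
    # Infected host sweeps the first 300 addresses of the range, one probe each.
    for i in range(300):
        flows.append(("10.0.0.25", 51000 + i, str(ipaddress.ip_address(base + i)), SCAN_PORT))
    # A single reply, mirroring the one responding server noted in the Hybrid Analysis.
    flows.append(("85.93.0.124", SCAN_PORT, "10.0.0.25", 51124))
    # Unrelated traffic from a clean workstation, including one HTTPS session into the range.
    flows.append(("10.0.0.40", 49200, "85.93.0.124", 443))
    flows.append(("10.0.0.40", 49201, "8.8.8.8", 53))
    return flows


def find_scanners(flows: List[Flow], threshold: int = 32) -> Dict[str, int]:
    """Map src -> number of distinct hosts in SCAN_NET it probed on SCAN_PORT.

    Only sources at or above `threshold` are kept: a single connection into the
    range is ordinary traffic, a fan-out across dozens of dead addresses is the sweep.
    """
    targets: Dict[str, Set[str]] = defaultdict(set)
    for src, _sport, dst, dport in flows:
        if dport == SCAN_PORT and ipaddress.ip_address(dst) in SCAN_NET:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def find_responders(flows: List[Flow], scanners: Dict[str, int]) -> Set[str]:
    """Hosts inside SCAN_NET that answered a flagged scanner from SCAN_PORT.

    This isolates the live server (85.93.0.124 in the post) from the rest of the
    swept range, which is the address worth adding to the blocklist first.
    """
    return {
        src for src, sport, dst, _dport in flows
        if sport == SCAN_PORT and dst in scanners and ipaddress.ip_address(src) in SCAN_NET
    }


if __name__ == "__main__":
    sample = build_sample_flows()
    found = find_scanners(sample)
    print("sweeping hosts:", found)
    print("responding servers:", find_responders(sample, found))
```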



Friday 27 May 2016

Malware spam: "Neue Abrechnung Nr. 746441" / support@sipcall.de

This German-language spam has a malicious attachment:

From:    support@sipcall.de
Date:    27 May 2016 at 10:57
Subject:    Neue Abrechnung Nr. 746441


Guten Tag

Im Anhang erhalten Sie die neue Rechnung des vergangenen Monates mit der Abrechnungsnummer 746441.

Für eine fristgerechte Bezahlung danken wir Ihnen. Bei Fragen oder Anregungen steht Ihnen unser Kundendienst gerne zur Verfügung.


Freundliche Grüsse
Ihr VoIP Provider


Dies ist eine automatisch generierte Nachricht. Antworten auf diese E-Mail können nicht bearbeitet werden.

Reference numbers vary. Attached is a randomly-named Word document (e.g. INV842038-746441.docm). The sample I submitted to Malwr showed it downloading a binary from:

www.ding-a-ling-tel.com/98yh87nb6v4

Other sources indicate additional download locations at:



There are probably other locations too.

An executable is dropped with a detection rate of 3/56. The Hybrid Analysis and DeepViz report both indicate different phone-home locations:

193.9.28.13 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
5.152.199.70 (Redstation, UK)


Private sources also indicate C2s at:

212.109.219.31 (JSC Server, Russia)
107.181.187.12 (Total Server Solutions, US)


The payload is Locky ransomware.

Recommended blocklist:
193.9.28.13
5.152.199.70
212.109.219.31
107.181.187.12

Wednesday 25 May 2016

Malware spam: "Following the phone conversation with the accounting department represantatives I'm sending you the invoices."

These fake financial spams come from different companies, all with a malicious attachment.

From:    Frank.ClaraZO@pr-real.com
Date:    25 May 2016 at 11:34
Subject:    The invoices from INCHCAPE PLC


Hello,
Following the phone conversation with the accounting department represantatives I'm sending you the invoices.

Thank you for attention,
Kind regards
Clara Frank
INCHCAPE PLC
tel. (2045)/641493 54

> Sent from Iphone

Attached is a ZIP file with a name similar to Invoice 5044-032841.zip which in turn contains a malicious script named in a similar manner to invoice(677454).js which typically has a detection rate of 3/56. Hybrid Analysis of that sample shows the script creating a PFX (personal certificate) file which is then transformed into a PIF (executable) file using the certutil.exe application.

This PIF file itself has a detection rate of 6/56 but automated analysis [1] [2] [3] is inconclusive. The behaviour is somewhat consistent with the Dridex banking trojan but may possibly be Locky ransomware.

Tuesday 24 May 2016

Malware spam: "Account Compromised" / "Suspicious logon attempt"

These fake security warnings come with a malicious attachment:

From:    Jennings.KarlaVk@ttnet.com.tr
Date:    24 May 2016 at 11:48
Subject:    Account Compromised

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 108.127.172.96)
Reason: unusual IP
Please refer to the attached report to view further detailed information.

BMJ Group
tel. (4813)/675337 33

> Sent from iPad

--------------

From:    Hooper.Cecilep@hotelaviatrans.am
Date:    24 May 2016 at 11:40
Subject:    Suspicious logon attempt

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 223.149.173.250)
Reason: unusual IP
Please refer to the attached report to view further detailed information.

YUJIN INTL LTD
tel. (4020)/438007 92

> Sent from iPad

In the two samples I have seen, there are attachments named Security Report.zip and Security Notification.zip which in turn contain a Word document with a name such as Security Report ID(11701573).doc

The two documents that I have seen have detection rates of about 3/56 [1] [2], but according to these automated analyses [3] [4] [5] [6] it seems that the infection doesn't work properly, failing to find a created file harakiri.exe. This Malwr report shows a dropped file named harakiri.pfx which isn't an executable; my guess is that this is an encrypted file that hasn't been decrypted properly.
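The certutil.exe step in the 25 May post (a PFX decoded into a PIF) and the harakiri.pfx / harakiri.exe artefacts here share one detection point: certutil decoding a file into an executable extension, typically with a script host as its parent. The check below is an added example written for this page, not detection logic from any of the linked reports; it runs over constructed process-creation events whose field names (image, parent, cmdline) are an assumed shape.

```python
import ntpath
from typing import List, Optional, Tuple

# Constructed process-creation events in the shape an EDR or Sysmon Event ID 1
# feed would give; not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\harakiri.pfx "
                r"C:\Users\u\AppData\Local\Temp\harakiri.pif"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"certutil -verify C:\certs\corp.cer"},          # routine admin use
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -decode notes.pfx notes.txt"},        # decode, but not to an executable
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad harakiri.pfx"},
]

DECODE_FLAGS = {"decode", "decodehex"}
EXEC_EXTS = {"pif", "exe", "scr", "com", "dll", "bat", "cmd"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def classify_event(ev: dict) -> Optional[str]:
    """Return a verdict for a certutil decode, or None for anything else.

    ntpath.basename is used so the Windows paths parse correctly on any host.
    """
    if ntpath.basename(ev["image"]).lower() != "certutil.exe":
        return None
    # Whitespace split is enough for the constructed samples; real command
    # lines with quoted paths need a Windows-aware tokenizer.
    args = ev["cmdline"].split()[1:]
    flags = {a.lstrip("-/").lower() for a in args if a.startswith(("-", "/"))}
    if not flags & DECODE_FLAGS:
        return None
    positional = [a for a in args if not a.startswith(("-", "/"))]
    # certutil -decode InFile OutFile: the output path is the last positional argument.
    out_ext = ""
    if positional and "." in positional[-1]:
        out_ext = positional[-1].rsplit(".", 1)[-1].lower()
    reasons = []
    if out_ext in EXEC_EXTS:
        reasons.append("decode-to-executable")
    if ntpath.basename(ev["parent"]).lower() in SCRIPT_HOSTS:
        reasons.append("script-host-parent")
    # A plain decode is still worth a look; the two reasons above raise its priority.
    return "+".join(reasons) if reasons else "certutil-decode"


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every event that classify_event flags."""
    out = []
    for i, ev in enumerate(events):
        verdict = classify_event(ev)
        if verdict:
            out.append((i, verdict))
    return out


if __name__ == "__main__":
    for idx, verdict in scan(EVENTS):
        print(idx, verdict, EVENTS[idx]["cmdline"])
```

The harakiri.pfx case above would fire even though the decode apparently failed, which is the point: the certutil invocation is visible whether or not the payload ever ran.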

UPDATE

According to a third party analysis, this apparently drops Dridex which phones home to:

210.245.92.63 (FPT Telecom Company, Vietnam)
162.251.84.219 (PDR Solutions, US)
80.88.89.222 (Aruba, Italy)
213.192.1.171 (EASY Net, Czech Republic)


Recommended blocklist:
210.245.92.63
162.251.84.219
80.88.89.222
213.192.1.171


Thursday 5 May 2016

Malware spam: "Please See Attached" / "Statement 6BBC0E"

This fake financial spam leads to malware. Details change slightly from email to email:

From:    Administrator [adminHb@victimdomain.tld]
Date:    5 May 2016 at 11:29
Subject:    Statement 6BBC0E

Please See Attached

______________________________________________________________________
Scanned by MailDefender Plus, powered by Symantec Email Security.cloud
http://www.intycascade.com/products/symantec/
______________________________________________________________________
---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com

It must be safe.. scanned by both Symantec and Avast! Well, of course that's just BS and the attached DOC file leads to malware, specifically the same payload as seen in this slightly earlier spam run.

Malware spam: "DocuCentre-IV" / "Scan Data"

This fake document scan appears to come from within the victim's own domain (but this is just a simple forgery) and has a malicious attachment:

From:    DocuCentre-IV [DocuCentre1230@victimdomain.tld]
Date:    5 May 2016 at 10:27
Subject:    Scan Data

Number of Images: 1
Attachment File Type: PDF

----=_Part_45251_4627454344.4826709420825--

Details vary slightly from message to message. Attached is a DOC file (not a PDF) starting with PIC, DOC or IMG in the samples I have seen plus a random number. Typical VirusTotal detection rates are 6/56 [1] [2] [3] [4] [5] [6]. Various automated analyses of these documents [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] show a binary being downloaded from the following locations:

fm1.ntlweb.org/87hcnrewe
iconigram.com/87hcnrewe
www.sammelarmband.de/87hcnrewe
hospice.psy.free.fr/87hcnrewe


This dropped file has a detection rate of 5/46. This Hybrid Analysis and this DeepViz report show subsequent network traffic to:

192.241.252.152 (Digital Ocean, US)
195.169.147.26 (Culturegrid.nl, Netherlands)
70.164.127.132 (Southland Technology, US)


The characteristics of the payload suggest this is the Dridex banking trojan.

Recommended blocklist:
192.241.252.152
195.169.147.26
70.164.127.132

Friday 22 April 2016

Malware spam: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

This fake Amazon email leads to malware. On some mail clients there may be no body text:

From: auto-shipping@amazon.co.uk Amazon.co.uk
To
Date: Fri, 22 Apr 2016 10:50:56 +0100
Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #525-2814418-9619799 (received April 22, 2016)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:



This dropped executable has a detection rate of 6/56. The Hybrid Analysis and DeepViz Analysis plus some data sourced from other parties (thank you) indicates that the malware calls back to the following IPs:

186.250.48.10 (Redfox Telecomunicações Ltda., Brazil)
193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload here appears to be the Dridex banking trojan.

Recommended blocklist:
186.250.48.10
193.90.12.221
194.116.73.71
200.159.128.144


UPDATE 2016-04-26

Another identical round of this spam is being sent out, complete with the formatting error that prevents the body text being displayed on some email clients. VirusTotal detection rates for the two samples I have seen are 5/57 [1] [2]. Hybrid Analysis of the attachments [3] [4] shows download locations at:

shagunproperty.com/987gby8nn8
aysanatorganizasyon.com/987gby8nn8


A trusted source tells me there are other download locations at:



From here a binary is dropped on the system with a detection rate of 3/56. Those Hybrid analyses plus this DeepViz report show network traffic to:

176.9.113.216 (Hetzner, Germany)

Apparently there are C2 servers here:

186.250.48.10 (Redfox Telecomunicações Ltda, Brazil)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload still appears to be Dridex.

Recommended blocklist:
176.9.113.216
186.250.48.10
200.159.128.144


Wednesday 20 April 2016

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached

Regards


Beerhouse Self Drive

In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:

bi.pushthetraffic.com/87ty8hbvcr44

There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between them identify what is likely to be Dridex, phoning home to the following servers:






Wednesday 13 April 2016

Malware spam: "Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC"

This fake financial email comes with a malicious attachment:

From:    Tran
Reply-To:    Tran, Reuben - ADVANCED ONCOTHERAPY PLC [TranReuben1322@telecom.kz]
Date:    13 April 2016 at 16:24
Subject:    Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC

Good morning,

Please advise status on these

If shipped, please send invoice & tracking


---------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail, including any attachments and/or linked documents, is intended for the sole use of the intended addressee and may contain information that is privileged, confidential, proprietary, or otherwise protected by law. Any unauthorized review, dissemination, distribution, or copying is prohibited. If you have received this communication in error, please contact the original sender immediately by reply email and destroy all copies of the original message and any attachments. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Xylem Inc.

I have only seen a single copy of this; it is likely that the company name will vary from email to email. The attachment due #46691848.doc has a VirusTotal detection rate of 5/56. According to this Malwr report it downloads a file from:

mgmt.speraelectric.info/flows/login.php

Right at the moment this is just a copy of the Windows Calculator and is harmless, but the payload could be switched later to something more malicious, probably Locky ransomware or the Dridex banking trojan.

Tuesday 29 March 2016

Malware spam: "Re: New Order P2016280375" / Rose Lu [salesdeinnovative@technologist.com]

This fake financial spam comes with a malicious attachment:


From:    Rose Lu [salesdeinnovative@technologist.com]
Date:    29 March 2016 at 02:30
Subject:    Re: New Order P2016280375

Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
 
Best regards
Rose Lu
Office Manager
Suzhou  Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China
Skype:rose.lu22
Email:luyi@eg-ev.com
Web: http://www.eagle-ev.com
        http://www.eg-ev.com
       http://szeagle.en.alibaba.com
        http://www.chinaelectricvehicle.com
        http://szeagle-golfcar.en.made-in-china.com


Attached is a file New Order P201628037.docx of which I have seen a single variant, with a VirusTotal detection rate of 8/58. The Malwr report is inconclusive, but does appear to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object:

Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe


So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn.no-ip.biz hosted on:

105.112.39.114 (Airtel, Nigeria)

I strongly recommend that you block traffic to that IP. In fact, the entire 105.112.0.0/12 range is very large but very sparsely populated, containing a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before), so you might want to consider blocking that too.

Friday 18 March 2016

Malware spam: "Proof of Delivery Report: 16/03/16-17/03/16" / UKMail Customer Services [list_reportservices@ukmail.com]

This spam does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    UKMail Customer Services [list_reportservices@ukmail.com]
Date:    18 March 2016 at 02:46
Subject:    Proof of Delivery Report: 16/03/16-17/03/16

Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD



...........................................................................................................................................................................................
iMail Logo
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.

At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm which has a VirusTotal detection rate of 9/55. This Malwr report for the sample shows a file download from:

kervanburak.com/wp-content/plugins/hello123/r34t4g33.exe

There will be many other versions of the attachment with different download locations. This binary has a detection rate of 8/55 and this Malwr report and Hybrid Analysis show network traffic to:

64.147.192.68 (Dataconstructs, US)

I recommend you block traffic to that IP. The payload appears to be the Dridex banking trojan.

UPDATE 1

This DeepViz report shows some additional IP addresses contacted:

64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


UPDATE 2

Some additional download locations from a trusted source (thank you!):



Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78

Thursday 17 March 2016

Malware spam: "Remittance Adivce" from random senders

This fake financial spam has a malicious attachment and poor spelling in the subject field.

From:    Booth.Garth19@idsbangladesh.net.bd
Date:    17 March 2016 at 09:17
Subject:    Remittance Adivce


Please find attached a remittance advice for payment made yo you today.

Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.

Kind Regards

Garth Booth

Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:

bakery.woodwardcounseling.com/michigan/map.php

This download location is almost certainly completely malicious, and is hosted at:

217.12.199.94 (ITL, Ukraine)

This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to:

38.64.199.33 (PSINet, Canada)
188.93.239.28 (DotSi, Portugal)


The payload is uncertain, but it could be the Dridex banking trojan.

UPDATE

The DeepViz analysis also shows traffic to:

85.17.155.148 (Leaseweb, Netherlands)

Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148

Malware spam: "Interparcel Documents" / Interparcel [bounce@interparcel.com]

This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:

From:    Interparcel [bounce@interparcel.com]
Date:    17 March 2016 at 08:51
Subject:    Interparcel Documents

Your Interparcel collection has been booked and your documents are ready.

There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.

Thank you for booking with Interparcel.

Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:

gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe


The detection rate for the binary is 5/57. This DeepViz report on the binary shows network connections to:

195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)


As mentioned before, these characteristics look like the Dridex banking trojan.

Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78




Thursday 10 March 2016

Malware spam: "Final Notice About Unpaid Bill" / "Important Notice About Created Invoice" / "Important Message About New Invoice"

This fake financial spam comes with a malicious attachment. The sender's name, subject and body text vary, with examples including:

Subject:
Fwd: Final Notice About Unpaid Bill
Fw: Important Notice About Created Invoice
Re: Important Message About New Invoice

Body text:
Pls see the bill attached.
review the report attached.
check the invoice attached.

Some more examples can be seen here.

Attached is a randomly-named document, of which I have seen three samples (VirusTotal results [1] [2] [3]). The Malwr report on one of the samples plus these Hybrid Analysis reports [4] [5] [6] shows a download of an encrypted file from:

darrallmacqueen.com/b2.jpg?XhVee=9
darrallmacqueen.com/b2.jpg?XhVee=20
darrallmacqueen.com/b2.jpg?XhVee=16


The dropped files seem pretty random, indeed in all the samples the binaries were different with some generic detections [1] [2] [3] [4]. All of the samples crash in Malwr [5] [6] [7] [8].

It all seems a little odd and if I get more information on what is happening, I will update this post. In the meantime the only mitigating step I can think of is to block traffic to darrallmacqueen.com which should stop the files downloading.

Wednesday 9 March 2016

Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]

This terse spam has a malicious attachment. There is no body text.

From:    Idris Mohammed [idrismohammed25@gmail.com]
Date:    9 March 2016 at 09:55
Subject:    DOC-Z21193008

Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
 
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe


There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:

64.76.19.251 (Impsat, Argentina)

I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.

UPDATE

A contact sent some more download locations (thank you!):

oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe


...and also some additional C2s:

188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234




Tuesday 8 March 2016

Malware spam: "Order 1307605 (Acknowledgement)" / rick.adrio@booles.co.uk

This fake financial spam has a malicious attachment:

From     rick.adrio@booles.co.uk
Date     Tue, 08 Mar 2016 15:58:07 +0530
Subject     Order 1307605 (Acknowledgement)

Please find document attached
CONFIDENTIALITY AND DISCLAIMER NOTICE:
This email contains proprietary information which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission error has misdirected
this email, please notify the author by replying to this email. If you are not the
intended recipient you must not use, disclose, distribute, copy, print, or rely on
this email and delete all copies. Boole's Tools and Pipe Fittings Ltd is a private
company limited by shares. Registered in the United Kingdom No. 683745. Registered
office: PO Box 1586, Gemini One, John Smith Drive, Oxford Business Park South, Oxford,
OX4 9JF, United Kingdom.

Attached is a file pm51A.docm which I have seen two versions of (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources the macro in the document downloads from:

stopmeagency.free.fr/9uj8n76b5.exe
reclamus.com/9uj8n76b5.exe
lhs-mhs.org/9uj8n76b5.exe
izzy-cars.nl/9uj8n76b5.exe
kyudentyumi.wekyudentyumi.web.fc2.com/9uj8n76b5.exe


The dropped binary has changed from earlier and has a detection rate of 2/55; it phones home to the same IP address as seen in this campaign. It appears to be the Dridex banking trojan.



Thursday 3 March 2016

Malware spam: "FreePDF: 1922110025984.doc" / "Worrall, Antony" [Ant.Worrall@cmco.eu]

This fake financial spam has a malicious attachment.


From     "Worrall, Antony" [Ant.Worrall@cmco.eu]
Date     Thu, 03 Mar 2016 14:25:14 +0430
Subject     FreePDF: 1922110025984.doc


140 Years of Innovation. Lifting.
Positioning. Securing. Safely.

Attached is a randomly-named file that matches the reference in the subject. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run.