From: Companies House [WebFilling@companieshousemail.co.uk]
Date: 13 April 2017 at 11:10
Subject: Company Documents
Signed by: companieshousemail.co.uk
This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
Please note: all forms must be answered or the form will be returned.
Service Desk tel +44 (0)303 8097 432 or email email@example.com.
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk but it looks like there may be more. Email is being sent from servers in the 220.127.116.11/24 range (Upcloud Ltd, Finland) and I can see other servers set up to do the same thing:
Blocking email from the entire 18.104.22.168/24 range at least temporarily might be prudent.
The WHOIS details for these domains indicate they were registered today with presumably fake details, which Nominet (the .uk registry) has nonetheless somehow "verified".
Registrant:
37 Maberley Road
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017
GoDaddy.com, LLP. [Tag = GODADDY]
Registered on: 13-Apr-2017
Expiry date: 13-Apr-2019
Last updated: 13-Apr-2017
Registered until expiry date.

All the attachments I have seen are the same with a current detection rate of 6/55. Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png and a malicious executable %APPDATA%\pnwshqr.exe is dropped with a detection rate of 14/62.
Automated analysis of the binary shows potentially malicious traffic going to:
22.214.171.124 (Total Server Solutions, US)
126.96.36.199 (Informacines sistemos ir technologijos UAB aka bacloud.com, Lithuania)
There are probably other destinations too. The payload appears to be Dyre / Dyreza.
Recommended blocklist:
188.8.131.52/24 (temporary email block only)
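The indicators above (lookalike sender domains, the sending range, the bannerlogo.png download host, the dropped executable name and the two C2 addresses) as an added worked example that is not part of the original post or its author's tooling: a small Python matcher that flags an inbound message when its From: domain is a "companieshouse" lookalike or its Received: chain passes through the blocked range, and flags egress log lines that touch the download host, the dropped .exe or the C2 addresses. The lookalike check goes slightly beyond the two domains named above and catches any other "companieshouse..." domain that is not the genuine one, since the post says there may be more. The sample message and log lines are constructed, the genuine domain companieshouse.gov.uk is an assumption, and the IP values are used exactly as printed in the post.

```python
"""Match the Companies House malspam indicators against mail and egress logs."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators from the post; IP values copied as printed there.
LOOKALIKE_DOMAINS = {"companieshousemail.co.uk", "companieshouseemail.co.uk"}
GENUINE_DOMAIN = "companieshouse.gov.uk"  # assumption: the real sender domain
SENDING_RANGES = [ipaddress.ip_network("18.104.22.168/24", strict=False)]
C2_HOSTS = {"22.214.171.124", "126.96.36.199"}
PAYLOAD_HOST = "shuswapcomputer.ca"
DROPPED_EXE = "pnwshqr.exe"

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_lookalike(domain: str) -> bool:
    """True for the two domains named in the post and for any other
    'companieshouse...' domain that is not the genuine one (or a subdomain of it)."""
    d = domain.lower().rstrip(".")
    if d == GENUINE_DOMAIN or d.endswith("." + GENUINE_DOMAIN):
        return False
    return d in LOOKALIKE_DOMAINS or "companieshouse" in d.replace("-", "")


def originating_ips(msg) -> list:
    """Collect every bracketed IP in the Received: chain. The bottom-most
    header is the true originator, but any hop inside the range is enough."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in IP_IN_BRACKETS.finditer(str(hdr)):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # malformed octet, ignore
    return ips


def check_message(raw: str) -> list:
    """Return the indicator matches for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if is_lookalike(domain):
        hits.append(f"lookalike sender domain {domain}")
    for ip in originating_ips(msg):
        if any(ip in net for net in SENDING_RANGES):
            hits.append(f"relayed via blocked range {ip}")
    return hits


def check_egress_line(line: str) -> list:
    """Match one proxy/firewall log line against the download host,
    the dropped executable name and the C2 addresses."""
    hits = []
    if PAYLOAD_HOST in line:
        hits.append(f"payload download from {PAYLOAD_HOST}")
    if DROPPED_EXE in line:
        hits.append(f"dropped executable {DROPPED_EXE}")
    for host in sorted(C2_HOSTS):
        if re.search(rf"\b{re.escape(host)}\b", line):
            hits.append(f"traffic to C2 {host}")
    return hits


def scan_egress(lines) -> list:
    """Return (line, hits) pairs for every log line with at least one match."""
    results = []
    for line in lines:
        hits = check_egress_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample modelled on the message quoted above (not a real capture).
SAMPLE_PHISH = """\
Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.org
Received: from mail.companieshousemail.co.uk (unknown [18.104.22.77]) by mx.example.org
From: Companies House <WebFilling@companieshousemail.co.uk>
Subject: Company Documents

This message has been generated in response to the company complaint ...
"""

# Constructed benign message from the assumed genuine domain.
SAMPLE_LEGIT = """\
Received: from mta.companieshouse.gov.uk (mta.companieshouse.gov.uk [192.0.2.20]) by mx.example.org
From: Companies House <noreply@companieshouse.gov.uk>
Subject: Confirmation statement reminder

Your confirmation statement is due.
"""

# Constructed egress log lines in a generic key=value style.
EGRESS_LOG = [
    "ts=2017-04-13T11:12:03Z src=10.0.0.15 method=GET url=http://shuswapcomputer.ca/images/banners/bannerlogo.png",
    "ts=2017-04-13T11:12:09Z src=10.0.0.15 dst=22.214.171.124 dport=443 action=allow",
    "ts=2017-04-13T11:14:41Z src=10.0.0.22 dst=93.184.216.34 dport=443 action=allow",
]

if __name__ == "__main__":
    print(check_message(SAMPLE_PHISH))
    print(check_message(SAMPLE_LEGIT))
    for line, hits in scan_egress(EGRESS_LOG):
        print(hits, "<-", line)
```

Real mail can be fed in with `email.message_from_file` or `message_from_bytes` in place of the string samples. The Received: check only flags hops inside the listed range, so a compromised relay outside it is not caught; the lookalike heuristic deliberately matches any unseen "companieshouse" domain, which is the trade-off the post's "there may be more" calls for, at the cost of also flagging a legitimate third party that happens to use that string.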