Malware spam: "Operational Expense" leads to Locky

This fake financial spam leads to malware:

From:    Theodora Hamer
Date:    25 May 2016 at 12:17
Subject:    Operational Expense

Operational Expense of 7,350,80 USD has been credited from your account. For more details please refer to the report that can be found down below 

This analysis is based on a trusted source (thank you!). Attached is a ZIP file containing a malicious script, downloading from:

alborzcrane.com/g1slEn.exe
alborzcrane.com/Z94n5r.exe
alintagranito.com/fOA8Bl.exe
alintagranito.com/xB7nku.exe
amazoo.com.br/R0koId.exe
avayeparseh.com/s0faxS.exe
buzzimports.com.au/cRQVC4.exe
buzzimports.com.au/ECScwi.exe
galabel.com/lRkuJX.exe
galabel.com/oQz26K.exe
jett.com/6APaSk.exe
kitchen38.com/HYPETS.exe
kitchen38.com/V1ygc2.exe
onestopcableshop.com/J7t6au.exe
osdc.eu/gct5TH.exe
osdc.eu/n2UuEj.exe
purfectcar.com/9OaoqM.exe
purfectcar.com/sHXqZT.exe
wisebuy.com/WiOqzB.exe
yearnjewelry.com/OnvBrc.exe
yearnjewelry.com/t8HnK3.exe
zhaoyk.com/Dmv3As.exe
zhaoyk.com/JbO9uX.exe

This drops what is apparently Locky ransomware, with a detection rate of 3/56. This phones home to:

164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)

This Hybrid Analysis shows the Locky ransomware in action.

Recommended blocklist:
164.132.40.47
104.131.182.103

Evil network: OVH / kaminskiy@radiologist.net

Here's an Angler EK cluster, hosted on multiple ranges rented from OVH France.. working first from this list of Angler IPs in OVH address space we can see a common factor.

5.135.249.214
5.135.249.215
51.255.59.119
51.255.59.120
51.255.59.121
51.255.59.123
91.134.206.128
91.134.206.129
91.134.206.130
91.134.206.131
91.134.204.217
91.134.204.218
91.134.204.219
91.134.204.243
91.134.204.245
91.134.204.247

One handy thing that OVH does with suballocated ranges is give clear details about the customer. This certainly helps track down abusers. In this case, the ranges these IPs are in are allocated to:

organisation:   ORG-KM91-RIPE
org-name:       Kaminskiy Mark
org-type:       OTHER
address:        Bema 73
address:        01-244 Warszawa
address:        PL
e-mail:         kaminskiy@radiologist.net
abuse-mailbox:  kaminskiy@radiologist.net
phone:          +48.224269043
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-05-18T14:46:09Z
last-modified:  2016-05-18T14:46:09Z
source:         RIPE

That ORG-KM91-RIPE reference can be looked up on the RIPE database: giving more of these little /30 blocks:

5.135.249.212/30
51.255.59.116/30
51.255.59.120/30
51.255.59.124/30
91.134.206.128/30
91.134.204.212/30
91.134.204.216/30
91.134.204.220/30
91.134.204.240/30
91.134.204.244/30
91.134.204.248/30
91.134.204.252/30
164.132.223.192/30


OVH have been pretty good at cleaning up this sort of thing lately (unlike PlusServer) so hopefully they will get this under control.

If you want to find other Angler EK ranges then I have a bunch of 'em in my Pastebin.

Malware spam: "Please find attached the file we spoke about yesterday" leads to Locky

This spam appears to come from random senders, and leads to Locky ransomware:

From:    Graham Roman
Date:    23 May 2016 at 11:59
Subject:    Re:

Hi [redacted]

Please find attached the file we spoke about yesterday.

Thank you,
Graham Roman
PCM, Inc.

Attached is a ZIP file starting with copy_invoice_ and then a random sequence. This contains a malicious script file which in the sample I analysed downloads an obfuscated binary from:

oakidea.com/by2eezw8
islandflavaja.com/0p1nz
dragqueenwig.com/itukabk

Automated analysis of the script [1] [2] shows it dropping a file klA1KMQj2D.exe which has a VirusTotal detection rate of 5/56. Those prior reports plus these additional analyses of the binary [3] [4] [5] show network traffic to:

188.166.168.250 (Digital Ocean, UK)
31.41.44.45 (Relink Ltd, Russia)
92.63.87.53 (MWTV, Latvia)

Those reports all demonstrate clearly that this is Locky ransomware, although the barely encrypted downloaded binaries are a new feature.

UPDATE

Trusted third-party analysis (thank you) shows some additional download locations:

4cornerbazaar.com/rcjmp
ap-shoes.com/r3mkkch
b2cfurniture.com.au/ztydt7
babyhalfoff.com/di286c
bekith.com/twe4puv
canalshopping.com.br/kf5d9
ereganto.com.br/4bxi09t
farmavips.com/hlnl21tf
fina-mente.com/kitrl2
hablatinamerica.com/mkhxrsm
jhplhomedecor.com/m637g
joyofgiving.com.au/1b6v94yu
la-mousson.de/pxwimc
lojaonline.eurobar.pt/kmdb4euf
maibey.com/bakcy9s
metallerie.com/uh0kd
mymy365.com/d7bd2
objetsdinterieur.com/0p1nz
peptide-manufacturer.com/jc6pxks
pro-lnz.com/9ed5v5v
promotionalsales.com.au/0iobfbwc
store.steelalborz.com/fw4i3ssf
stylelk.com/12opjwfh

The MD5s of decrypted downloaded files are:

0cef8d79dd32b5701768ffb3e80dd6c9
18e1591325994d60468e58b30bd47ec7
1e1b9729198cb392636ad4b8ec880284
1eacf23630db85c2af07d2657c1a0917
2742891aff1f20ee09a67d29c5b4157d
2f7373602c67761a1666c3170a0adfd9
4f4d754ffb9b33c5b2b7ec6c38dc6a30
517c1805c2b805a801a6132bfd9d7a69
64eef31dc4cd4dc1ca51b6686e4cdaa1
6fc220a8b95e2167c21d0e1f91a516cb
73552fcfff60a171965103d691679b43
8108de8bf200d4baa62541e9eeca2ee4
9125956e3ee99b9f59b595fcba9ac658
9da331f4353f5b0033c162eb308a8197
a01d60682ad5fadc9018908185e8cde3
aceec3d6334e925297efc8d4232473c2
afd40dca335530ec993d9cf91be96b4c
d69adb50c7f2436f5f7502f22b3a5714
dab81432d4d6241e47d7110b8d051f41
de6c020b8639fda713fbe2285dc6740c
eb3391cefb6634e587b58e0d6540c7c3
fb56f158f6f4c81f7bed2a7c4490fadb

One additional C2 server:

176.31.47.100 (Unihost, Seychelles / OVH , France)

Recommended blocklist:
188.166.168.250
31.41.44.45
92.63.87.53
176.31.47.100

Malware spam: "I have attached a revised spreadsheet.."

This spam has a malicious attachment:

From:    Britney Hart
Date:    16 May 2016 at 13:15
Subject:    Re:

hi [redacted]

I have attached a revised spreadsheet contains customers. Please check if it's correct

Regards,
Britney Hart

Other variations of the body text seen so far:

I have attached a revised spreadsheet contains general journal entries. Please check if it's correct
I have attached a revised spreadsheet contains estimates. Please check if it's correct

Attached is a ZIP file with three identical malicious .js files. The ones I have seen so far download from

fundaciontehuelche.com.ar/897kjht4g34
thetestserver.net/fg45g4g
technobuz.com/876jh5g4g4

There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1] [2] [3]) and automated analysis [5] [6] [7] [8] [9] shows the malware phoning home to:

188.127.231.124 (SmartApe, Russia)
31.184.197.72 (Petersburg Internet Network, Russia)
92.222.71.26 (RunAbove / OVH, France)
149.202.109.202 (Evgenij Rusachenko aka lite-host.in, Russia / OVH, France)

The payload is Locky ransomware.

Recommended blocklist:
188.127.231.124
31.184.197.72
92.222.71.26
149.202.109.202

Malware spam: "As promised, the document you requested is attached" leads to Locky

This fairly brief spam has a malicious attachment:

From:    Alexandra Nunez
Date:    10 May 2016 at 21:10
Subject:    Re:

hi [redacted],

As promised, the document you requested is attached

Regards,

Alexandra Nunez

The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:


4hotdeals.com.au/j47sfe
stationerypoint.com.au/cnb3kjd
floranectar.com.au/er5tsd
togopp.com/vbg5gf
printjuce.com/rt5tdf
designitlikeal.com/cvb3ujd

There are probably many more download locations.

The typical detection rate for these binariesis about 12/56 [1] [2] [3] [4] [5] and automated analysis [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] shows network traffic to:

5.34.183.40 (ITL, Ukraine)
185.82.202.170 (Host Sailor, United Arab Emirates / Romania)
185.14.28.51 (ITL, Netherlands)
92.222.71.26 (OVH, France)
88.214.236.11 (Overoptic Systems, UK / Russia)

The payload is Locky ransomware

Recommended blocklist:
5.34.183.40
185.82.202.170
185.14.28.51
92.222.71.26
88.214.236.11

Malware spam: "Second Reminder - Unpaid Invoice"

This fake financial spam leads to malware:

From:    Janis Faulkner [FaulknerJanis8359@ono.com]
Date:    29 April 2016 at 11:13
Subject:    Second Reminder - Unpaid Invoice

 We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail

Regards,

Janis Faulkner
Chief Executive Officer - Food Packaging Company 

Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.

The scripts I have seen download slightly different binaries from the following locations:

cafeaparis.eu/f7yhsad
amatic.in/hdy3ss
zona-sezona.com.ua/hj1lsp
avcilarinpazari.com/u7udssd

VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2] [3] [4]. In addition to those reports, various automated analyses [5] [6] [7] [8] [9] show that this is Locky ransomware phoning home to:

91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
83.217.8.155 (Park-web Ltd, Russia)
31.41.44.246 (Relink Ltd, Russia)
89.108.84.155 (Agava Ltd, Russia)
51.254.240.60 (Relink, Russia / OVH, France)

I strongly recommend that you block traffic to:

91.234.32.19
83.217.8.155
31.41.44.246
89.108.84.155
51.254.240.60

Malware spam: "FW: Invoice" from multiple senders

This fake financial spam comes from randomly-generated senders, for example:

From:    Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br]
Date:    28 April 2016 at 11:40
Subject:    FW: Invoice

Please find attached invoice #342012

Have a nice day

Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:

http://rabitaforex.com/pw3ksl
http://tribalsnedkeren.dk/n4jca
http://banketcentr.ru/v8usja
http://3dphoto-rotate.ru/h4ydjs
http://switchright.com/2yshda
http://cafe-vintage68.ru/asad2fl
http://minisupergame.ru/a9osfg

The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:

83.217.26.168 (Firstbyte, Russia)
31.41.44.246 (Relink, Russia)
91.219.31.18 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.60 (Relink, Russia / OVH, France)
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua.  Ukraine)

These two Hybrid Analysis reports [1] [2] show Locky more clearly.

Recommended blocklist:
83.217.26.168
31.41.44.246
91.219.31.18
51.254.240.60
91.234.32.19

Minimalist spam leads to Locky ransomware

There is currently a very minimalist spam run leading to Locky ransomware, for example:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    28 April 2016 at 11:21
Subject:    Scan436

The spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:

file238.zip
file164.zip
file84.zip
Document4.zip
Doc457.zip
Scan1.zip
Doc5.zip
file394.zip
Scan436.zip

Inside is a semi-randomly named script that downloads malware. Download locations I have seen so far are:

nailahafeez.goldendream.info/8778h4g
kfourytrading.com/8778h4g
kasliknursery.com/8778h4g
allied.link/8778h4g
xtrategiamx.com/8778h4g

The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56. This Hybrid Analysis shows Locky quite clearly, and this DeepViz report shows it phoning home to:

51.254.240.60 (Relink LLC, Russia / OVH, France)
31.41.44.246 (Relink LLC, Russia)
83.217.26.168 (Firstbyte, Russia)

Recommended blocklist:
31.41.44.246
51.254.240.60
83.217.26.168

Malware spam: "Facture : 1985 corrigée" / "Louis - Buvasport [louis64@buvasport.com]"

This French-language spam leads to malware:

From:    Louis - Buvasport [louis64@buvasport.com]
Date:    19 April 2016 at 13:29
Subject:    Facture : 1985 corrigée

Cher Client,

Veuillez trouver en pièce-jointe, la facture de vos achats. SANS FRAIS DE TRANSPORT
Votre marchandise est partie et vous devriez la recevoir dans les prochains jours.

Si vous avez des questions, n'hésitez pas à nous contacter.

Cordialement,

BUVA SPORTS 

Attached is a file 093887283-19.04.2016.zip which contains a semi-randomly named script (e.g. 741194709-18.04.2016.PDF.js) with VirusTotal detection rates of 6/56 [1] [2]. According to these Malwr reports [3] [4] the script downloads a file from one of the following locations:

pushdkim.com/267h67c5e
pay.360degreeinfo.com/267h67c5e

There are probably other scripts with different download locations, the binary has a detection rate of 10/55.The Hybrid Analysis report shows that this executable attempts to download another executable from:

buhjolk.at/files/Yd6aGF.exe

At the moment that location is 404ing and the main payload fails, although that could be easily fixed I guess. This is probably attempting to drop Locky ransomware.

The loader also attempts to interact with some servers belonging to BMG, possibly to generate false data for anyone doing network analysis.

To be on the safe side, it might be worth blocking:

93.79.82.215 (Telesweet, Ukraine)

Malware spam: "Facture client N° FC_462982347 du 30/03/2016" leads to Locky

This French-language spam is pretending to be a renewal for anti-virus software, however instead it has a malicious attachment:

From:    administrator [netadmin@victimdomain.tld]
Date:    30 March 2016 at 11:09
Subject:    Facture client N° FC_462982347 du 30/03/2016

Bonjour,

Veuillez trouver ci-joint la facture pour le renouvellement de votre antivirus.

Bonne réception

A.Morel

It pretends to come from within the victim's own domain, but this is a simple forgery. The reference number changes from email to email, attached is a ZIP file named consistently with the subject (e.g. FC_462982347.zip). This ZIP file contains a malicious script (typical detection rate 8/56) which then downloads Locky ransomware. According to these automated analyses [1] [2] [3] [4] [5] show the scripts downloading from the following locations (there are almost definitely more):

bezuhova.ru/45t3443r3
thespinneyuk.com/45t3443r3
tishaclothing.co.za/45t3443r3

This dropped binary has a detection rate of 7/56. According to these analyses [6] [7] [8] it phones home to the same servers detailed in this earlier blog post.

Malware spam: "Additional Information Needed #869420" leads to ransomware

This spam has a malicious attachment, leading to ransomware.

From:    Joe holdman [holdmanJoe08@seosomerset.co.uk]
Date:    30 March 2016 at 08:55
Subject:    RE: Additional Information Needed #869420


We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.

The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipients email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default.

An analysis of three scripts [1] [2] [3] shows binary downloads from:

cainabela.com/zFWvTM.exe
downloadroot.com/vU4VAZ.exe
folk.garnet-soft.com/jDFXfL.exe

This binary has a detection rate of 6/56.  Automated analysis [4] [5] shows network traffic to:

93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)

These characteristics are consistent with Locky ransomware.

Recommended blocklist:
93.170.131.108
5.135.76.18
82.146.37.200

Malware spam: "CCE29032016_00034" / "Sent from my iPhone"

The malware spammers have been busy again today. I haven't had time to look at this massive spam run yet, so I am relying on a trusted third party analysis (thank you!)

These spam emails look like the victim is sending them to themselves (but they aren't). Reference numbers vary a little between emails, but the basic pattern is:

From:    victim
To:    victim
Date:    29 March 2016 at 17:50
Subject:    CCE29032016_00034

Sent from my iPhone

Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:

3r.com.ua/ty43ff333.exe
canadattparts.com/ty43ff333.exe
chilloutplanet.com/ty43ff333.exe
gazoccaz.com/ty43ff333.exe
hindleys.com/ty43ff333.exe
jeweldiva.com/ty43ff333.exe
kandyprive.com/ty43ff333.exe
labonacarn.com/ty43ff333.exe
silvec.com/ty43ff333.exe
tbde.com.vn/ty43ff333.exe
zecapesca.com/ty43ff333.exe

This payload has a detection rate of 4/56. The malware calls back to:

84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)

McHost is almost purely a black-hat ISP in my opinion and should be blocked on sight.

Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24

Malware spam: "Envoi d’un message : 9758W-TERREDOC-RS62937-15000" / Christine Faure [c.faure@technicoflor.fr]

This French-language spam comes with a malicious attachment:

From:    Christine Faure [c.faure@technicoflor.fr]
Date:    28 March 2016 at 16:54
Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000

Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :

9758W-TERREDOC-RS62937-15000
Message de sécurité

To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8]). The Malwr reports for those samples [9] [10] [11] [12] [13] [14] [15] [16] show a malicious binary downloaded from:

store.brugomug.co.uk/765f46vb.exe
ggbongs.com/765f46vb.exe
dragonex.com/765f46vb.exe
homedesire.co.uk/765f46vb.exe
scorpena.com/765f46vb.exe
pockettypewriter.co.uk/765f46vb.exe
enduro.si/pdf/765f46vb.exe
185.130.7.22/files/qFBC5Y.exe

Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses [17] [18] [19] [20] the malware phones home to:

83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)

All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.

The other binary appears to be another version of Locky which appears to phone home to the same servers.

Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100

Malware spam: "Samson Floyd agent Fedex" / "FeDex-service"

This fake FedEx spam has a malicious attachment:

From:    FeDex-service
Date:    8 March 2016 at 11:40
Subject:    Samson Floyd agent Fedex

Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.

Label: US45928402845
Expected Delivery Date: March 07th, 2016
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent

Thank you for choosing our service

Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js which is rather curious [pastebin]. This attempts to download an executable from:

www.fotoleonia.it/files/sample.exe

This has a VirusTotal detection rate of 4/54. The Malwr report shows a subsequent download from:

www.claudiocalaprice.com/modules/fedex/pad.exe

This has similar detections to the first binary.  That Malwr report also indicates the binary POSTing data to:

pdf.repack.bike/new_and/state.php

This is hosted on:

151.80.76.200 (Kitdos, US / OVH, France)

I would suggest that the entire 151.80.76.200/29 range is questionable and should be blocked.

None of the automated tools I ran [1] [2] [3] [4] gave any insight as to what the malware does, but it is clearly something malicious.

Malware spam: "Closing bill" / "MyBill [mybill.central@affinitywater.co.uk]"

This fake financial spam does not come from Affinity Water but is instead a simple forgery with a malicious attachment.

From     MyBill [mybill.central@affinitywater.co.uk]
Date     Fri, 04 Mar 2016 14:50:57 +0530
Subject     Closing bill

Dear customer

Please find attached a copy of closing bill as requested.


Kind Regards

Natasha Hawkes
Customer Relations Advisor

affinitywater.co.uk

_________________________________________________________________________

This e-mail
(including any attachments) is confidential and may also be legally privileged or
otherwise protected from disclosure. If you are not the intended recipient of this
e-mail or any parts of it please notify us by reply e-mail or by telephone on 01707
268 111 immediately on receipt and then delete the message from your system. You
should not disclose the contents to any other person, nor take copies nor use it
for any purposes and to do so could be unlawful. The presence of this footnote indicates:
this email message has been tested for the presence of known computer viruses, unless
the email has been encrypted (in part or full) wherein the email will not be checked
for computer viruses. All incoming and outgoing emails may be monitored in line with
current legislation. Affinity Water Limited (Company Number 02546950) is registered
in England and Wales having their registered office, at Tamblin Way, Hatfield, Hertfordshire,
AL10 9EZ. www.affinitywater.co.uk

_____________________________________________________________________________

Attached is a partly randomly-named file, for exampple 081155545_1735494_18836.xls - the first two numbers are random, the third is always "18836". So far I have seen just two variants of this (there may be more) with detection rates of about 5/56 [1] [2] which according to the Malwr reports [3]  [4] download a binary from the following locations:

prettymom.ru/system/logs/vbry73f34f.exe
desean.com.sg/system/logs/vbry73f34f.exe

This binary has a detection rate of 6/56. Analysis is pending, however this looks like the Dridex banking trojan.

UPDATE 1

The comments in the VirusTotal scan give some more download locations:

2.casino-engine.ru/games/megajack/vbry73f34f.exe
shop-bedep.com/system/logs/vbry73f34f.exe
17.rent-shops.ru/system/logs/vbry73f34f.exe

Curiously "Bedep" is the name of a trojan. These Hybrid Analysis reports [1] [2] [3] show malicious traffic to:

188.165.215.180 (OVH, France)

I strongly recommend that you block traffic to that IP.

UPDATE2

Some additional download locations and C&C servers to block, from another source (thank you!)

jean-daniel.com.ua/system/logs/vbry73f34f.exe
namkeendelights.com/system/logs/vbry73f34f.exe

Overall, some of these download locations look like good candidates for blocking, especially:

81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)

These additional C&C servers have been seen before:

78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)

Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57

Malware spam: "March Invoice" / "Balkan Dream Properties"

This fake financial spam can't make up its mind which month it is for.

From:    Caitlin Velez
Date:    1 March 2016 at 11:50
Subject:    March Invoice

Hi,

Attached is the November invoice.

Thanks!

Caitlin Velez
Customer Service
Balkan Dream Properties
090-157-5969

So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero.

This Malwr report shows that it is the Locky ransomware, download a binary from:

intuit.bitdefenderdistributor.info/intrabmw/get.php

This is hosted on a bad webserver at..

93.95.100.141 (Mediasoft ekspert, Russia)

..and it then phones home to..

5.34.183.195 (ITL / UA Servers, Ukraine)

There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..

31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)

Recommeded blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment:

From:    admin [ands21@victimdomain.tld]
Date:    29 February 2016 at 19:05
Subject:    Scanned image

Image data in PDF format has been attached to this email.

The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js  I have seen three different versions of the attached scripts with detection rates of around 1/55 [1] [2] [3]. The Malwr reports for those [4] [5] [6] show download locations at:

www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution.in.th/system/logs/7ygvtyvb7niim.exe

This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:

51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)

Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to:

51.254.19.227
185.14.29.188

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.

From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.

Attached is a file with a semirandomly name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106

Malware spam: "Payment" / Laurence Cottle [lcottle60@gmail.com]

This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the email address has a random number appeneded to it

From:    Laurence Cottle [lcottle60@gmail.com]
Date:    18 February 2016 at 13:35
Subject:    Payment

Hi

Any chance of getting this invoice paid, please?

Many thanks

Laurence

Attached is a file unnamed document.docm which comes in several different versions.

Third-party analysis (thank you!) reveals that there are download locations at:

acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe
alkofuror.com/system/engine/7647gd7b43f43.exe
merichome.com/system/logs/7647gd7b43f43.exe
organichorsesupplements.co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo.com/image/templates/7647gd7b43f43.exe
tutikutyu.hu/system/logs/7647gd7b43f43.exe
vipkalyan.com.ua/system/logs/7647gd7b43f43.exe

This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.

MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e  
9f622033cfe7234645c3c2d922ed5279

The malware phones home to:

195.154.241.208/main.php
46.4.239.76/main.php
94.242.57.45/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
wblejsfob.pw/main.php

Out of those, the most supect IPs are:

195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)

Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70

Malware spam: "Message from local network scanner" / Scann16011310150.docf

This fake document scan comes with a malicious attachment.

From:    jpaoscanner@victimdomain.tld
Date:    14 January 2016 at 10:45
Subject:    Message from local network scanner

There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.

Attached is a file Scann16011310150.docf which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The file is a Word document, despite the extension.. I don't think anything opens DOCF files by default. This is maybe an error, or perhaps some sort of social engineering, or perhaps simply a way to bypass security filters.

Analysis of these documents is pending (check back later), however this is likely to be the Dridex banking trojan. Please check back.

UPDATE 1

Analysis is running slowing this morning, however this Hybrid Analysis shows one of the samples in action, downloading a binary from:

www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe

This has a detection rate of 3/55. That same analysis reports that it phones home to:

188.138.88.14 (PlusServer AG, France)

I strongly recommend that you block traffic to that IP.

UPDATE 2

These two Malwr reports [1] [2] reveal some additional download locations:

www.gooutsidethebox.net/786h5g4/9787g4fr4.exe
199.59.58.162/~admin1/786h5g4/9787g4fr4.exe