From: Federal Trade Commission [email@example.com]
Date: 17 April 2017 at 15:25
Subject: RE: RE: ftc refund
It seems we can claim a refund from the FTC.
Check this out and give me a call.
The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for firstname.lastname@example.org it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)
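Because the id parameter is just Base64 of a fixed prefix, the recipient's address and a fixed suffix, a defender can decode any such URL seen in proxy or mail-gateway logs to learn exactly who in the organisation was targeted. The following is an added example, not code from the original post: it assumes the 6281/5434 wrapper is constant across the campaign (as the post observed) and uses a constructed proxy log in a hypothetical "date time client-ip method url status" format.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Wrapper digits observed around the recipient address in the lure URL
# (taken from the post; assumed constant for this campaign).
ID_PREFIX = "6281"
ID_SUFFIX = "5434"
LURE_HOST = "thecomplete180.com"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_id(token):
    """Base64-decode the id= value, tolerating stripped padding and URL-safe alphabets."""
    token = token.strip()
    token += "=" * (-len(token) % 4)  # restore padding if the sender dropped it
    try:
        raw = base64.b64decode(token, altchars=b"-_", validate=False)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def recipient_from_id(token):
    """Return the recipient address if the decoded id matches 6281<email>5434, else None."""
    decoded = decode_id(token)
    if decoded is None:
        return None
    if not (decoded.startswith(ID_PREFIX) and decoded.endswith(ID_SUFFIX)):
        return None
    inner = decoded[len(ID_PREFIX):-len(ID_SUFFIX)]
    return inner if EMAIL_RE.match(inner) else None


def recipient_from_url(url):
    """Pull id= out of a lure URL and recover the recipient address.

    A regex is used instead of parse_qs so that '+' in standard Base64 is
    not turned into a space; only percent-encoding is undone.
    """
    m = re.search(r"[?&]id=([^&#\s]+)", url)
    if not m:
        return None
    return recipient_from_id(unquote(m.group(1)))


def build_id(email):
    """Reproduce the campaign's encoding; used here only to construct test data."""
    return base64.b64encode(f"{ID_PREFIX}{email}{ID_SUFFIX}".encode()).decode()


# Constructed sample proxy log (hypothetical format, not from the original post).
SAMPLE_PROXY_LOG = """\
2017-04-17 15:31:02 10.0.0.12 GET http://thecomplete180.com/view.php?id=NjI4MWZpcnN0bmFtZS5sYXN0bmFtZUBleGFtcGxlLm9yZzU0MzQ= 200
2017-04-17 15:31:40 10.0.0.12 GET http://www.example.org/ 200
2017-04-17 15:33:11 10.0.0.45 GET http://thecomplete180.com/view.php?id=Zm9vYmFy 404
"""


def targeted_recipients(log_text):
    """Scan log lines for lure URLs on the phishing host; return (client_ip, recipient) pairs."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        for url in re.findall(r"https?://\S+", line):
            if urlparse(url).hostname != LURE_HOST:
                continue
            rcpt = recipient_from_url(url)
            if rcpt:
                hits.append((fields[2], rcpt))  # fields[2] is the client IP in the constructed format
    return hits


if __name__ == "__main__":
    for ip, rcpt in targeted_recipients(SAMPLE_PROXY_LOG):
        print(f"{ip} fetched the lure addressed to {rcpt}")
```

Any hit from targeted_recipients tells you which mailbox the lure was sent to and which host clicked it, which is the starting point for checking whether the macro-laden document was opened on that machine.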
Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.
Automated analysis shows network traffic to:
It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.
Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:
Perhaps more usefully, we can associate that registrant with the following IPs:
18.104.22.168 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
22.214.171.124 (PS Internet Company LLC, Kazakhstan)
126.96.36.199 (Sinarohost, Netherlands)
188.8.131.52 (HZ Hosting, Bulgaria)
184.108.40.206 (SmartApe, Russia)
220.127.116.11 (Sia Vps Hosting, Latvia)
18.104.22.168 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
22.214.171.124 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
126.96.36.199 (Prometey Ltd, Russia)
188.8.131.52 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
184.108.40.206 (Alibaba.com, China)
220.127.116.11 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
18.104.22.168 (Keyweb AG, Germany)
22.214.171.124 (Overoptic Systems, Russia)
126.96.36.199 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
188.8.131.52 (NTCOM, Russia)
This gives us a pretty useful minimum blocklist: