Thursday, 11 May 2017
Senders are random, and there is no body text. In all cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED or 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate.
The PDF file contains an embedded Word .docm macro document. Hybrid Analysis is only partly successful: it reports a run-time error for the malicious code, but it does demonstrate that the malicious .docm file is dropped, with a detection rate of 15/58.
Putting the .docm file back into Hybrid Analysis and Malwr shows the same sort of results, namely a download from:
Given that this seems to be coming from the Necurs botnet, this is probably Locky or Dridex.
A contact pointed out this Hybrid Analysis which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which matches this Tweet about something called "Jaff ransomware".
That report also gives two other locations to look out for:
This currently gives a recommended blocklist of:
Tuesday, 2 May 2017
From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
Subject: DHL Shipment 458878382814 Delivered
You can track this order by clicking on the following link:
Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.
All weights are estimated.
The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.
This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.
Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.
In this case the link goes to parkpaladium.com/DHL24/18218056431/ and downloads a file DHL-134843-May-02-2017-55038-8327373-1339347112.js which looks like this.
According to Malwr and Hybrid Analysis the script downloads a binary from micromatrices.com/qwh7zxijifxsnxg20mlwa/ (184.108.40.206 - UK2, UK) and then subsequently attempts communication with
The dropped binary has a VirusTotal detection rate of 10/60.
Thursday, 27 April 2017
From: ScotiaBank [Secure.Mail@scotiabankmail.com]
Date: 27 April 2017 at 14:13
Subject: Secure email communication
Signed by: scotiabankmail.com
Scotia Secure Email Logo
Secure mail waiting: (Secure)
Scotiabank has sent you a secure, encrypted e-mail message. To view this e-mail, please visit "Scotiabank Secure Email Service" or check attach file. For further information on how to use this service please reffer to "the Secure Email User Guide".
The email you receive from Scotiabank, including any attachments, may contain confidential and/or privileged information for the intended recipient(s) only and the sender does not waive any related legal rights or privilege. Any use or disclosure of the information by an unintended recipient is unauthorized and prohibited. If you have received an email message in error, please delete the entire message, including attachments if any, and inform us by return email.
Hybrid Analysis shows a download from elevationstairs.ca/fonts/dde60c5776c175c54d23d2b0c.png [18.104.22.168 - Host Papa, US] leading to a dropped file Pscou.exe which has a detection rate of 11/61 and appears to be Upatre.
Malwr Analysis of the downloaded file shows attempted communications to:
22.214.171.124 (Ringnett, Norway)
126.96.36.199 (Level 3, US)
188.8.131.52 (Ringnett, Norway)
scotiabankmail.com has been registered specifically for this attack, so blocking the domain is reasonable; alternatively you can block the sending IP of 184.108.40.206 (City Network Hosting AB, Sweden).
From: Aretha Stickles [mailto:firstname.lastname@example.org]
Sent: 27 April 2017 12:31
Subject: Delivery attempt fail notice
Dеаr customеr [redacted]
Your pаrcel has been in the post office for a very long time.
You must to receive it it within five days.
Expeсted Delivery Dаte: April 21, 2017
Class: Packagе Servicеs
Sеrvicе: Delivery Confirmatiоn
Stаtus: eNote Sent
Tо downloаd thе shipping invоicе, visit the link:
If you do not take it within the specified time, we will have to return it to the sender.
Please print out an order for your pack and take it at the post office.
© Royal Mail Grоup Ltd. 2017. All rights rеsеrved
Despite the link appearing to be from "royalmail.com" it's actually a Google redirector.
This bounces to centregold.org [220.127.116.11 - Krek Ltd, Russia] then a load balancer at rns.tobeylabs.com/tracking/delivery/tracking.php?id=554 [18.104.22.168 - KingServers, Netherlands] then either http://booniff.com/delivery/Pack_9356667UK.zip [22.214.171.124 - Amino Communications, US] or https://purolator.topatlantanursinghomelawyer.com/tracking/parcel/Notification_37352742UK.zip [126.96.36.199 - KingServers, Netherlands].
Note that the name of the .ZIP is generated dynamically, so there is some variation in filenames.
Inside the ZIP files is a malicious script (e.g. Pack_9356667UK.js) which according to Hybrid Analysis then communicates with a website at 188.8.131.52 [the same KingServers /24 as before!] and it drops a file mstsc.exe with VirusTotal detection rate of 11/57.
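The display-text-versus-destination trick in the Royal Mail lure above (a visible royalmail.com link that is really a Google redirector) can be checked statically before anyone clicks. This is an added example, not code from the original post; the sample link is constructed to match the post's description, and the redirector host list beyond google.com/url is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Open-redirect wrappers to unwrap statically. google.com/url is the one named in
# the post above; treating both hostnames as equivalent is an assumption.
REDIRECTORS = {"www.google.com", "google.com"}

# Constructed sample modelled on the lure: the text the reader sees claims
# royalmail.com, while the href is a Google redirect whose q= parameter points at
# the first hop named in the post (centregold.org). Not the actual campaign URL.
SAMPLE_LINK = (
    "https://www.royalmail.com/track-your-item",
    "https://www.google.com/url?q=http://centregold.org/tracking/&sa=D",
)

DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def unwrap_redirect(url: str) -> str:
    """Peel google.com/url?q=... style wrappers without touching the network."""
    p = urlparse(url)
    while p.netloc.lower() in REDIRECTORS and p.path == "/url":
        params = parse_qs(p.query)
        target = params.get("q") or params.get("url")
        if not target:
            break
        url = target[0]
        p = urlparse(url)
    return url

def analyse_link(display_text: str, href: str) -> dict:
    """Compare the domain a user sees with where the click actually lands."""
    shown = DOMAIN_IN_TEXT.search(display_text)
    shown_host = shown.group(1).lower() if shown else None
    href_host = urlparse(href).netloc.lower()
    final = unwrap_redirect(href)
    final_host = urlparse(final).netloc.lower()
    # Same host, or a subdomain of the shown domain, counts as consistent.
    consistent = shown_host is not None and (
        final_host == shown_host or final_host.endswith("." + shown_host)
    )
    return {
        "shown_host": shown_host,
        "href_host": href_host,
        "redirector": href_host in REDIRECTORS,
        "final_url": final,
        "final_host": final_host,
        "mismatch": shown_host is not None and not consistent,
    }

if __name__ == "__main__":
    for key, value in analyse_link(*SAMPLE_LINK).items():
        print(f"{key}: {value}")
```

A mismatch plus a redirector host is the signal to hold the message for review rather than trust the visible branding.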
Wednesday, 19 April 2017
The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf).
From: email@example.com
Date: Wed, 19 Apr 2017 17:19:51 +0500
Subject: Copy of your 123-reg invoice ( 123-093702027 )
Thank you for your order.
Please find attached to this email a receipt for this payment.
Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team.
This PDF file appears to drop an Office document according to VirusTotal results.
Hybrid Analysis shows the document dropping a malicious executable with a detection rate of 15/61. It appears to contact the following IPs (some of which contain legitimate sites):
The general prognosis seems to be that this is dropping the Dridex banking trojan.
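Both the nm.pdf (Jaff) post and this 123-reg post describe the same delivery trick: a PDF that only acts as a carrier for an embedded Office document. The static triage below is an added example, not code from the original posts; it uses the two nm.pdf MD5s quoted above as the known-bad set, and the sample PDF is a constructed, simplified skeleton rather than a real sample.

```python
import hashlib
import re

# MD5s of nm.pdf quoted in the Jaff post above (the only page-specific hashes used).
KNOWN_BAD_MD5 = {
    "d4690177c76b5e86fbd9d6b8e8ee23ed",
    "6b305c5b59c235122fd8049b1c4c794d",
}
OFFICE_EXT = re.compile(rb"\.(docm|dotm|xlsm|xlam|pptm|doc|xls)\b", re.IGNORECASE)

# Constructed sample: a minimal PDF skeleton carrying one embedded macro document
# plus script and auto-open keys. The object layout is simplified and the
# embedded stream is a stub; this is not the campaign's PDF.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Names [(nm.docm) 3 0 R] >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (nm.docm) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\nPK\x03\x04\nendstream\nendobj\n"
    b"5 0 obj << /S /JavaScript /JS (stub) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def triage_pdf(data: bytes) -> dict:
    """Static triage: embedded files, attachment names, active content, hash match."""
    # /Filespec objects name the attachment; /F or /UF carries the filename string.
    names = re.findall(rb"/Filespec[^>]*?/(?:UF|F)\s*\(([^)]*)\)", data)
    f = {
        "md5": hashlib.md5(data).hexdigest(),
        "embedded_files": len(re.findall(rb"/EmbeddedFile\b", data)),
        "attachment_names": [n.decode("latin-1") for n in names],
        "office_attachment": any(OFFICE_EXT.search(n) for n in names),
        "javascript": bool(re.search(rb"/(?:JavaScript|JS)\b", data)),
        "auto_action": bool(re.search(rb"/(?:OpenAction|AA)\b", data)),
    }
    f["known_bad_hash"] = f["md5"] in KNOWN_BAD_MD5
    # An Office attachment combined with script or auto-open keys is the carrier
    # pattern from these campaigns; quarantine rather than wait for AV coverage.
    active = f["javascript"] or f["auto_action"]
    if f["known_bad_hash"] or (f["office_attachment"] and active):
        f["verdict"] = "quarantine"
    elif f["embedded_files"]:
        f["verdict"] = "review"
    else:
        f["verdict"] = "pass"
    return f

if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```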