From: Amazon.co.uk [auto-shipping@amazon.co.uk]The Word document contains a malicious macro [pastebin] but is currently undetected at VirusTotal (the Malwr report doesn't say much but is here).
Reply-To: "auto-shipping@amazon.co.uk" [auto-shipping@amazon.co.uk]
Date: 31 October 2014 09:12
Subject: Your Amazon.co.uk order has dispatched (#203-2083868-0173124)
Dear Customer,
Greetings from Amazon.co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account
Your order #203-2083868-0173124 (received October 30, 2014)
Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us. O=
ccasionally though, we know you may want to return items. Read more about o=
ur Returns Policy at: http://www.amazon.co.uk/returns-policy/
Further, under the United Kingdom's Distance Selling Regulations, you have =
the right to cancel the contract for the purchase of any of these items wit=
hin a period of 7 working days, beginning with the day after the day on whi=
ch the item is delivered. This applies to all of our products. However, we =
regret that we cannot accept cancellations of contracts for the purchase of=
video, DVD, audio, video games and software products where the item has be=
en unsealed. Please note that we are unable to accept cancellation of, or r=
eturns for, digital items once downloading has commenced. Otherwise, we can=
accept returns of complete product, which is unused and in an "as new" con=
dition.
Our Returns Support Centre will guide you through our Returns Policy and, w=
here relevant, provide you with a printable personalised return label. Ple=
ase go to http://www.amazon.co.uk/returns-support to use our Returns Suppor=
t Centre.
To cancel this contract, please pack the relevant item securely, attach you=
r personalised return label and send it to us with the delivery slip so tha=
t we receive it within 7 working days after the day of the date that the it=
em was delivered to you or, in the case of large items delivered by our spe=
cialist couriers, contact Amazon.co.uk customer services using the link bel=
ow within 7 working days after the date that the item was delivered to you =
to discuss the return.
https://www.amazon.co.uk/gp/css/returns/homepage.html
For your protection, where you are returning an item to us, we recommend th=
at you use a recorded-delivery service. Please note that you will be respon=
sible for the costs of returning the goods to us unless we delivered the it=
em to you in error or the item is faulty. If we do not receive the item bac=
k from you, we may arrange for collection of the item from your residence a=
t your cost. You should be aware that, once we begin the delivery process, =
you will not be able to cancel any contract you have with us for services c=
arried out by us (e.g. gift wrapping).
Please also note that you will be responsible for the costs of collection i=
n the event that our specialist courier service collect a large item from y=
ou to return to us.
As soon as we receive notice of your cancellation of this order, we will re=
fund the relevant part of the purchase price for that item.=20
Should you have any questions, feel free to visit our online Help Desk at:=
=20
http://www.amazon.co.uk/help
If you've explored the above links but still need to get in touch with us, =
you will find more contact details at the online Help Desk.=20
Note: this e-mail was sent from a notification-only e-mail address that can=
not accept incoming e-mail. Please do not reply to this message.=20
Thank you for shopping at Amazon.co.uk
-------------------------------------------------
Amazon EU S.=C3=A0.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------
The macro then downloads http://ctmail.me/1.exe and executes it. This malicious binary has a a detection rate of 4/52, and according to the Malwr report it contacts the following URLs:
http://84.40.9.34/Xl37yRuH5LS6Nqk/~yNk%2C2IO.1Jw9/wm@OF0fR%2BPvics%2CR8H/br~%262O%2Cu3k%3FI~i7%2D
http://213.143.97.18/wPfG2lK%24F/ET0~4%3De$4UsZiwg@/fJ_6E%24
http://213.143.97.18/iXxTuXI@6s1/NzJ%2CbsSmuQsl/n3
http://213.143.97.18/Yug4oQ83$~J%249BH/y93%266@@L3%3DL%26b88UmM/%24%24
http://213.143.97.18/Pizz.%2D%2CksZ@1&T/bYNr%2B9%2CK%2D1i%2BCGqLi%2Bw
http://213.143.97.18/vh/esx5rBQsLNKRJ%7E+$%2C_5KQk%2BeQpaGr/&4b0ERginAuG/zx$.G6K%3F
http://213.143.97.18/sxvxyZOihv%2C=@3v/%2BSb@9E9blzBnL7k0~TGg.OGq51%2BE5/&wru.x/%24
84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54.
Recommended blocklist 1:
213.143.97.18
84.40.9.34
ctmail.me
UPDATE 1 - 2014-11-03
A very similar email is doing the rounds this morning with a different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54 and contains this malicious macro [pastebin]. This downloads a file from http://hilfecenter-harz.de/1.exe which also has zero detections at VirusTotal. According the the Malwr report this binary connects to the following URLs:
http://84.40.9.34/E8Zf43JY1/8/wXw4M%26H~J%7EQ5/./
http://37.139.23.200/NQwFPhXiqAw/i27%24Yz~M%2CS_/x$%2DKWssW9Yh/L3
http://37.139.23.200/jrsw4wgnsT4I2/p%3F%3FZ@BCiUhaO9FYoN~/JAkmQ+Z@1
http://37.139.23.200/unu0q1vzg3~tmww%3Fkp/ayf0u%24&l$%2Cqc%3F3@2+f.=hcf_c+vyqly%2Co.7/l%20nloj%7E%3F
http://37.139.23.200/RqCGVww2Sup3iH5rZ/h=abyF$sO%3DheysYSV/n5%3Fs/
It also downloads a malicious DLL which has a VirusTotal detection rate of 7/54 which identifies this as a version of Cridex.
Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter-harz.de
garfield67.de
UPDATE 2 - 2014-11-03
A second version of the attachment is also being circulated, this time with a slightly different macro [pastebin] which downloads the same binary as before from http://garfield67.de/1.exe. I have updated blocklist 2.
UPDATE 3 - 2014-11-06
The spam has been updated with a new date and there are now three new malicious Word documents [1] [2] [3] [Malwr report] which contains one of two macros [1] [2] that download a malware binary from one of the two following locations:
http://castours.com/js/bin.exe
http://www.irming.hr/js/bin.exe
This file is saved as %TEMP%\LNZMTDCWLZX.exe and has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to:
http://84.40.9.34/NjTrZuSH2&rb/@&RT/aATv%2BqGe%2C
It also drops a DLL which has a VirusTotal detection rate of 8/53 which is identified as Cridex.