
Monday 3 November 2014

TM Group "A new invoice AB1234567C has been created for You" spam

This fake invoice is meant to come from a company called TM Group (but it doesn't). It comes with a malicious Word document attached.

From:     Taylor Slater
Date:     3 November 2014 09:32
Subject:     A new invoice FM0509816M has been created for You

Dear Client,

A new invoice, FM0509816M  has been created. Please find it attached.

Kind regards, Taylor Slater
TM Group
Helpdesk Billing

--------------------

From:     Winfred Chapman
Date:     3 November 2014 10:34
Subject:     A new invoice MP4729736L has been created for You

Dear Client,

A new invoice, MP4729736L  has been created. Please find it attached.

Kind regards, Winfred Chapman
TM Group
Helpdesk Billing

--------------------

From:     Lionel Lowery
Date:     3 November 2014 11:05
Subject:     A new invoice LB7236759Y has been created for You

Dear Client,

A new invoice, LB7236759Y  has been created. Please find it attached.

Kind regards, Lionel Lowery
TM Group
Helpdesk Billing

--------------------

From:     Trey Leonard
Date:     3 November 2014 11:05
Subject:     A new invoice LM839596Q has been created for You

Dear Client,

A new invoice, LM839596Q  has been created. Please find it attached.

Kind regards, Trey Leonard
TM Group
Helpdesk Billing

--------------------

From:     Helga Wilkinson
Date:     3 November 2014 12:16
Subject:     A new invoice NT9263036Z has been created for You

Dear Client,

A new invoice, NT9263036Z  has been created. Please find it attached.

Kind regards, Helga Wilkinson
TM Group
Helpdesk Billing

--------------------

From:     Carol Day
Date:     3 November 2014 11:44
Subject:     A new invoice DQ8914435K has been created for You

Dear Client,

A new invoice, DQ8914435K  has been created. Please find it attached.

Kind regards, Carol Day
TM Group
Helpdesk Billing

--------------------

From:     Corey Graham
Date:     3 November 2014 11:42
Subject:     A new invoice TQ022815G has been created for You

Dear Client,

A new invoice, TQ022815G  has been created. Please find it attached.

Kind regards, Corey Graham
TM Group
Helpdesk Billing

--------------------

From:     Josefina Deleon
Date:     3 November 2014 11:34
Subject:     A new invoice KZ561472B has been created for You

Dear Client,

A new invoice, KZ561472B  has been created. Please find it attached.

Kind regards, Josefina Deleon
TM Group
Helpdesk Billing

Attached is a Word document with the same filename as the supposed invoice number. So far I have seen three variations:
The macros download a further malicious file from one of the following locations:

http://149.62.168.210:8080/doc/8.exe
http://111.125.170.132:8080/doc/8.exe
http://121.78.88.208:8080/doc/8.exe

This binary has a detection rate of just 2/54. The Malwr report shows this binary reaches out to the following locations:

http://91.222.139.45/4gA6Cw%2CuZ%265%2B7/TvPKRfz@/tpm=MCPSixTbfs6%2B
http://213.140.115.29/gfffgwtmjg6_w+8j+$%26icb%3D_f2=%2Dj66/@c3qrn=b%7E%2C+1tg026.i%24w./x%2Dlq5e%2D
http://213.140.115.29/uziFUA/wE0ArLF~2K%2DuQjXh3ak/7IvEHrPuf
http://213.140.115.29/hIR%3D7nkeM%2CgV/%2C@fN0iWI/+arv9NF%24F

The malware also drops a malicious DLL with a VirusTotal detection rate of 9/54, which is identified as Cridex.

Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208
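As an added example (not part of the original post), the indicators above can be turned into a simple detection pass over mail subjects and web proxy logs. The subject regex is an assumption generalised from the eight subjects quoted above, the `:8080/doc/8.exe` path shape is taken from the three macro download locations, and the log lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Recommended blocklist from the post.
BLOCKLIST = {"91.222.139.45", "213.140.115.29", "149.62.168.210",
             "111.125.170.132", "121.78.88.208"}
# Path and port shared by the three macro download URLs in the post.
DOWNLOAD_PATH = "/doc/8.exe"
DOWNLOAD_PORT = 8080

# Assumed subject pattern: two letters, 6-7 digits, one letter, as in the
# quoted samples (e.g. FM0509816M, TQ022815G).
SUBJECT_RE = re.compile(
    r"^A new invoice [A-Z]{2}\d{6,7}[A-Z] has been created for You$")


def is_lure_subject(subject: str) -> bool:
    """True when a mail subject matches the observed lure template."""
    return bool(SUBJECT_RE.match(subject.strip()))


def classify_url(url: str) -> Optional[str]:
    """Return a reason if the URL hits a blocklisted host or the known
    download path/port combination, otherwise None."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if host in BLOCKLIST:
        return f"blocklisted host {host}"
    if parts.path == DOWNLOAD_PATH and parts.port == DOWNLOAD_PORT:
        return "macro download path pattern"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for each 'client url' line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed lines rather than crashing
        reason = classify_url(fields[1])
        if reason:
            hits.append((fields[0], fields[1], reason))
    return hits


# Constructed sample proxy log lines (not real traffic); 203.0.113.9 is a
# documentation address used to show the path-pattern match on an unknown host.
SAMPLE_LOG = [
    "10.0.0.12 http://149.62.168.210:8080/doc/8.exe",
    "10.0.0.12 http://213.140.115.29/uziFUA/wE0ArLF~2K%2DuQjXh3ak/7IvEHrPuf",
    "10.0.0.33 http://example.com/index.html",
    "10.0.0.45 http://203.0.113.9:8080/doc/8.exe",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```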
