Malware spam: "Statement as at 30/06/2015" / "Manchester Accounts [manchester.accounts@hobsrepro.com]" / "blogdynamoocom.exe"

This fake financial spam does not come from Hobs Reprographics plc but instead is a simple forgery with a malicious attachment. The malware also rather cheekily includes a reference to this blog. Привет, ребята!

From:    Manchester Accounts [manchester.accounts@hobsrepro.com]
Date:    6 July 2015 at 07:10
Subject:    Statement as at 30/06/2015

Please find attached statement from HOBS REPROGRAPHICS PLC as at
30/06/2015.

Please note that our payment terms are 30 days.

So far I have only seen one sample, with an attachment named ELLE013006.doc [VT 4/54] which contains this malicious macro [pastebin] which downloads a malicious executable from:

ozelduzensurucukursu.com/253/632.exe

Well, it would do, but in the sample I have there's a syntax error in the URL..

There are usually several versions of the document, probably some of the others work OK. The executable is saved as %TEMP%\blogdynamoocom.exe (see what they did there?) and has a VirusTotal detection rate of 1/50. Automated analysis tools [1] [2] [3] indicates that the malware phones home to:

62.210.214.106 (OVH, France)
93.89.224.97 (Isimtescil, Cyprus)
87.236.215.151 (OneGbits, Lithuania)

The payload to this is almost definitely the Dridex banking trojan.

Recommended blocklist:
62.210.214.106
93.89.224.97
87.236.215.151

MD5:
9daf4c0bca8fbba53517fdab1ef4e16d
1a468423fc391c90a6e4d6c0dbbc085f