Sponsored by..

Wednesday 17 February 2016

Malware spam: "Rechnung 2016-11365" / mpsmobile GmbH [info@mpsmobile.de]

This bilingual spam does not come from mpsmobile but is instead a simple forgery with a malicious attachment.

From:    mpsmobile GmbH [info@mpsmobile.de]
Date:    17 February 2016 at 12:23
Subject:    Rechnung 2016-11365

Sehr geehrte Damen und Herren,

anbei erhalten Sie das Dokument 'Rechnung 2016-11365' im DOC-Format. Um es betrachten und ausdrucken zu können, ist der DOC Reader erforderlich. Diesen können Sie sich kostenlos in der aktuellen Version aus dem Internet installieren.

Mit freundlichen Grüssen
mpsmobile Team


Dear Ladies and Gentlemen,

please find attached document ''Rechnung 2016-11365' im DOC-Format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.

Best regards
mpsmobile GmbH
mpsmobile GmbH
Brühlstrasse 42
88416 Ochsenhausen
Tel: +49 7352 923 23 0
Fax: +49 7352 923 23-29
Email: info@mpsmobile.de
Handelsregister Amstgericht ULM HRB 727290
Sitz der Gesellschaft: Ochsenhausen
UStIDNr: DE 281079008
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet.

In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54.

According to this Malwr report  the binary attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It attempts to download a binary from:


This dropped file has a detection rate of 3/53.  Analysis of the file is pending, but overall this has been made more complicated because the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed.

Machines infected with Locky will display a message similar to this:

Unfortunately, the only known way to recover from this is to restore files from offline backup once the infection has been removed from the PC.


Another version plopped into my inbox, VT 7/54  and according to this Malwr report, it downloads from:


This variant POSTs to a server at: (Myidealhost.com  / Hetzner, Germany)

It is likely that the C2 server (identified in the previous report) is: (PlusServer AG, Germany)

Recommended blocklist:

1 comment:

PC.Tech said...

Related: https://www.virustotal.com/en/ip-address/
>> https://www.virustotal.com/en/file/02b00f7615e1fd9091d947dad00dfe60528d9015b694374df2b5525ea6dd1301/analysis/ https://www.virustotal.com/en/ip-address/
>> https://www.virustotal.com/en/url/8a4a7287784f37507098cc064b805570e127b71056d1a6fefce92bd6a924d20c/analysis/