From: Rose Lu [salesdeinnovative@technologist.com]
Date: 29 March 2016 at 02:30
Subject: Re: New Order P2016280375
Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
Best regards
Rose Lu
Office Manager
Suzhou Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China
Tel: +86 512 6596 0151 Fax: +86 512 6252 1796
Cell: +86 186 2520 8037
Skype: rose.lu22
Email: luyi@eg-ev.com
Web: http://www.eagle-ev.com http://www.eg-ev.com http://szeagle.en.alibaba.com http://www.chinaelectricvehicle.com http://szeagle-golfcar.en.made-in-china.com
Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58. The Malwr report is inconclusive, but does appear to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object:
Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe
So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn.no-ip.biz hosted on:
105.112.39.114 (Airtel, Nigeria)
I strongly recommend that you block traffic to that IP. In fact, the entire very large 105.112.0.0/12 is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before) so you might want to consider blocking those too.
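The embedded-object check described above can be automated on the defender's side. The following is an added example (not code from this post): a .docx is a ZIP container, and embedded OLE objects sit under word/embeddings/, so the script lists those entries, notes the OLE compound-file header, and flags printable strings that look like executable names or Windows paths. The sample document is constructed in memory for illustration; the file names and regexes are my own assumptions.

```python
import io
import re
import zipfile

# OLE compound file magic; embedded objects in a docx normally carry it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")            # printable runs, 5+ chars
SUSPICIOUS = re.compile(rb"(?i)\.exe$|\.scr$|\.js$|\.vbs$|^[a-z]:\\")


def build_sample_docx() -> bytes:
    """Constructed test input: a docx-like ZIP with one fake OLE embedding."""
    payload = (OLE_MAGIC + b"\x00" * 32 + b"Crypted.exe\x00"
               + b"C:\\Users\\user\\Desktop\\Crypted.exe\x00"
               + b"C:\\Users\\user\\AppData\\Local\\Temp\\Crypted.exe\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


def scan_docx_embeddings(docx_bytes: bytes) -> dict:
    """Return {embedding entry: [findings]} for a docx given as raw bytes.

    An embedding is reported when it carries the OLE header or contains
    printable strings naming an executable or a Windows file path.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = z.read(name)
            hits = []
            if data.startswith(OLE_MAGIC):
                hits.append("OLE compound file header present")
            for m in ASCII_RUN.finditer(data):
                if SUSPICIOUS.search(m.group()):
                    hits.append(m.group().decode("ascii"))
            if hits:
                findings[name] = hits
    return findings


if __name__ == "__main__":
    for entry, hits in scan_docx_embeddings(build_sample_docx()).items():
        print(entry, *hits, sep="\n    ")
```

Replace build_sample_docx() with open("suspect.docx", "rb").read() to triage a real attachment; a hit on a path like C:\Users\...\Crypted.exe is a strong reason to quarantine rather than open it.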