From: Brandi Riley [BrandiRiley21849@horrod.com]
Date: 15 February 2016 at 12:20
Subject: Overdue Invoice 089737 - COMS PLC
Dear Customer,
The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Brandi Riley
COMS PLC
Attached is a file with a name in the format INVOICE-UK865916 2015 NOV.doc, which comes in several different versions (VirusTotal results [1] [2] [3]). Hybrid Analysis shows an attempted download from:
node1.beckerdrapkin.com/fiscal/auditreport.php
This is hosted on an IP that you can assume to be malicious:
193.32.68.40 (Veraton Projects, BZ / DE)
The dropped executable (detection rate 4/54) then phones home to:
194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)
The payload is the Dridex banking trojan.
Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229
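As an added example (not part of the original post), here is a small Python script that checks proxy logs against the indicators above: the download host and the four blocklist IPs. The log lines are constructed samples in Squid native format; real logs would be read from the proxy instead of the embedded string.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above: the download host and the C2/blocklist IPs.
BLOCKLIST_IPS = {"193.32.68.40", "194.58.92.2", "202.158.123.130", "185.24.92.229"}
BLOCKLIST_HOSTS = {"node1.beckerdrapkin.com"}

# Constructed sample lines in Squid native log format (time elapsed client
# code/status bytes method URL ident peer_status/peer_host type).
SAMPLE_LOG = """\
1455538800.123 45 10.1.2.3 TCP_MISS/200 5120 GET http://node1.beckerdrapkin.com/fiscal/auditreport.php - HIER_DIRECT/193.32.68.40 application/octet-stream
1455538805.456 12 10.1.2.3 TCP_MISS/200 340 POST http://194.58.92.2/ - HIER_DIRECT/194.58.92.2 text/html
1455538810.789 8 10.1.2.9 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)

def parse_line(line):
    """Return one Squid log line as a dict (plus the URL host), or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:  # not a Squid native line
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec

def match_indicators(rec, ips=BLOCKLIST_IPS, hosts=BLOCKLIST_HOSTS):
    """List the indicators a record touches: the URL host and the upstream peer IP."""
    reasons = []
    if rec["host"] in hosts:
        reasons.append("host:" + rec["host"])
    # A request to a literal-IP URL and its peer are the same address; report it once.
    for candidate in (rec["host"], rec["peer"]):
        if candidate in ips and "ip:" + candidate not in reasons:
            reasons.append("ip:" + candidate)
    return reasons

def scan_log(text):
    """Return (client, url, reasons) for every line that touches an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        reasons = match_indicators(rec) if rec else []
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits
```

Any hit on the first URL identifies a host that opened the document and ran the macro; hits on the C2 addresses alone indicate the executable is already running.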