From: sac.contact4e74974737@bol.com.br
To: mariomarinho@uol.com.br
Date: 18 June 2015 at 08:46
Subject: ELECTRONIC INVOICE (NOTA FISCAL ELETRÔNICA) CODE 6Uhrae.088693
Signed by: bol.com.br
Hello.
We are sending you the LINK to download the electronic invoice.
https://cfb53a79c1679ed75e40a391fa21b9b359784781.googledrive.com/host/[redacted]
If any of the details are wrong, please reply to us at the email nfe@jmcomercio.com.br.
Regards, DANI AIRES FINANCE DEPT.
18/06/15 :
04:46:18.161 :
''8636055042''WTg9R9cng3hYUD''RYkSkcFpJs''
Please do not "reply" to this message.
The reference numbers and sender change slightly in each version.
I've seen three samples so far, each with a different download location [a list is here], which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe with a VirusTotal detection rate of 8/57. Comments in that report indicate that this may be the Spy.Banker trojan.
The Malwr report indicates that it downloads components from the following locations:
http://donwup2015.com.br/arq/point.php
http://tynly2015.com.br/upt/ext.zlib
The Hybrid Analysis report also has some other details.
These sites are hosted on:
108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)
The VirusTotal reports for both of these IPs [1] [2] show a high level of badness, so they should be blocked.
Furthermore, Malwr shows that it drops a file with a detection rate of 2/57. As yet, I have only tested this on Malwr and it fails to run.
Recommended blocklist:
108.167.188.249
187.17.111.104
MD5s:
71070bc5e6b5c03c2e1d1ef4563c7b94
b969376c85d4e7f1a94ca3a2e416792e
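As an added example (not part of the original post), the script below turns the indicators listed above into a small detection check a defender can run offline: it scans Squid-style proxy access log lines for the two download hosts and the two IPs, flags attachment names matching the NFe_<digits>.zip / .exe lure pattern, and compares MD5 digests against the two hashes from the post. The log lines, the client addresses, the log format and the "Squid native" field layout are all constructed assumptions for illustration; the hosts, IPs, hashes and filename pattern come from the post.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators of compromise copied from the post above.
BAD_IPS = {"108.167.188.249", "187.17.111.104"}
BAD_HOSTS = {"donwup2015.com.br", "tynly2015.com.br"}
BAD_MD5 = {"71070bc5e6b5c03c2e1d1ef4563c7b94", "b969376c85d4e7f1a94ca3a2e416792e"}

# Lure attachment name from the post: NFe_<digits>.zip (the digits change per sample).
LURE_NAME = re.compile(r"^NFe_\d+\.(zip|exe)$", re.IGNORECASE)

# Assumed Squid native access-log layout (constructed for this example):
# <epoch> <elapsed> <client> <code/status> <bytes> <method> <url> <rfc931> <peer> <type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def indicator_for_url(url):
    """Return the matching host/IP indicator for a URL, or None if it is clean."""
    # CONNECT lines carry "host:port" with no scheme; add one so urlparse finds the host.
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname  # already lower-cased by urlparse
    if host is None:
        return None
    if host in BAD_IPS or host in BAD_HOSTS:
        return host
    return None


def scan_proxy_log(lines):
    """Return (timestamp, client, indicator, url) for every line that touched an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than fail
        indicator = indicator_for_url(m.group("url"))
        if indicator:
            hits.append((m.group("ts"), m.group("client"), indicator, m.group("url")))
    return hits


def is_known_md5(hexdigest):
    """True if a hex MD5 string (any case) is one of the post's listed hashes."""
    return hexdigest.strip().lower() in BAD_MD5


def is_known_sample(data):
    """Hash raw file bytes and check them against the listed MD5s."""
    return is_known_md5(hashlib.md5(data).hexdigest())


def is_lure_filename(name):
    """True if an attachment name follows the NFe_<digits>.zip/.exe lure pattern."""
    return bool(LURE_NAME.match(name))


# Constructed sample log: two fetches of the dropper's components, one benign
# request, and one CONNECT straight to a listed IP.
SAMPLE_LOG = [
    "1434615978.161    312 10.0.0.5 TCP_MISS/200 4521 GET http://donwup2015.com.br/arq/point.php - HIER_DIRECT/108.167.188.249 text/html",
    "1434615980.004    120 10.0.0.5 TCP_MISS/200 88213 GET http://tynly2015.com.br/upt/ext.zlib - HIER_DIRECT/187.17.111.104 application/octet-stream",
    "1434615981.500     45 10.0.0.7 TCP_HIT/200 1042 GET http://www.example.com/index.html - NONE/- text/html",
    "1434615982.900     80 10.0.0.9 TCP_TUNNEL/200 512 CONNECT 108.167.188.249:443 - HIER_DIRECT/108.167.188.249 -",
]

if __name__ == "__main__":
    for ts, client, indicator, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} client={client} hit={indicator} url={url}")
    print("lure name:", is_lure_filename("NFe_0185189710250029301785.zip"))
    print("known hash:", is_known_md5("71070bc5e6b5c03c2e1d1ef4563c7b94"))
```

Matching on the host or IP rather than the full URL is deliberate: the post notes that the download locations vary between samples, so a path-level match would miss variants that reuse the same infrastructure. For real logs, replace SAMPLE_LOG with the lines read from the proxy's access log and feed attachment names and file bytes from the mail gateway into the other two checks.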