From: PGOMEZ@polyair.co.uk
Date: 21 May 2015 at 08:58
Subject: Invoice# 2976361 Attached
Invoice Attached - please confirm..
This transmission may contain information that is privileged and strictly confidential. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.
If you received this transmission in error, please contact the sender and delete the material from any computer immediately. Thank you.
Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:
http://mercury.powerweave.com/72/11.exe
This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.
Automated analysis tools [1] [2] [3] [4] show attempted communications with the following IPs:
78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)
The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195
MD5s:
f5aee45ce06f6d9f9210ae28545a14c6
56305283d26e66b81afcbcb6f0e9b9b4
015cc26b738d313e5e7aba0c9114670e