From: "Dawn.Sandel@cef.co.uk" [Dawn.Sandel@cef.co.uk]
Subject: CEF Documents
Date: Mon, 29 Jun 2015 13:48:27 +0300
Please find attached the following documents issued by City Electrical Factors:
Invoice - BLA/176035 - DUCHMAID
If you have any problems or questions about these documents then please do not hesitate to contact us.
Regards,
Dawn Sandel
Phone: 01282 698 112
Fax: 01282 696 818
Dawn Sandel
Group Office
Nelson & Northwest Region
City Electrical Factors Limited
Tel: 01282 698 112 Fax: 01282 696 818
11 Kenyon Road, Lomeshaye Industrial Estate, Nelson, BB9 5SP
The attachment is BLA176035.doc, which contains a malicious macro. So far I have seen two different versions (analysed here by Payload Security's Hybrid Analysis [1] [2]), which download a binary from one of the following locations:
dev.seasonsbounty.com/543/786.exe
cbebay.com/543/786.exe
This executable has a detection rate of 11/55. Those analyses show the samples phoning home to the following IPs:
78.47.139.58 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
91.121.173.193 (OVH, France)
183.81.166.5 (IP ServerOne, Malaysia)
The payload is probably Dridex, but I was not able to get a copy of the DLL.
Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5
MD5s:
65520ecd513c8b8b75f601aa2e69aeef
6bb2b8dc2129ad62ba459797c8544ff3
1396d0cb86bd400f7e364d583958ac33
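To make the indicators above directly actionable, here is an added example (my own code, not part of the original post) that sweeps proxy log lines for the dropper URLs and the C2 IPs listed above, and checks a file's MD5 against the hashes. It assumes a Squid-style access log; the sample log lines, the internal client addresses and the origin IPs in them are constructed for illustration and are not from the post.

```python
"""Sweep Squid-style proxy logs for the indicators listed above.

Added example, not part of the original post. The log format and the
sample lines below are constructed; only the indicators come from the post.
"""
import hashlib
import re

# Indicators from the post above.
BLOCKLIST_IPS = {
    "78.47.139.58",
    "87.236.215.151",
    "91.121.173.193",
    "183.81.166.5",
}
DOWNLOAD_URLS = {
    "dev.seasonsbounty.com/543/786.exe",
    "cbebay.com/543/786.exe",
}
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}
MD5S = {
    "65520ecd513c8b8b75f601aa2e69aeef",
    "6bb2b8dc2129ad62ba459797c8544ff3",
    "1396d0cb86bd400f7e364d583958ac33",
}

# Squid native access.log: time elapsed client code/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (client and origin IPs are made up for the example).
SAMPLE_LOG = """\
1435585712.123    245 10.1.2.3 TCP_MISS/200 184320 GET http://dev.seasonsbounty.com/543/786.exe - HIER_DIRECT/198.51.100.7 application/x-msdownload
1435585720.456     12 10.1.2.3 TCP_MISS/200 512 CONNECT 87.236.215.151:443 - HIER_DIRECT/87.236.215.151 -
1435585730.789    301 10.1.2.9 TCP_MISS/200 9321 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
"""


def normalise_url(url):
    """Drop scheme and port and lower-case the host, so that
    'HTTP://Host:80/path' and 'host/path' compare equal.
    CONNECT requests log 'host:port' with no path; those become 'host'."""
    url = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    host, sep, path = url.partition("/")
    host = host.split(":", 1)[0].lower()
    return host + sep + path


def check_line(line):
    """Return a hit record for one log line, or None if nothing matched."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    url = normalise_url(m.group("url"))
    host = url.split("/", 1)[0]
    hits = []
    if url in DOWNLOAD_URLS:
        hits.append("dropper-url")
    elif host in DOWNLOAD_HOSTS:
        # Same host, different path: still worth a look.
        hits.append("dropper-host")
    if host in BLOCKLIST_IPS:
        hits.append("c2-ip")
    if not hits:
        return None
    return {"client": m.group("client"), "url": url, "hits": hits}


def scan(log_text):
    """Run check_line over every line and collect the hits."""
    results = []
    for line in log_text.splitlines():
        hit = check_line(line)
        if hit:
            results.append(hit)
    return results


def file_is_known(data):
    """True if the MD5 of the given bytes is one of the listed samples."""
    return hashlib.md5(data).hexdigest() in MD5S


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["hits"]))
```

Running it against the sample log flags the 786.exe download and the later CONNECT to 87.236.215.151 from the same client, which is the sequence you would expect from a machine that opened the macro. Hostname matching on the dropper domains catches re-hosted payloads that change the path; the IP blocklist is what actually covers the C2 traffic, since the second-stage DLL was not recovered here.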