The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]) and contains one of these three malicious macros [1] [2] [3].

From: "GOMEZ SANCHEZ" [postmail@bellair.net]
To:
Date: Tue, 20 Oct 2015 13:14:56 +0430
Subject: victim@victimdomain.tld

Congratulations
Print out the attachment file fill it and return it back by fax or email
Yours Sincerely
GOMEZ SANCHEZ
Analysis of the payload is pending, but it is likely to be the Dridex banking trojan. Please check back later.
MD5s:
24d9cd4caca15882dc4f142b46a16622
9a10c47dcdd28017afeec5aca2c71191
d63f6150b45227c20901ee887062d8de
UPDATE:
Sources say that the payload is Shifu, not Dridex. So far, three download locations have been identified:
ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you block traffic to that IP.
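A mailbox-side triage check for this campaign, written as an added example (it is not code from the original post): it flags a message whose Subject is the mailbox's own address, and any attachment that is an Excel file or whose MD5 matches one of the three hashes listed above. The sample message it builds is constructed and carries placeholder bytes, not the real workbook.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# MD5s given above for the three FINAL NOTIFICATION.xls variants.
KNOWN_ATTACHMENT_MD5S = {
    "24d9cd4caca15882dc4f142b46a16622",
    "9a10c47dcdd28017afeec5aca2c71191",
    "d63f6150b45227c20901ee887062d8de",
}


def triage(raw_message: bytes, mailbox_address: str) -> dict:
    """Return findings for one RFC 5322 message.

    mailbox_address is the address this mailbox receives as; the campaign
    leaves "To" empty and puts the victim's address in the Subject instead.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    findings = []
    if subject == mailbox_address.strip().lower():
        findings.append("subject is the recipient's own address")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        digest = hashlib.md5(part.get_payload(decode=True) or b"").hexdigest()
        if name.endswith(".xls"):
            findings.append(f"excel attachment: {name}")
        if digest in KNOWN_ATTACHMENT_MD5S:
            findings.append(f"attachment MD5 matches campaign IoC: {digest}")
    return {"suspicious": bool(findings), "findings": findings}


def build_sample(mailbox_address: str) -> bytes:
    """Constructed message mimicking the spam above (placeholder attachment)."""
    msg = EmailMessage()
    msg["From"] = '"GOMEZ SANCHEZ" <postmail@bellair.net>'
    msg["Subject"] = mailbox_address
    msg.set_content("Congratulations\nPrint out the attachment file fill it "
                    "and return it back by fax or email\n")
    msg.add_attachment(b"constructed placeholder, not a real workbook",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="FINAL NOTIFICATION.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("victim@victimdomain.tld"), "victim@victimdomain.tld"))
```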