From: Debbie BarrettThe attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.
Date: 12 May 2015 at 11:14
Subject: ATTN: Outstanding Invoices - [4697E0] [April|May]
Dear anthony,
Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.
Kind regards
First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu
Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.
This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.
There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D8
20AEB9ECEBC26B3CDE960728E890F904
33A8CBE7B75B20B5EA1069E3E2A13D80
3973E29F7BDC7903FFCB596B10F9FD54
7019D711AE0E2FEDEE25EAA3341CFB7F
949816F4DF724E690690B3C8AD3871D4
9CDEFFBAC7B79302D309404E6F3068C4
B5C2393D44D8E0C94D04E2D159AE8776
B84D52F59AEC53B8D7FA109D256FCB6B
CA5E8A531A8EE24B15FC7B2A66502042
E99216D829C632DF24ECAD9162AF654C
EC1AD4316DBA799EF2E2440E715CD5F5
F4B5B0AE85F27E0A475BD359F5BE76E8
F666682D638FE67607DD189705844AD5
The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C015
9AFECFAA484C66F2DD11F2D7E9DC4816
838F0A8D3FCBD0DDB2F8E8D236D17957
Recommended blocklist:
92.63.88.0/24
46.36.217.227