For example:

From: Ieuan James
Date: 8 January 2015 at 07:25
Subject: invoice EME018.docx

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
name="invoice EME018.doc";
x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
filename="invoice EME018.doc"
Content-Transfer-Encoding: base64
[snipped for clarity]

Some assembly is required with this malware: decoding the Base64 section yields one of two different Word documents, each with a VirusTotal detection rate of just 1/56 [1] [2]. These malicious documents contain one of two macros [1] [2] [pastebin] that download an additional component from one of the following locations:
http://ecovoyage.hi2.ro/js/bin.exe
http://mateusz321.cba.pl/js/bin.exe
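The "assembly" step above, decoding the Base64 attachment out of the raw message and triaging it, is easy to script. The following is an added example and is not code from the original post: the message is a constructed stand-in with the same MIME layout as the sample (the sender address is hypothetical), and the attachment is a placeholder with OLE2 header bytes rather than the real malicious document. It decodes every part that carries a filename, classifies the content by magic bytes instead of by extension, hashes it for a VirusTotal lookup, and flags the subject/attachment extension mismatch visible in the sample (the subject says .docx, the attachment is a legacy .doc). The VBA check is a crude string heuristic, not a macro parser.

```python
import base64
import email
import hashlib
from email import policy

# Magic bytes that tell the two Word container formats apart.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML .docx (a zip archive)
# OLE directory entry names are stored as UTF-16LE; a "VBA" storage name is a
# crude hint that the document carries macros (olevba does this properly).
VBA_STORAGE_HINT = "VBA".encode("utf-16-le")

# Constructed placeholder attachment: OLE2 header bytes plus a fake VBA storage
# name. It is NOT the real document from the spam run.
FAKE_DOC = OLE2_MAGIC + b"\x00" * 56 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8

# Constructed message with the same MIME layout as the sample above; the sender
# address is hypothetical and the Base64 body is the placeholder document.
SAMPLE_EML = (
    "From: invoice@example.invalid\r\n"
    "Date: Thu, 8 Jan 2015 07:25:00 +0000\r\n"
    "Subject: invoice EME018.docx\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="Apple-Mail-TESTBOUNDARY"\r\n'
    "\r\n"
    "--Apple-Mail-TESTBOUNDARY\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "Please find the invoice attached.\r\n"
    "--Apple-Mail-TESTBOUNDARY\r\n"
    'Content-Type: application/msword; name="invoice EME018.doc"\r\n'
    'Content-Disposition: attachment; filename="invoice EME018.doc"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(FAKE_DOC).decode("ascii") + "\r\n"
    "--Apple-Mail-TESTBOUNDARY--\r\n"
)


def sniff_format(data: bytes) -> str:
    """Classify the decoded attachment by its leading bytes, not its extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def extract_attachments(raw: str) -> list:
    """Walk the MIME tree and decode every non-multipart part that has a filename."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        data = part.get_payload(decode=True)   # undoes the Base64 transfer encoding
        found.append({
            "filename": filename,
            "declared_type": part.get_content_type(),
            "format": sniff_format(data),
            "vba_hint": VBA_STORAGE_HINT in data,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),   # hash to look up on VirusTotal
        })
    return found


def triage(raw: str) -> list:
    """Return human-readable warning strings for the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    warnings = []
    for att in extract_attachments(raw):
        name = att["filename"].lower()
        if subject.endswith(".docx") and name.endswith(".doc"):
            warnings.append(f"subject advertises .docx but attachment is {att['filename']}")
        if name.endswith(".docx") and att["format"] == "ole2":
            warnings.append(f"{att['filename']} has a .docx name but OLE2 (.doc) content")
        if att["format"] == "ole2" and att["vba_hint"]:
            warnings.append(f"{att['filename']} contains a VBA storage name (macro likely)")
    return warnings


if __name__ == "__main__":
    for att in extract_attachments(SAMPLE_EML):
        print(att["filename"], att["format"], att["size"], att["sha256"])
    for w in triage(SAMPLE_EML):
        print("WARNING:", w)
```

Run it against a saved .eml instead of SAMPLE_EML to get the SHA-256 of the real attachment; the hash, not the filename, is what to search for on VirusTotal, since the same lure is sent with several different documents.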
This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55. The Malwr report for this shows that it connects to:
http://74.208.11.204/
http://129.215.249.52/qZXI6nYL8NLtqX6%3DZ/@mF6s4lFjMN4JSfB%2CVPutSGtX/6Ww_r5R%3FlP_ce2A
http://78.140.164.160/LL7yk@O6E/Qyiy/6yz%3Dzs18r/s4$rV
It also queries several other hosts, so it appears to attempt to call home to:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
129.215.249.52 (Edinburgh University, UK)
78.140.164.160 (Webazilla, US)
37.1.208.21 (3NT Solutions LLP aka inferno.name, UK)
86.156.238.178 (BT, UK)
In addition, the Malwr report says that a malicious DLL is dropped with a detection rate of 2/56.
Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178
I also suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight, and I would very strongly recommend blocking the entire 37.1.208.0/21 range.
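Turning the blocklist above into something usable, as an added example that is not part of the original post: the code folds the single addresses into the recommended 37.1.208.0/21 range where they overlap, renders firewall rules, and checks URLs, host:port pairs or bare addresses against the list. The proxy log lines are constructed in a made-up format purely to exercise the matcher; the URLs and addresses in them are the ones reported above. Note that the two download URLs are hostnames, so an IP blocklist does nothing for them until they are resolved; block those by name at the DNS or proxy layer.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators from the write-up above, plus the recommended /21.
BLOCKLIST = [
    "59.148.196.153",
    "74.208.11.204",
    "129.215.249.52",
    "78.140.164.160",
    "37.1.208.21",
    "86.156.238.178",
    "37.1.208.0/21",   # whole 3NT Solutions / inferno.name range
]

# Constructed proxy log lines (timestamp, client, method, target) for testing.
PROXY_LOG = [
    "2015-01-08T07:31:02Z host1 GET http://ecovoyage.hi2.ro/js/bin.exe",
    "2015-01-08T07:31:09Z host1 GET http://129.215.249.52/qZXI6nYL8NLtqX6%3DZ/@mF6s4lFjMN4JSfB%2CVPutSGtX/6Ww_r5R%3FlP_ce2A",
    "2015-01-08T07:31:11Z host1 CONNECT 37.1.208.99:443",
    "2015-01-08T07:31:15Z host2 GET http://www.example.com/",
]


def compile_blocklist(entries) -> list:
    """Parse single IPs and CIDRs, then drop entries already covered by a wider range."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def target_host(target: str) -> str:
    """Pull the host out of a URL, a host:port pair, or a bare address."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    # one colon means host:port; anything else is returned untouched
    return target.rsplit(":", 1)[0] if target.count(":") == 1 else target


def first_hit(target: str, nets):
    """Return the blocklist network covering the target's IP, or None.

    Hostnames return None: they need DNS/proxy blocking, not an IP rule.
    """
    try:
        addr = ipaddress.ip_address(target_host(target))
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


def scan_log(lines, nets) -> list:
    """Return (line, matched_network) pairs for the constructed log format above."""
    hits = []
    for line in lines:
        target = line.split()[-1]
        net = first_hit(target, nets)
        if net:
            hits.append((line, net))
    return hits


def iptables_rules(nets, chain="OUTPUT") -> list:
    """Render one DROP rule per collapsed network."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in nets]


if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST)
    for rule in iptables_rules(nets):
        print(rule)
    for line, net in scan_log(PROXY_LOG, nets):
        print("HIT", net, "<-", line)
```

After collapsing, 37.1.208.21 disappears as a separate entry because the /21 already covers it, which is exactly the point of blocking the range rather than the single address: the next campaign from the same provider will use a neighbouring IP.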
For researchers, a copy of all the files is available here, password is infected.