Subject: Your Sage subscription invoice is ready
From: "noreply@sagetop.com" [noreply@sagetop.com]
Date: Thu, August 24, 2017 8:49 pm
Dear Customer
Your Sage subscription invoice is now ready to view.
Sage subscriptions
To view your Sage subscription invoice click here
Got a question about your invoice?
Call us on 0845 111 6604
If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787
Kind Regards
The Sage UK Subscription Team
Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.
The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.
helpmatheogrow.com/SINV0709.rar
hendrikvankerkhove.be/SINV0709.rar
heinverwer.nl/SINV0709.rar
help.ads.gov.ba/SINV0709.rar
harvia.uz/SINV0709.rar
The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:
go-coo.jp/HygHGF
hausgerhard.com/HygHGF
hausgadum.de/HygHGF
bromesterionod.net/af/HygHGF
hartwig-mau.de/HygHGF
hecam.de/HygHGF
haboosh-law.com/HygHGF
hbwconsultants.nl/HygHGF
hansstock.de/HygHGF
heimatverein-menne.de/HygHGF
Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to 46.183.165.45/imageload.cgi (Reg.Ru, Russia)
Recommended blocklist:
46.183.165.45