From: Adobe Billing [billing@adobe.com]
Date: 20 October 2014 11:33
Subject: Adobe Invoice
Adobe(R) logo
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.
Attached is your copy of the invoice.
Thank you for your purchase.
Thank you,
The Adobe Team
Adobe Creative Cloud Service
Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners.
© 2014 Adobe Systems Incorporated. All rights reserved.
Attached is a malicious Word document, adb-102288-invoice.doc, which has a VirusTotal detection rate of just 1/53. The Malwr report shows that the document contains macros that try to run when it is opened. If macros are enabled, the macro downloads and executes a malicious binary from http://pro-pose-photography.co.uk/fair/1.exe, which also has a pretty poor detection rate of 2/53.
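A quick way to triage an attachment like this one before anyone enables macros is to check whether the .doc even contains a VBA project. The following is an added example (not from the original post or from Malwr/VirusTotal): it checks the OLE2 Compound File magic and scans for the UTF-16LE directory-entry names a VBA project leaves behind ("Macros" storage, "_VBA_PROJECT" stream). The sample "document" it builds is constructed for the demonstration and is not the real adb-102288-invoice.doc; the heuristic does not extract or decompress the macro code, which is what oletools/olevba would do on a real sample.

```python
"""Heuristic check for VBA macros in an OLE2 (.doc) file.

Added example, not from the original post. Checks the Compound File magic
and scans for macro-related directory-entry names stored as UTF-16LE.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names are stored as UTF-16LE inside a Compound File.
VBA_MARKERS = {name: name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")}


def is_ole(data: bytes) -> bool:
    """True if the blob starts with the OLE2 / Compound File signature."""
    return data[:8] == OLE_MAGIC


def vba_markers_found(data: bytes):
    """Sorted names of macro-related directory entries present in the blob."""
    return sorted(name for name, raw in VBA_MARKERS.items() if raw in data)


def triage_doc(data: bytes) -> dict:
    """Verdict for an unsolicited 'invoice' attachment: any VBA marker
    is enough to quarantine it for manual analysis."""
    ole = is_ole(data)
    markers = vba_markers_found(data) if ole else []
    if markers:
        verdict = "quarantine: VBA project present"
    elif ole:
        verdict = "no macro markers"
    else:
        verdict = "not an OLE2 file"
    return {"ole": ole, "markers": markers, "macros": bool(markers), "verdict": verdict}


def directory_entry(name: str, entry_type: int) -> bytes:
    """Constructed 128-byte Compound File directory entry with only the
    name, name-length and type fields populated (real entries also carry
    CLSID, sector and size fields). Used only to build the sample below."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[0:len(raw)] = raw
    struct.pack_into("<H", entry, 64, len(raw))  # name length incl. terminator
    entry[66] = entry_type                        # 1 = storage, 2 = stream, 5 = root
    return bytes(entry)


def build_sample_doc(with_macros: bool) -> bytes:
    """Constructed stand-in for a .doc: magic, padded 512-byte header and a
    directory. Not a loadable document, just enough to exercise the check."""
    header = OLE_MAGIC.ljust(512, b"\x00")
    entries = [directory_entry("Root Entry", 5), directory_entry("WordDocument", 2)]
    if with_macros:
        entries += [directory_entry("Macros", 1), directory_entry("_VBA_PROJECT", 2)]
    return header + b"".join(entries)


if __name__ == "__main__":
    for label, blob in (("macro doc", build_sample_doc(True)),
                        ("clean doc", build_sample_doc(False)),
                        ("pdf", b"%PDF-1.4 constructed sample")):
        print(label, triage_doc(blob))
```

On a real sample, replace the constructed blob with `open(path, "rb").read()`; a hit on "_VBA_PROJECT" in a file that claims to be an invoice is reason enough to block it at the gateway, regardless of what VirusTotal says.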
According to the Malwr report, this binary then reaches out to the following URLs:
http://62.75.182.94/66mAzAj8ko%2Ch$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26
http://208.89.214.177/xWmWEs0Br+3%26KH0/ES$B6JR%2C+j3K2./%20SB
http://208.89.214.177/6ly5iKYr&q$%2CIYA/9Y8STPqNxu/j2hfMb6S
http://208.89.214.177/O4tHj8hw9RA~P%3FkB69agw.ksFx_&ce@%2DV%24/%2BSUq%2DBP$%24zqFH.O%2BRg%20%20/T%2D
http://208.89.214.177/yr3=E~SS+/%2Df7Y.OZk3M/~Ww6A3~33YQ%24UT%3D
The IPs in question are 208.89.214.177 (Virpus, US) and 62.75.182.94 (Intergenia, Germany).
The malware then drops another malicious binary, 2.tmp (which looks like a DLL). The VirusTotal detection rate for this is only 1/54. The Malwr report is inconclusive.
Recommended blocklist:
208.89.214.177
62.75.182.94
pro-pose-photography.co.uk
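To put the blocklist to use, the indicators above can be matched against proxy logs to find hosts that already fetched the payload or called back to the C2 addresses. The following is an added example, not part of the original post: the IPs, domain and URLs are the ones reported above, while the log format (a minimal "timestamp client method url status" layout) and the log lines themselves are constructed for the demonstration. It also confirms that every host in the reported C2 URLs is covered by the blocklist, which matters because the paths contain characters ('@', '$', '~') that sloppy parsing can trip over.

```python
"""Match the reported network IOCs against constructed proxy-log lines.

Added example, not from the original post. IOCs are the post's; the log
layout and sample lines are made up so this runs offline.
"""
from typing import Optional
from urllib.parse import urlsplit

# IOCs reported in the post
BLOCKLIST_IPS = {"208.89.214.177", "62.75.182.94"}
BLOCKLIST_DOMAINS = {"pro-pose-photography.co.uk"}
PAYLOAD_URL = "http://pro-pose-photography.co.uk/fair/1.exe"
C2_URLS = [
    "http://62.75.182.94/66mAzAj8ko%2Ch$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26",
    "http://208.89.214.177/xWmWEs0Br+3%26KH0/ES$B6JR%2C+j3K2./%20SB",
    "http://208.89.214.177/6ly5iKYr&q$%2CIYA/9Y8STPqNxu/j2hfMb6S",
    "http://208.89.214.177/O4tHj8hw9RA~P%3FkB69agw.ksFx_&ce@%2DV%24/%2BSUq%2DBP$%24zqFH.O%2BRg%20%20/T%2D",
    "http://208.89.214.177/yr3=E~SS+/%2Df7Y.OZk3M/~Ww6A3~33YQ%24UT%3D",
]


def url_host(url: str) -> Optional[str]:
    """Hostname of a full URL. The '@' and '$' in the C2 paths stay in the
    path because the authority ends at the first '/'."""
    return urlsplit(url).hostname


def host_from_log_url(url: str) -> Optional[str]:
    """Host for a logged request; CONNECT requests log only host:port."""
    if "://" in url:
        return url_host(url)
    return url.rsplit(":", 1)[0] or None


def hosts_from_urls(urls):
    """Set of hosts appearing in a list of URLs (to check blocklist coverage)."""
    return {h for h in (url_host(u) for u in urls) if h}


def host_matches(host: str, ips, domains) -> Optional[str]:
    """Reason string if host is a blocked IP, a blocked domain or one of
    its subdomains; None otherwise."""
    if host in ips:
        return "blocked ip"
    for d in domains:
        if host == d or host.endswith("." + d):
            return "blocked domain"
    return None


# Constructed sample log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2014-10-20T11:41:05 10.0.0.23 GET http://www.adobe.com/ 200
2014-10-20T11:41:09 10.0.0.23 GET http://pro-pose-photography.co.uk/fair/1.exe 200
2014-10-20T11:41:12 10.0.0.23 GET http://62.75.182.94/66mAzAj8ko%2Ch$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26 200
2014-10-20T11:41:13 10.0.0.23 CONNECT 208.89.214.177:443 200
2014-10-20T11:42:00 10.0.0.31 GET http://cdn.pro-pose-photography.co.uk/x 404
2014-10-20T11:42:30 10.0.0.31 GET http://example.org/ 200
"""


def match_log(text: str, ips=BLOCKLIST_IPS, domains=BLOCKLIST_DOMAINS):
    """Return one hit per log line whose destination is on the blocklist.
    A fetch of the exact payload URL is called out separately because that
    client almost certainly ran the macro."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, _status = parts[:5]
        host = host_from_log_url(url)
        if host is None:
            continue
        reason = host_matches(host, ips, domains)
        if reason is None:
            continue
        if url == PAYLOAD_URL:
            reason = "payload download"
        hits.append({"line": n, "client": client, "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    uncovered = hosts_from_urls(C2_URLS) - BLOCKLIST_IPS
    print("C2 hosts not on blocklist:", uncovered or "none")
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

The subdomain match is deliberate: blocking only the exact hostname would miss a later campaign that reuses the compromised site under a different label, and on a proxy the cost of a wildcard block on a compromised photography site is negligible.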