From: District Court
Date: 22 October 2015 at 19:03
Subject: Notice to Appear
Notice to Appear,
This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Michael Newell,
District Clerk.
Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js which looks like this [pastebin]. This obfuscated script translates into something a bit more understandable which clearly references the following domains:
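As an added example (not code from the original post), the following Python check does what a mail gateway or analyst script could do with such an attachment: list the members of the zip without extracting or running them, and flag any script file, in particular one carrying a disguising document extension such as `.doc.js`. The sample zip and placeholder contents are constructed here for the demonstration.

```python
import io
import zipfile

# Extensions Windows executes on double-click via the script host or shell.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat"}
# Document extensions used as the "inner" extension to disguise a script.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def classify_member(name):
    """Return 'disguised-script' for names such as Notice_to_Appear_00800614.doc.js
    (document extension followed by a script extension), 'script' for a bare
    script file, or None for anything else."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or "." + parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
        return "disguised-script"
    return "script"


def scan_zip_attachment(data):
    """Inspect a zip attachment's member names only (nothing is extracted or run)
    and return {member: verdict} for every script-like member."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict = classify_member(info.filename)
                if verdict:
                    findings[info.filename] = verdict
    except zipfile.BadZipFile:
        # A corrupt or non-zip attachment is itself worth a closer look.
        findings["<invalid zip>"] = "unreadable"
    return findings


def build_sample_zip(member):
    """Constructed test input: a zip holding an inert placeholder under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// placeholder text, not the real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("Notice_to_Appear_00800614.doc.js")
    print(scan_zip_attachment(sample))
```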
www.flowarrior.com
www.abama.org
littlefacesofpanama-association.com
The Hybrid Analysis report shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55 (possibly Cridex). It references the following IPs as being highly suspect:
91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)
A large number of IPs are queried according to that report.
I have not had the chance to check those individual IP addresses, but I recommend that you block the following two at least:
91.121.108.77
78.24.220.229
UPDATE 26/10/15:
A slightly revised version of this is circulating:
Notice to Appear,
This is to inform you to appear in the Court on the November 03 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.
You can review complete details of the Court Notice in the attachment.
Yours faithfully,
Nathan Andrews,
District Clerk.
The attachment is Notice_to_Appear_000314661.zip which contains a file Notice_to_Appear_000314661.doc.js which has a VirusTotal detection rate of 14/55. According to this Hybrid Analysis report it contacts a LOT of IPs, but these in particular should be blocked:
67.199.5.184 (CrystalTech Web Hosting, US)
78.24.220.229 (TheFirst-RU, Russia)
189.131.94.156 (UniNet, Mexico)
74.10.19.66 (Knox Attorney Service Inc., US)
The following files are dropped (VT reports) [1] [2] [3]
Recommended blocklist:
67.199.5.184
78.24.220.229
189.131.94.156
74.10.19.66