This fake document scan does not come from
New Hope Specialist Care but is instead a simple forgery with a malicious attachment:
From "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]
Date Tue, 24 Nov 2015 07:11:00 -0300
Subject Scan as requested
Regards
Paulette Riley
Administrator
New Hope Specialist Care Ltd
126 Brook Road
Oldbury
West Midlands
B68 8AE
tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104
* PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL *
This is an email from New Hope Specialst Care Ltd. The information contained
within this message is intended for the addressee only and may contain
confidential and/or privilege information. If you are not the intended
recipient you may not peruse, use, disseminate, distribute or copy this
message. If you have received this message in error please notify the sender
immediately by email or telephone and either return or destroy the original
message. New Hope Specialsit Care Ltd accept no responsibility for any
changes made to this message after it has been sent by the original author.
The views contained herein do not necessarily represent the views of New
Hope Specialist Care Ltd This email or any of its attachments may contain
data that falls within the scope of the Data Protection Acts. You must
ensure that handling or processing of such data by you is fully compliant
with the terms and provisions of the Data Protection Act 1984 and 1988
---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com
Attached is a file
20151009144829748.doc of which I have seen two versions (VirusTotal results
[1] [2]) and which contain a macro
like this [pastebin].
Analysis of these documents is pending, but the payload is likely to be the Dridex banking trojan.
Frustratingly, it looks like the web host has suspended
newhopecare.co.uk which is not helpful in these circustances, as it stops the victim company from posting a warning.
UPDATE
These two Hybrid Analysis reports
[1] [2] show a download from the following locations:
www.costa-rica-hoteles-viajes.com/~web/7745gd/4dgrgdg.exe
janaduchanova.wz.cz/7745gd/4dgrgdg.exe
This has a VirusTotal detection rate of
4/55. That VT analysis and this
Malwr analysis and these two Hybrid Analysis reports
[1] [2] show network traffic to:
157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic)
MD5s:
06c1c0a6d5482b93737f9ce250161b82
3368d7d4f48d291ee0f4ae7c81dd73a6
15fcf405b726379c6efabc89d6e0ceac
Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153