From: Kelley SmallThe sender's name is randomly generated, for example:
Date: 17 December 2015 at 08:39
Subject: 12/16 A Invoice
Hi,
Please find attached a recharge invoice for your broadband.
Many thanks,
Kelley Small
Harris Page
Leonel Kramer
Gracie Fuentes
Earlene Aguirre
Jerri Whitfield
Art Keith
Freeman Gregory
Moses Larson
Leanna Fletcher
There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2] [3] [4] [5] [6] [7]). Detection rates are close to zero.
The Malwr reports for those documents is a mixed bag [1] [2] [3] [4] [5] [6] [7] is a mixed bag, but overall they spot data being POSTed to:
179.60.144.18/chicken/bacon.php
91.203.5.169/chicken/bacon.php
Sources tell me there is another download location of:
195.191.25.145/chicken/bacon.php
Those IPs are likely to be malicious and belong to:
179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)
They also GET from:
savepic.su/6786586.png
A file karp.exe is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with:
80.96.150.201 (SC-Nextra Telecom SRL, Romania)
It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.
MD5s:
1FBF5BE463CE094A6F7AD345612EC1E7
69F7AFB14E0E6450C4D122C53365A048
1A4048FA8B910CE6620A91A630B32CF6
7034285D8AA1EC84CFDFF530069ECF77
E0019B311E0319AB3C79C5CDAF5A067D
D08BC2E90E6BB63FB4AEBA63C0E298F4
3ED7EDC00C2C62548B83BCDAAA43C47A
B9D135801A8008EA74584C3DEB1BE8D4
Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145
savepic.su
UPDATE 12/1/16
The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.