From: aalabels [customercare97125@aalabels.com]
Date: 2 February 2016 at 07:06
Subject: Order Dispatch: AA207241
Order Dispatch Confirmation
Dear Customer,
This email is to confirm that your order number AA207241 has been dispatched from our warehouse today and your order will be with you the following working day.
Your order has been dispatched via DPD and your order tracking number is 1160173211.
A VAT invoice for your order has been attached in pdf format for your reference.
Code        Product Name                                                                Qty    QS     QB   No of Packs
AAS021WTP   Matt White - Permanent A4 Sheet Labels - 21 Rectangle - 63.5 mm x 38.1 mm   1000   1000   0    10
QS: Quantity Shipped
QB: Quantity Backed
If you need to contact us about this order then please call our customer care team on 01733 588 390 or email customercare@aalabels.com
Thank you for your order.
Kind regards,
AA Labels
www.aalabels.com
23 Wainman Road
Woodston
Peterborough
PE2 7BU
United Kingdom
Phone: 01733 588390
Fax: 01733 425106
The sender's email address and details will vary from email to email; however, they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc, which comes in at least three different versions (VirusTotal results [1] [2] [3]). These Malwr reports [4] [5] [6] show the macro in the documents downloading from one of the following locations:
timestyle.com.au/5h4g/0oi545gfgf.exe
hebenstreit.us.com/5h4g/0oi545gfgf.exe
fillingsystem.com/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/52. That VirusTotal result and those Malwr reports show it phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I would strongly recommend blocking traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range with no ill effects.
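As an added example (not part of the original post), the following script turns the indicators above into a check you can run over proxy or firewall logs before deciding between blocking the single IP and the whole /22. It matches the three download URLs by host and by path (the path is the same on all three hosts, so it is also worth matching on its own), the C2 address exactly, and anything else in 91.239.232.0/22, and it emits iptables drop rules for the chosen range. The space-separated log format and the sample lines, including the source addresses and the resolved destination addresses, are constructed for illustration and are not from the post.

```python
"""Match log lines against the indicators quoted in the post.

Added example: the log format and the sample lines below are assumptions,
constructed for illustration; only the indicator values come from the post.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted in the post.
DOWNLOAD_URLS = {
    "timestyle.com.au/5h4g/0oi545gfgf.exe",
    "hebenstreit.us.com/5h4g/0oi545gfgf.exe",
    "fillingsystem.com/5h4g/0oi545gfgf.exe",
}
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}
DOWNLOAD_PATH = "/5h4g/0oi545gfgf.exe"      # identical on all three hosts
C2_IP = ipaddress.ip_address("91.239.232.145")
C2_RANGE = ipaddress.ip_network("91.239.232.0/22")

# Assumed log format: "<timestamp> <src_ip> <dst_ip> <method> <full_url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)

# Constructed sample log (not real traffic). Destination IPs for the download
# hosts are placeholders from the documentation ranges.
SAMPLE_LOG = """\
2016-02-02T07:10:01Z 10.0.0.12 203.0.113.5 GET http://timestyle.com.au/5h4g/0oi545gfgf.exe
2016-02-02T07:10:04Z 10.0.0.12 91.239.232.145 POST http://91.239.232.145/
2016-02-02T07:11:30Z 10.0.0.15 91.239.233.9 GET http://example.net/
2016-02-02T07:12:00Z 10.0.0.20 198.51.100.7 GET http://example.org/index.html
2016-02-02T07:12:05Z 10.0.0.21 198.51.100.8 GET http://cdn.example.com/5h4g/0oi545gfgf.exe
"""


def classify(line):
    """Return the list of indicator names a single log line matches.

    An empty list means the line is clean; an unparseable line is reported
    as such rather than silently ignored.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    hits = []
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        hits.append("download-host")
    if url.path == DOWNLOAD_PATH:
        hits.append("download-path")
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return hits + ["bad-dst-ip"]
    if dst == C2_IP:
        hits.append("c2-ip")            # the exact address from the post
    elif dst in C2_RANGE:
        hits.append("c2-range")         # elsewhere in the /22 the post suggests blocking
    return hits


def scan(log_text):
    """Return [(line_number, hits)] for every line that matches something."""
    results = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        hits = classify(line)
        if hits:
            results.append((n, hits))
    return results


def block_rules(networks=(C2_RANGE,), chain="OUTPUT"):
    """Build iptables commands dropping outbound traffic to the given networks."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in networks]


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
    print("\n".join(block_rules()))
```

Run it against real logs by swapping `SAMPLE_LOG` for your own export (adjust `LOG_RE` to the format your proxy or firewall writes). Counting `c2-range` hits separately from `c2-ip` hits shows how much legitimate traffic, if any, a /22 block would catch before you commit to the broader rule; to block only the single address, pass `(ipaddress.ip_network("91.239.232.145/32"),)` to `block_rules`.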