From: soo.sutton77@powercentre.com
Date: 28 October 2014 11:01
Subject: INVOICE 101760 from Power EC Ltd
Please find attached INVOICE number 224244 from Power EC Ltd
The invoice number varies, as does the name of the attachment but it will be similar to INVOICE101760.doc which has a VirusTotal detection rate of 5/53. This contains this malicious macro [pastebin] which attempts to download a file from http://Riccis.homepage.t-online.de/Testseite/js/bin.exe which is currently 404ing but I believe to be the same payload as this [virustotal]. The Malwr analysis for that file shows it communicating with the following URLs:
http://62.75.184.70/T.T0gVY%26&s/=oj%26JT/LmoN$TxJ/SR%2COCs@0%26
http://116.48.157.176/EZE31=/zUtYQwx7rN.1UZ%20~a=/xe_j%2DhYKg+l%20P
http://116.48.157.176/CYJ4/oh$MI$G%24%3D/p%2Bab8GlH03sF%3F$u
http://116.48.157.176/EWvGnaBBxO%240ikV=o0ERs/vZsGSv6BuW9AESTs9fsiSJC$so/V72C
http://116.48.157.176/vA8rtgvLo~p%20pspL%2C61%3F/1rq&%2BpubuB%7Ei.Sfci2Hxp8=A4xuF/b5m%3D%20HccnqS3/9
Recommended blocklist:
62.75.184.70
116.48.157.176
UPDATE 2014-11-12
Another version of this spam is doing the rounds, very similar in nature:
From: soo.sutton@powercentre.comI have only seen one version of this with a malicious attachment 14153.DOC which has a VirusTotal detection rate of 4/55, which contains this malicious macro [pastebin] which attempts to download a component from http://fruido.de/js/bin.exe to %TEMP%\XZLNXTMSJUX.exe but fortunately that download location is not working (however, there could well be other download locations).
Date: 12 November 2014 12:57
Subject: INVOICE 224245 from Power EC Ltd
Please find attached INVOICE number 224245 from Power EC Ltd
UPDATE 2014-12-08
A further version of this spam run is under way, described here.