From: Gale BarlowThere is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57 and it contains a malicious macrowhich downloads a file from the following location:
Date: 13 February 2015 at 12:30
Subject: Remittance IN56583285
Dear Sir/Madam,
I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
Gale Barlow
Accounts Manager
4D PHARMA PLC
Boyd Huffman
Accounts Payable
GETECH GROUP
http://62.76.188.221/aksjdderwd/asdbwk/dhoei.exe
This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57, identifed as a Dridex downloader. Automated analysis tools [1] [2] [3] [4] show a variety of activities, including communications with the following IPs:
85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52 and mysteriously drops another Dridex downloader with a detection rate of 6/57. The Malwr report for that indicates there is some attempting traffic to nonexistent domains.
Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159