The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section.
From: Kang Li [mailto:joseph.zhou@hong-kee.com]
Sent: 10. juni 2015 09:35
Subject: New_Order_#056253_Hf_Constructions
Dear,
Please find attached our new order and send P/I against 50% advance payemnt
best regards
kang
An examination of the underlying PDF file shows two URLs listed:
[donotclick]designaffair.com.my/js/jss/accesslogin.php
[donotclick]perm.ly/importers-buyers-exporters
In turn these redirect to:
[donotclick]megatrading.hol.es/order/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html
[donotclick]tips-and-travel.com/~saulitoo/imgs/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html
The second URL listed 404s, but the first one is active. According to the URLquery report, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page at:
[donotclick]guest.lifevericalls.xyz/outlandish_litigant_tuners_nudeness/03737928145651311
This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort.
The "megatrading.hol.es" (hosted on 31.220.16.16 by Hostinger - VT report) landing page looks like a straightforward phish:
Entering the username and password always seems to return an error, even if you are absolutely certain the combination are correct..
I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.
Recommended blocklist:
31.220.16.16
92.222.42.183