From: reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230
Dear Sirs,
Many thanks for your card payment. Please find payment confirmation attached below.
Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
Kind Regards
Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@reed.co.uk
http://www.freewebstuff.be/34/44.exe
This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools [1] [2] [3] show traffoc to the following IPs:
136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
According the this Malwr report, it also drops a Dridex DLL with a detection rate of 18/57.
Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10
MD5s:
4270bcfa447d96ccb41e486c74dd3d16
724683fa48c498a793d70161d46c811c
ff0f01d7da2ab9a6cf5df80db7cc508a