From Harminder Saund [MinSaund77@secureone.co.uk]
Date Tue, 20 Oct 2015 16:08:53 +0700
Subject Purchase Order No: 48847
Attached is a copy of our Purchase Order number 48847
==============
Harminder Saund
Secure One
==============
The sender's email address varies slightly, for example:
MinSaund77@secureone.co.uk
MinSaund92@secureone.co.uk
MinSaund94@secureone.co.uk
MinSaund013@secureone.co.uk
Attached is a file PO_48847.DOC, of which I have seen two different versions so far (VirusTotal [1] [2]), each containing a slightly different malicious macro [1] [2]. There are probably different versions of the document with different macros.
Automated analysis is pending; however, the payload is most likely the Dridex banking trojan. Please check back for updates.
MD5s:
c6cd52b59fc772edde4df5d4058524fe
001415839b511361bc429c379892065d
UPDATE:
So far, three download locations have been identified:
ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you block traffic to that IP.
The payload has been reported to be Shifu, not Dridex.
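The indicators above (the three download URLs, the C2 hostname and IP, and the three MD5s) are the kind of thing a defender wants to sweep proxy, DNS and file-hash data for. The following is an added example, not code from the original post: it matches those indicators against a few constructed squid-style proxy lines and resolver log lines (the log formats and the client addresses are assumptions made up for the demonstration), and also flags the shared download path on any host it has not seen, since all three mirrors serve the identical path.

```python
"""Match the indicators listed in this post against proxy, DNS and file-hash data.

Added example (not part of the original post): all log lines below are
constructed for illustration; the indicators themselves are the ones quoted
in the post above.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators quoted in the post.
DOWNLOAD_URLS = {
    "ladiesfirst-privileges.com/656465/d5678h9.exe",
    "papousek.kvalitne.cz/656465/d5678h9.exe",
    "pmspotter.wz.cz/656465/d5678h9.exe",
}
C2_HOSTS = {"fat.uk-fags.top"}
C2_IPS = {"188.166.250.20"}
KNOWN_MD5S = {
    "c6cd52b59fc772edde4df5d4058524fe",  # PO_48847.DOC variant 1
    "001415839b511361bc429c379892065d",  # PO_48847.DOC variant 2
    "e4bb8a66855f6987822f5aca86060f2c",  # shhg32c.exe payload
}
# The download path is identical across the three hosts, so also match on it
# alone in case further mirrors appear that are not yet listed.
DOWNLOAD_PATH = "/656465/d5678h9.exe"

# Constructed sample log lines (squid-style proxy log and a simple resolver log).
SAMPLE_PROXY_LOG = """\
1445331000.123 10.0.0.15 TCP_MISS/200 GET http://intranet.example/index.html
1445331005.456 10.0.0.23 TCP_MISS/200 GET http://papousek.kvalitne.cz/656465/d5678h9.exe
1445331009.789 10.0.0.23 TCP_MISS/200 POST http://188.166.250.20/gate.php
1445331012.000 10.0.0.42 TCP_MISS/200 GET http://mirror.example.net/656465/d5678h9.exe
"""
SAMPLE_DNS_LOG = """\
2015-10-20T09:09:00Z client 10.0.0.23 query A fat.uk-fags.top
2015-10-20T09:09:03Z client 10.0.0.15 query A www.example.org
"""

URL_RE = re.compile(r"(https?://\S+)")
DNS_RE = re.compile(r"client (\S+) query \S+ (\S+)$")


def match_proxy_line(line):
    """Return (client_ip, reason) if the line touches a known indicator, else None."""
    m = URL_RE.search(line)
    if not m:
        return None
    url = urlparse(m.group(1))
    host = url.hostname or ""
    client = line.split()[1]  # second field is the client address in this format
    if host + url.path in DOWNLOAD_URLS:
        return client, "known payload download URL"
    if url.path == DOWNLOAD_PATH:
        return client, "payload path on unlisted host (possible new mirror)"
    if host in C2_HOSTS or host in C2_IPS:
        return client, "traffic to reported C2"
    return None


def match_dns_line(line):
    """Return (client_ip, reason) if the query is for the reported C2 hostname."""
    m = DNS_RE.search(line)
    if m and m.group(2).lower() in C2_HOSTS:
        return m.group(1), "DNS lookup of reported C2"
    return None


def scan_logs(proxy_log, dns_log):
    """Run both matchers and return a list of (client_ip, reason) hits, proxy hits first."""
    hits = []
    for line in proxy_log.splitlines():
        hit = match_proxy_line(line)
        if hit:
            hits.append(hit)
    for line in dns_log.splitlines():
        hit = match_dns_line(line)
        if hit:
            hits.append(hit)
    return hits


def md5_is_known(data):
    """True if the MD5 of the given bytes is one of the hashes listed in the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


if __name__ == "__main__":
    for client, reason in scan_logs(SAMPLE_PROXY_LOG, SAMPLE_DNS_LOG):
        print(f"{client}: {reason}")
```

Hosts that both fetched the payload and then contacted the C2 (10.0.0.23 in the constructed data) are the ones to prioritise; a hit on the shared path from an unlisted host is worth a look because the post expects further download locations to appear.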