This fake financial spam does not come from J. Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
From: "A . Baird" [ABaird@jtcp.co.uk]
Date: Mon, 18 Jan 2016 16:17:20 +0530
Subject: Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as
outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller
[cid:image001.png@01CEE6A0.2D48E1B0]
Registered in Scotland 29216
14 Carnoustie Place
Glasgow G5 8PB
Direct Dial: 0141 418 5303
Tel: 0141 429 1094
www.jtcp.co.uk
P Save Paper - Do you really need to print this e-mail?
Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.
If you can get hold of the original message, then it should be possible to locate the faulty Base64 section, which has a leading space in it. Removing the space and decoding the Base64 would generate the intended malicious message. Obviously, I don't recommend doing that unless you want to decode the malware.
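The following is an added illustration of the defect described above, not code from the original post: a harmless constructed byte string stands in for the attachment, is base64-wrapped the way a MIME body part is, and then one line is given a leading space. It shows why a strict decoder rejects the whole part (the "corrupt attachment" symptom), how an analyst can locate the offending line, and how stripping the whitespace recovers the bytes so they can be hashed and looked up or sent to a sandbox rather than opened. The sample payload, the wrapping width and the hash step are assumptions for the example.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for the attachment: harmless bytes, NOT the real
# Dridex document. It is base64-encoded and wrapped at 76 columns the way a
# MIME body part is, then one line is given a leading space to reproduce the
# defect the post describes.
SAMPLE_PAYLOAD = b"%PDF-1.4 placeholder bytes, NOT the real attachment\n" * 3


def wrap_b64(data, width=76):
    """Encode bytes as base64 and split into MIME-style lines."""
    encoded = base64.b64encode(data).decode("ascii")
    return [encoded[i:i + width] for i in range(0, len(encoded), width)]


GOOD_LINES = wrap_b64(SAMPLE_PAYLOAD)
BROKEN_LINES = list(GOOD_LINES)
BROKEN_LINES[1] = " " + BROKEN_LINES[1]   # the stray leading space

# A well-formed base64 line: alphabet characters, then at most two '=' pads.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def find_bad_lines(lines):
    """Indexes of lines containing anything outside the base64 alphabet."""
    return [i for i, line in enumerate(lines) if not B64_LINE.match(line)]


def strict_decode(lines):
    """Decode the way a strict mail client does: any stray character makes the
    whole part undecodable, which is why the attachment 'appears corrupt'.
    Returns None on failure."""
    try:
        return base64.b64decode("".join(lines), validate=True)
    except binascii.Error:
        return None


def repair_and_decode(lines):
    """Remove whitespace from every line (the fix the post mentions) and decode."""
    cleaned = "".join(re.sub(r"\s+", "", line) for line in lines)
    return base64.b64decode(cleaned, validate=True)


def sha256_hex(data):
    """Hash the recovered bytes so they can be looked up or submitted for analysis."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("bad lines:", find_bad_lines(BROKEN_LINES))        # [1]
    print("strict decode:", strict_decode(BROKEN_LINES))       # None
    recovered = repair_and_decode(BROKEN_LINES)
    print("repaired ok:", recovered == SAMPLE_PAYLOAD)         # True
    print("sha256:", sha256_hex(recovered))
```

Note that a lenient decoder (Python's `base64.b64decode` with its default `validate=False`, for instance) silently discards the space, which is why the same message can look fine in one client and corrupt in another; the strict path above is the one that matches the behaviour the post describes.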
UPDATE
A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
emirelo.com/786585d/08g7g6r56r.exe
esecon.com.br/786585d/08g7g6r56r.exe
outago.com/786585d/08g7g6r56r.exe
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers, which are worth blocking:
192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173
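As an added example (not part of the original post), here is how the indicators above can be applied to proxy logs: the download URLs, the C2 addresses and the MD5 listed in the update are loaded as sets and matched against a few constructed log lines. The log format (timestamp, client IP, method, URL, destination IP) and the destination addresses shown for the download hosts are assumptions made up for the example, not real resolutions.

```python
import hashlib
import re

# Indicators as listed in the post's update.
C2_IPS = {
    "192.232.204.53",
    "110.77.142.156",
    "216.117.130.191",
    "202.69.40.173",
}
DOWNLOAD_URLS = {
    "emirelo.com/786585d/08g7g6r56r.exe",
    "esecon.com.br/786585d/08g7g6r56r.exe",
    "outago.com/786585d/08g7g6r56r.exe",
}
PAYLOAD_MD5 = "971b9f7a200cff489ee38011836f5240"

# Constructed proxy log lines in an assumed format:
#   <timestamp> <client ip> <method> <url> <destination ip>
# The destination IPs for the download hosts are placeholders, not real resolutions.
SAMPLE_LOG = """\
2016-01-18T11:02:13Z 10.0.5.23 GET http://emirelo.com/786585d/08g7g6r56r.exe 203.0.113.10
2016-01-18T11:02:15Z 10.0.5.23 POST http://192.232.204.53:8080/ 192.232.204.53
2016-01-18T11:03:01Z 10.0.5.40 GET http://example.org/index.html 198.51.100.7
2016-01-18T11:05:44Z 10.0.5.23 POST http://110.77.142.156/ 110.77.142.156
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return (timestamp, client, [indicator names]) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, dest = m.groups()
    hits = []
    host_and_path = re.sub(r"^https?://", "", url)
    if host_and_path in DOWNLOAD_URLS:
        hits.append("dridex_download_url")
    if dest in C2_IPS:
        hits.append("dridex_c2_ip")
    return ts, client, hits


def scan(log_text):
    """All log lines that matched at least one indicator."""
    results = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            results.append(parsed)
    return results


def affected_clients(log_text):
    """Internal hosts to isolate and check for the dropped binary."""
    return {client for _ts, client, _hits in scan(log_text)}


def md5_matches(file_bytes):
    """True if a recovered file is the dropped binary named in the post."""
    return hashlib.md5(file_bytes).hexdigest() == PAYLOAD_MD5


if __name__ == "__main__":
    for ts, client, hits in scan(SAMPLE_LOG):
        print(ts, client, ",".join(hits))
    print("clients to check:", sorted(affected_clients(SAMPLE_LOG)))   # ['10.0.5.23']
```

A download hit followed by traffic to one of the C2 addresses from the same client, as in the constructed sample, is the sequence to prioritise: it suggests the dropped binary ran rather than merely being fetched.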