From Michelle Ludlow [Michelle.Ludlow@dssmith.com]So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from the following locations:
Date Wed, 27 Jan 2016 17:27:22 +0800
Subject New Order
Hi
Please see attached for tomorrow.
Thanks
Michelle Ludlow
Customer Services Co-Ordinator - Packaging Services
Packaging Division
Dodwells Road, Hinckley LE10 3BX, United Kingdom
T +44 (0)1455 892939 F +44 (0)1455 892924
michelle.ludlow@dssmith.com
www.dssmith.com
This e-mail message is intended solely for the person to whom it is addressed and
may contain confidential or privileged information. If you have received it in error,
please notify us immediately and destroy this e-mail and any attachments. In addition,
you must not disclose, copy, distribute or take any action in reliance on this e-mail
or any attachments. Any views or opinions presented in this e-mail are solely those
of the author and do not necessarily represent those of the company. E-mail may be
susceptible to data corruption, interception, unauthorised amendment, viruses and
unforeseen delays, and we do not accept liability for any such data corruption, interception,
unauthorised amendment, viruses and delays or the consequences thereof. Accordingly,
this e-mail and any attachments are opened at your own risk. DS Smith Plc, registered
in England and Wales (company number 1377658), with its registered office at 350
Euston Road, London, NW1 3AX.
vinagps.net/54t4f4f/7u65j5hg.exe
trendcheckers.com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 5/53. Those two Malwr reports and the VirusTotal report show the malware phoning home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
I strongly recommend that you block traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity.