From: mpsmobile GmbH [info@mpsmobile.de]
Date: 17 February 2016 at 12:23
Subject: Rechnung 2016-11365
Dear Sir or Madam,
Please find attached the document 'Rechnung 2016-11365' in DOC format. To view and print it, the DOC Reader is required. You can install the current version free of charge from the Internet.
Kind regards
mpsmobile Team
___________________________________
Dear Ladies and Gentlemen,
please find attached the document 'Rechnung 2016-11365' in DOC format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.
Best regards
mpsmobile GmbH
mpsmobile GmbH
Brühlstrasse 42
88416 Ochsenhausen
Tel: +49 7352 923 23 0
Fax: +49 7352 923 23-29
Email: info@mpsmobile.de
Commercial register: Amtsgericht Ulm HRB 727290
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorised copying or forwarding of this e-mail is not permitted.
Registered office: Ochsenhausen
VAT ID: DE 281079008
In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54.
According to this Malwr report, the sample attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It fetches the binary from:
feestineendoos.nl/system/logs/7623dh3f.exe?.7055475
This dropped file has a detection rate of 3/53. Analysis of the file is pending, but it is complicated by the fact that the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed.
Machines infected with Locky will display a message similar to this:
Unfortunately, the only known way to recover from this is to restore files from offline backup once the infection has been removed from the PC.
UPDATE
Another version plopped into my inbox (VT 7/54), and according to this Malwr report it downloads from:
nadeenk.sa/system/logs/7623dh3f.exe?.7055475
This variant POSTs to a server at:
46.4.239.76 (Myidealhost.com / Hetzner, Germany)
It is likely that the C2 server (identified in the previous report) is:
85.25.149.246 (PlusServer AG, Germany)
Recommended blocklist:
85.25.149.246
46.4.239.76
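The two dropper URLs above share one URI path on different compromised hosts, and the update names two IP addresses to block. As an added example (not part of the original post), this Python scan flags both in proxy logs; the Squid-style log format and the sample lines are constructed assumptions, while the path and IPs are the indicators listed above.

```python
from urllib.parse import urlsplit

# Indicators taken from the write-up above. The payload was served from two
# different compromised hosts with one identical URI path, so match the path
# rather than the host; the two IPs are the recommended blocklist.
LOCKY_PAYLOAD_PATH = "/system/logs/7623dh3f.exe"
BLOCKLIST_IPS = {"85.25.149.246", "46.4.239.76"}

# Constructed Squid-style access log lines (not from the original post):
# <timestamp> <elapsed_ms> <client_ip> <result> <bytes> <method> <url> ...
# The POST to 46.4.239.76 uses "/" because the post gives only the IP, not a path.
SAMPLE_LOG = """\
1455707000.123 210 10.0.0.12 TCP_MISS/200 312000 GET http://feestineendoos.nl/system/logs/7623dh3f.exe?.7055475 - HIER_DIRECT/198.51.100.7 application/octet-stream
1455707001.456 15 10.0.0.12 TCP_MISS/200 512 POST http://46.4.239.76/ - HIER_DIRECT/46.4.239.76 text/html
1455707002.789 120 10.0.0.33 TCP_MISS/200 8000 GET http://example.com/system/logs/report.pdf - HIER_DIRECT/203.0.113.9 application/pdf
1455707003.000 90 10.0.0.44 TCP_MISS/200 312000 GET http://nadeenk.sa/system/logs/7623dh3f.exe?.7055475 - HIER_DIRECT/203.0.113.20 application/octet-stream
"""

def classify(line):
    """Return the indicator names a single log line matches (empty list if none)."""
    fields = line.split()
    if len(fields) < 7:
        return []  # malformed or truncated line: nothing to judge
    url = urlsplit(fields[6])
    reasons = []
    # Compare the path only: the host rotates and the "?.7055475" query is noise.
    if url.path.lower() == LOCKY_PAYLOAD_PATH:
        reasons.append("locky-dropper-url")
    # Any contact with the blocklisted infrastructure, regardless of method or path.
    if url.hostname in BLOCKLIST_IPS:
        reasons.append("blocklisted-ip")
    return reasons

def scan(log_text):
    """Return (client_ip, url, reasons) for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            fields = line.split()
            hits.append((fields[2], fields[6], reasons))
    return hits

def infected_clients(log_text):
    """Internal hosts that should be isolated and checked for Locky."""
    return {client for client, _url, _reasons in scan(log_text)}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), sorted(infected_clients(SAMPLE_LOG)))
```

Matching on the path rather than the hostname catches the next compromised host serving the same dropper, which a host-only blocklist would miss.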