From: Wayne Moore [wayne44118@orionplastics.net]In this case the email was malformed and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56. Extracting the document revealed this malicious macro [pastebin] which downloads an additional component from:
Date: 8 April 2015 at 09:03
Subject: TWO UNPAID INVOICES
4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
INVOICE # 029911 DATED 1/7/15 FOR $840.80
INVOICE # 030042 DATED 1/30/15 FOR $937.00
PLEASE ADVISE WHEN YOU SENT CHECK AND TO WHAT ADDRESS
I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT
REGARDS-WAYNE
http://fzsv.de/11/004.exe
There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54. Automated analysis tools [1] [2] [3] shows it phoning home to the following IPs:
37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)
The Malwr report shows it attempting to connect to a couple a Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:
90.84.136.185
184.25.56.220
According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46
MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877