More of these today, similar to yesterday, to multiple addresses – quite often ones stolen or leaked from LogMeIn and one to an address I had used with a car hire company in the UK.
- Important information
- Need your attention
- Important notice
- Financial information
Please find attached a remittance advice, relating to a payment made to you.
Seniour Finance Assistant
We have received a payment from you for the sum of £ 720. Please would you provide me with a remittance, in order for me to reconcile the statement.
I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1835 less the £3254.00 received making a total outstanding of £ 1115. We would very much appreciate settlement of this.
As previously mentioned, we changed entity to a limited company on 1st December 2014. We are keen to close all the old accounts down, for both tax and year end reasons. We would be very grateful in your assistance in settling the outstanding.
If you need any copy invoices please do not hesitate to contact us
Please see attached the copy of the remittance.
Please can you send a revised statement so we can settle any outstanding balances.
All contained a Word attachment, in various formats:
- SHA256: 7e0c0d0ca6cdd60f690d067de166273af1c8613f4dffb42ef7abfbb47d73e826
- SHA256: 5781146c750bc5afbe88b20a0e63d40bf996f42d77b9fff9466781b2f461b9c6
- SHA256: a237937606842aa6efbb6934e219542408f474d51c732ba69f3313d79ced456e
- SHA256: c79f184ec0fa49b866e02d06589f343fae9cf4b451a06e68a3c3b0ea2e708fa6
- SHA256: 0bd881c2fb43ce058c027b4654c1b92afd29468bcf6f17a70288fed2dab9dc97
- SHA256: eb3f6a5bccfb2e39b9a0d5a1a2b496cc0b56426e35a63eb00f37fdf0cb2ceccc
- SHA256: f1c133f1354fe24a973746491813b2e5c5f8225120014e2d69625150883360b6
- SHA256: 0fb88a819fbbca7e4dd2fa3152d13b7dfbc8b3e6e07cd9dad57558f52face559
- SHA256: 428e67a8298a2303a3b8902d27706cacaabf308340590026164a82d7fc2aaf02
- SHA256: e6caf94ffbef475cce22b7fcbd3e8f84cccd268c7197510eae3dda32d72a24c0
- SHA256: 2b3b22759a8ff69ff8757aeb668449d36bccc0f59b880f3142d5764120338c1f
The Word documents contain a password-protected macro.
All the documents I tested accessed http://pastebin.com/download.php?i=wSSLkQeL, which appears to be partial macro content. Strange, given the documents appear to have slightly different content.
This in turn downloaded a file from http://18.104.22.168/bt/get1.php, which served me “crypted.120.exe”.
SHA256: 38c78da07166ef834cbd3299213e8b4a8f19cee8a3e6b55c0aea669544227f6d / Malwr Report
Two requests were also made to http://savepic.net/6835801.gif and http://savepic.net/6832729.gif
wscript was run and finally 1233211.exe (the crypted file above, renamed) was started and accessed https://22.214.171.124:3443/, which presents an SSL certificate created less than 12 hours ago (12 May 2015 13:50:30).
SSL Thumb: d7 91 8e e6 ee f0 1a 3c 71 36 de 17 5b 4f 62 eb 45 3b 09 ed
Serial Number: 00 e5 cb 9a fa 8f 04 ab 27
Shortly after, another request was made to https://126.96.36.199:4443/, which downloaded and then ran a file that then quit (probably having detected my virtual machine). Another recently created SSL certificate is used on that host (12 May 2015 13:51:41).
SSL Thumb: e6 6f f7 2a 2d 48 3b 79 92 b0 7d 68 5a b5 d3 87 29 f1 4e 31
Serial Number: 00 d8 28 ee 3e 3f 36 4d c4
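The chain in these notes (macro fetches a pastebin "raw" URL, pulls an EXE from a bare IP, then the renamed binary talks TLS to bare IPs on 3443/4443 using certificates minted hours earlier) is straightforward to express as proxy-log detection logic plus a certificate IOC check. The Python below is an added example, not code from the original post: the proxy-log format and the sample log lines are constructed for illustration (the client IPs, the second pastebin id and www.example.com are made up); the URLs, server IPs, ports, certificate dates and the two 20-byte SHA-1 thumbprints are taken from the notes above; the 24-hour freshness threshold is an assumption. Standard library only.

```python
"""Detection logic for the macro -> pastebin -> bare-IP EXE -> odd-port TLS chain.

Added example, not code from the original post. Log format and sample lines are
constructed; URLs, IPs, ports, dates and thumbprints are the ones in the notes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: macro pulls its second-stage code from a pastebin "raw"-style URL.
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/(?:download\.php\?i=|raw\.php\?i=|raw/)", re.I)
# Stage 2: payload fetched from a bare IP address rather than a hostname.
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")
# Stage 3: TLS (CONNECT) straight to a bare IP on a port other than 443.
BARE_IP_CONNECT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:(\d+)$")

CHAIN = ("pastebin_raw", "ip_download", "oddport_tls_to_ip")

# Constructed sample log: "<timestamp> <client> <method> <target> <status> <bytes>".
# 10.0.0.5 replays the full chain from the notes; 10.0.0.7 and 10.0.0.9 are noise.
SAMPLE_LOG = """\
2015-05-12T14:02:11Z 10.0.0.5 GET http://pastebin.com/download.php?i=wSSLkQeL 200 1520
2015-05-12T14:02:14Z 10.0.0.5 GET http://18.104.22.168/bt/get1.php 200 245760
2015-05-12T14:02:16Z 10.0.0.5 GET http://savepic.net/6835801.gif 200 4521
2015-05-12T14:02:20Z 10.0.0.5 CONNECT 22.214.171.124:3443 200 0
2015-05-12T14:02:41Z 10.0.0.5 CONNECT 126.96.36.199:4443 200 0
2015-05-12T14:05:00Z 10.0.0.7 GET http://pastebin.com/download.php?i=abc123 200 900
2015-05-12T14:06:00Z 10.0.0.9 CONNECT www.example.com:443 200 0
"""


def parse_line(line):
    ts, client, method, target, status, size = line.split()
    return {"ts": ts, "client": client, "method": method,
            "target": target, "status": int(status), "bytes": int(size)}


def stages_for(event):
    """Return the set of chain stages a single proxy event matches."""
    hit = set()
    if event["method"] == "GET" and PASTEBIN_RAW.match(event["target"]):
        hit.add("pastebin_raw")
    if event["method"] == "GET" and BARE_IP_URL.match(event["target"]):
        hit.add("ip_download")
    if event["method"] == "CONNECT":
        m = BARE_IP_CONNECT.match(event["target"])
        if m and m.group(1) != "443":
            hit.add("oddport_tls_to_ip")
    return hit


def find_chains(log_text):
    """Map client -> chain stages in the order first seen; clients with no hits are omitted."""
    seen = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        hits = stages_for(ev)
        for stage in CHAIN:
            if stage in hits and stage not in seen[ev["client"]]:
                seen[ev["client"]].append(stage)
    return dict(seen)


def full_chain_clients(log_text):
    """Clients that completed all three stages in order: the high-confidence alert."""
    return sorted(c for c, st in find_chains(log_text).items() if tuple(st) == CHAIN)


# SHA-1 thumbprints of the two C2 certificates (the 20-byte values printed in the notes).
C2_THUMBPRINTS = {
    "d7918ee6eef01a3c7136de175b4f62eb453b09ed",
    "e66ff72a2d483b7992b07d685ab5d38729f14e31",
}


def normalize_fingerprint(text):
    """'d7 91 8e ...' or 'D7:91:8E:...' (openssl/browser style) -> bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def cert_matches_ioc(fingerprint_text):
    fp = normalize_fingerprint(fingerprint_text)
    return len(fp) == 40 and fp in C2_THUMBPRINTS  # 40 hex digits = SHA-1; a serial is shorter


def is_freshly_issued(not_before_iso, observed_iso, max_age_hours=24):
    """True when the certificate's notBefore is within max_age_hours of the observation.
    The 24 h threshold is an assumption; the notes saw certificates under 12 h old."""
    not_before = datetime.fromisoformat(not_before_iso)
    observed = datetime.fromisoformat(observed_iso)
    return timedelta(0) <= observed - not_before <= timedelta(hours=max_age_hours)


if __name__ == "__main__":
    print("full chain:", full_chain_clients(SAMPLE_LOG))
    print("partial:", find_chains(SAMPLE_LOG))
    print("cert 1 is IOC:", cert_matches_ioc("d7 91 8e e6 ee f0 1a 3c 71 36 de 17 5b 4f 62 eb 45 3b 09 ed"))
```

The ordered three-stage match is the alert worth paging on; a lone pastebin raw fetch or a lone CONNECT to a bare IP on 4443 is only worth a hunt. Certificate age is checked separately because the thumbprints will rotate long before the pattern of freshly minted self-issued certificates on odd ports does.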