Yet more of these today. This one:
From: David Nyaruwa <firstname.lastname@example.org>
Subject: Booking Confirmation – Accumentia (16/9/15)
Attachment: Accumentia Booking (16-9-15).doc
Please find attached a proforma invoice for Accumentia’s booking of the council room on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance due by the date of the meeting.
SCI, 14-15 Belgrave Square, London, SW1X 8PS
T: +44 (0)20 7598 1536 E: mailto:email@example.com W: http://www.soci.org
SCI – where science meets business
Phenotypic Approaches in Drug Discovery, 18 March 2015, SCI, London, UK
Arrested Gels: Dynamics, Structure and Application, 23-25 March 2015, Gonville & Caius, Cambridge, UK
32nd Process Development Symposium, 25-27 March 2015, Churchill College, Cambridge, UK
Reagentless Synthesis, 1 April 2015, SCI, London, UK
For the full events listing and more information go to http://www.soci.org/Events
The attachment was “Accumentia Booking (16-9-15).doc” SHA256 08f309a099ca24a110088d9d6f386dec982c343c71989a2e77dd8ac0bb95bff2
The document contained the following 3 Macro Modules:
When the macro is run it starts with this:
Sub autoopen()
    VEeve (8.2)
End Sub
Sub VEeve(FFFFF As Long)
    KLJLGBk
End Sub
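A static triage check for this pattern, added here as an example and not code from the original post: it parses extracted VBA source, finds auto-execution entry points such as autoopen, follows the call chain through the procedures it can see, and reports the names it hands off to that are not defined in the visible text (here KLJLGBk, which lived in one of the other two modules the post does not reproduce). The sample text is the macro quoted above, embedded as a constructed string; the keyword list and the "first identifier on each line" heuristic are assumptions of this example.

```python
import re

# Constructed sample: the entry-point module quoted in the post. KLJLGBk is
# defined in a module that was not reproduced, so it should come back unresolved.
SAMPLE_VBA = """
Sub autoopen()
    VEeve (8.2)
End Sub
Sub VEeve(FFFFF As Long)
    KLJLGBk
End Sub
"""

# Procedure names Word/Excel run with no user interaction (VBA is case-insensitive).
AUTOEXEC_NAMES = {"autoopen", "autoexec", "autoclose", "autoexit",
                  "document_open", "document_close", "workbook_open"}

# Matches a Sub/Function header and captures its name and body.
PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\([^)]*\)[^\n]*\n"
    r"(.*?)^[ \t]*End\s+(?:Sub|Function)",
    re.IGNORECASE | re.MULTILINE | re.DOTALL)

# Statement-leading keywords that are not procedure calls (assumed, not exhaustive).
VBA_KEYWORDS = {"if", "then", "else", "set", "dim", "for", "next", "do", "loop",
                "while", "wend", "exit", "with", "on", "error", "resume", "goto"}

def parse_procedures(vba_src):
    """Map lower-cased procedure name -> body text for every Sub/Function."""
    return {m.group(1).lower(): m.group(2) for m in PROC_RE.finditer(vba_src)}

def first_identifiers(body):
    """Leading identifier of each statement line (heuristic for a bare call)."""
    out = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("'"):
            continue
        if line.lower().startswith("call "):
            line = line[5:].lstrip()
        m = re.match(r"(\w+)", line)
        if m and m.group(1).lower() not in VBA_KEYWORDS:
            out.append(m.group(1).lower())
    return out

def trace_autoexec(vba_src):
    """For each auto-exec entry point, follow the visible call chain and list
    the callees that are not defined anywhere in the supplied source."""
    procs, report = parse_procedures(vba_src), []
    for entry in sorted(n for n in procs if n in AUTOEXEC_NAMES):
        chain, unresolved, cur = [entry], [], entry
        while cur is not None:
            nxt = None
            for ident in first_identifiers(procs[cur]):
                if ident in procs and ident not in chain:
                    nxt = ident
                    break
                if ident not in procs:
                    unresolved.append(ident)
            if nxt:
                chain.append(nxt)
            cur = nxt
        report.append({"entry": entry, "chain": chain, "unresolved": unresolved})
    return report
```

An unresolved name at the end of an auto-exec chain is a cue that the real logic sits in another module (or is built at runtime), which is where to look next.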
The macro downloads its payload from:
Which then was saved to:
Which in turn then accessed
and then quit (I presume it detected VirtualBox).
The CnC server (22.214.171.124) is the same as being used in the Ofcom spam run earlier this morning.
Further communication after that was with:
Which then brings us back to the obamacare certificates (as seen in the Chess invoice run):
CN = trtheawa.ml
OU = obamacare
O = democracy
L = Houston
S = TX
C = US
Start date of certificate 31st July 2015 (the same date as the new domain registered under the Ofcom spam run article).