
Stories From An IT Security Professional

“You order form:[RANDOM] from 06/05/15 recived;” Attachment Analysis

f658e35585ab15728f7d3f45839fbf5c476a4870d01a4d0e76bb311a448e3065

Today I came across a rather interesting message. The mails were received with different subjects, random company names in them and random attachment names. The attachment is a Word document with the “*.doc” extension (never a good sign). A quick analysis shows that the Word document contains a Macro script which, when executed, downloads a text file from Pastebin.com.

That file in turn contains a Macro script that downloads an executable file from an IP hosted in Russia. Until 8pm CEST that file was undetected by most anti-virus scanners on VirusTotal.com, but it is now identified as Dridex, a common information-stealing trojan (e.g. also for banking credentials). The downloaded file also changes regularly during the day.

I suggest deleting the message from your inbox and running a scan with a freshly updated anti-virus scanner.

The config seems to be available on this Pastebin: http://pastebin.com/raw.php?i=N54GBRnu


Other research:

You Order Form – Word Doc Or Excel XLS Spreadsheet Malware

Automatic analysis:
https://www.virustotal.com/en/file/2e6af1212a81136b46af40bf82ddd11811dc64490336f7ce1059aa9dd3c39262/analysis/1431021886/
https://www.hybrid-analysis.com/sample/2f490740491245fcee461251879cdcea36beeff86d8008b7077ddd6f155ee4d1?environmentId=1
https://malwr.com/analysis/Mzk3MzQwMjcwNGM5NDY3NDk1YTQ4NDdmZDYyMTIwZDM/
https://malwr.com/analysis/ZmI5OTA5YzdkZDhjNGYyMDkyYzhlMzNiZjAzMjNlNTM/
https://malwr.com/analysis/ZWY3ODBjNDZlMzg0NDRlY2JiZWIwNmQ2ZWY1ZmNkMTg/

Indicators of Compromise:
http://pastebin.com/download.php?i=VTd9HVkz
http://91.226.93.14/stat/get.php
7ed69b54e08b2f9031224d7c2cb3f86d
09a2fe6c1018e31c0c6150922a37c5dd

Command and Control (C&C):
46.36.217.227:3443
159.253.20.116:4443
5.44.216.44:144
91.218.228.25:8443

Proxies:
62.109.4.230:8080
188.226.168.84:8080
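As an added example (not from the original post), here is a small Python script that checks a Squid-style proxy access log against the indicators listed above and flags clients that fetched one of the download stages and then connected to a C&C endpoint. The log format and the sample lines are assumed and constructed for this example; only the indicators come from the post.

```python
import re

# Indicators listed in the post: stage URLs, C&C endpoints and proxies.
IOC_URLS = {
    "http://pastebin.com/download.php?i=VTd9HVkz",
    "http://91.226.93.14/stat/get.php",
}
C2_ENDPOINTS = {
    ("46.36.217.227", 3443), ("159.253.20.116", 4443),
    ("5.44.216.44", 144), ("91.218.228.25", 8443),
}
PROXY_ENDPOINTS = {("62.109.4.230", 8080), ("188.226.168.84", 8080)}

# Constructed sample log (Squid native format, assumed): ts elapsed client code/status bytes method target ...
SAMPLE_LOG = """\
1431021886.120 45 10.0.0.12 TCP_MISS/200 812 GET http://pastebin.com/download.php?i=VTd9HVkz - HIER_DIRECT/198.51.100.5 text/plain
1431021890.004 30 10.0.0.12 TCP_MISS/200 261120 GET http://91.226.93.14/stat/get.php - HIER_DIRECT/91.226.93.14 application/octet-stream
1431021895.311 5 10.0.0.12 TCP_TUNNEL/200 4096 CONNECT 46.36.217.227:3443 - HIER_DIRECT/46.36.217.227 -
1431021900.000 12 10.0.0.33 TCP_MISS/200 5123 GET http://example.org/index.html - HIER_DIRECT/203.0.113.10 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)"
)

def classify(line):
    """Return (client, category, target) if the line touches an indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target = m.group("client"), m.group("method"), m.group("target")
    if method == "CONNECT":  # TLS tunnel: match on host:port, as the C&C list is given that way
        host, _, port = target.rpartition(":")
        endpoint = (host, int(port)) if port.isdigit() else None
        if endpoint in C2_ENDPOINTS:
            return (client, "c2", target)
        if endpoint in PROXY_ENDPOINTS:
            return (client, "proxy", target)
        return None
    if target in IOC_URLS:  # plain HTTP fetch of one of the two download stages
        stage = "stage1-pastebin" if "pastebin.com" in target else "stage2-payload"
        return (client, stage, target)
    return None

def scan_log(text):
    """All indicator hits in the log, in order of appearance."""
    return [h for h in (classify(l) for l in text.splitlines()) if h]

def infected_clients(text):
    """Clients that fetched a download stage and afterwards reached a C&C: the strongest signal."""
    stages, c2 = set(), set()
    for client, category, _ in scan_log(text):
        (c2 if category == "c2" else stages).add(client)
    return stages & c2
```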
