FYI...

Fake 'Amazon invoice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...necurs-botnet/
12 Dec 2017 - "... Necurs botnet has changed again today...
Update: I am informed that this is definitely Trickbot banking trojan, not ransomware, although several antiviruses are detecting it as a ransomware version. An email with the subject of 'Invoice RE-2017-12-12-00572' (random numbers after the date) pretending to come from Amazon Marketplace <lqftdwbmxYYfT@ marketplace.amazon .com> (random characters before the @) with a malicious word doc attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-co...arketplace.png

RE-2017-12-12-00572.doc - Current Virus total detections 12/59*. Hybrid Analysis**...
This malware downloads from
http ://ragazzemessenger .com/nyRhdkwSD which gave ejmaryj8.exe (VirusTotal 9/67[3]) (Hybrid Analysi[4])...
There will be loads of other download sites... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/8...is/1513080354/
RE-2017-12-12-00775.doc

** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
158.69.26.138
98.124.251.168
Contacted Hosts
98.124.251.168
158.69.26.138
67.209.219.92
179.43.147.243
95.213.237.241

3] https://www.virustotal.com/en/file/2...is/1513080273/

4] https://www.hybrid-analysis.com/samp...ironmentId=100

ragazzemessenger .com: 98.124.251.168: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/a8...4c38/analysis/