
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1231
    AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    JAVA_ADWIND telemetry

    FYI...

    JAVA_ADWIND - Trend Micro telemetry
    > http://blog.trendmicro.com/trendlabs...n-adwind-jrat/
    July 11, 2017 - "... our telemetry for JAVA_ADWIND... the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware...
    JAVA_ADWIND detections from January to June, 2017:
    > https://blog.trendmicro.com/trendlab...ind-spam-1.jpg
    ... a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:
    hxxps ://nup[.]pw/DJojQE[.]7z
    hxxp ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/9aHiCq[.]dll ...
    ... it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be -abused- to evade static analysis from traditional antivirus (AV) solutions...
    Indicators of Compromise:
    Files and URLs related to Adwind/jRAT:
    hxxp ://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
    hxxp ://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
    hxxps ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/Qcaq5e[.]jar ..."

    nup .pw: 149.210.145.237: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/9d...6033/analysis/

    employersfinder .com: 198.38.91.121: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/ff...9e9e/analysis/

    ccb-ba .adv.br: 50.116.112.205: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/71...0c44/analysis/

    Last edited by AplusWebMaster; 2017-07-11 at 23:40.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1232
    Fake 'Confidential Documents' SPAM

    FYI...

    Fake 'Confidential Documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    13 July 2017 - "An email with the subject of 'Confidential Documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsconfidential .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ents-email.png

    ... they are asking you to insert an authorisation code or password... (but) there is -no- option in this word doc to do that. The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...tected_doc.png

    Protected.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
    http ://armor-conduite .com/geroi.png which of course is -not- an image file but a renamed .exe file that gets renamed to Tizpvu.exe and autorun (VirusTotal 9/63***). An alternative download location is
    http ://kgshrestha .com.np/geroi.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1499942591/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.138.226.110
    50.19.97.123
    186.208.111.188
    82.146.94.86


    *** https://www.virustotal.com/en/file/3...is/1499942505/

    armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/ff...e1d6/analysis/

    kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/26...fcb1/analysis/


  3. #1233
    Fake 'Secure message' SPAM

    FYI...

    Fake 'Secure message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...vers-trickbot/
    14 Jul 2017 - "An email with the subject of 'Secure email message.' pretending to come from Sage Invoice but actually coming from a look-a-like domain <noreply@ sage-invoice .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ed-invoice.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...nvoice_doc.png

    SageInvoice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
    http ://ridderbos .info/sergiano.png which of course is -not- an image file but a renamed .exe file that gets renamed to Pmkzc.exe and autorun (VirusTotal 8/61***)... An alternative download location is
    http ://kgshrestha .com.np/sergiano.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1500038647/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.138.226.110
    50.19.97.123
    186.208.111.188
    82.146.94.86


    *** https://www.virustotal.com/en/file/c...is/1493725297/

    ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/91...cb3b/analysis/

    kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/da...4263/analysis/


  4. #1234
    Fake 'payment slip' SPAM

    FYI...

    Fake 'payment slip' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...a-jrat-trojan/
    18 Jul 2017 - "... an email with the subject of 'payment slip' ... pretending to come from random companies, names and email addresses with an ACE attachment (ACE files are a sort of zip file that normally needs special software to extract. Windows and winzip do not natively extract them) which delivers some malware... it has some indications of fareit Trojan. This also has a jrat java.jar file attachment...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...yment-slip.png

    > Attachments: bank detailes copy.xls.ace -and- TT COPY MBUNDU GISA 740,236 USD.jar

    bank detailes copy.xls.ace: Extracts to: bank detailes copy.xls.exe - Current Virus total detections 6/63*
    Payload Security**

    TT COPY MBUNDU GISA 740,236 USD.jar - Current Virus total detections 2/59[3]. Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1500351301/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    HTTP Traffic
    104.69.49.57

    3] https://www.virustotal.com/en/file/a...7698/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    174.127.99.198

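    The three posts above (#1232 to #1234) all lean on the same two tricks: a payload served under an image name that is really a PE file ("geroi.png" renamed to an .exe and run), and attachment names with a document extension in front of the real one ("bank detailes copy.xls.ace" extracting to "...xls.exe", a .jar dropped next to an .xls lure). The script below is an added example for triaging those cases at a mail gateway or in a sandbox post-processor; it is not code from the original posts or from myonlinesecurity.co.uk. The magic-byte table, the extension lists and the sample blobs are constructed for this example (the "PE" sample is a bare MZ stub, not a real binary).

```python
"""Attachment/payload triage: does the content match the name, and does the
name itself look like a lure? Added example; signatures and samples are
constructed here, not taken from the original posts."""
import os

# Leading byte signatures (offset 0) for the formats seen in these campaigns.
MAGIC = {
    b"MZ": "pe",                                  # DOS/PE executable (.exe/.dll/.pif)
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",                         # also .jar and .docx
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc/.xls (macro carriers)
    b"{\\rtf": "rtf",
    b"%PDF": "pdf",
}
# ACE archives carry the "**ACE**" marker at offset 7, not at offset 0.
ACE_MARKER, ACE_OFFSET = b"**ACE**", 7

EXT_TO_KIND = {
    ".png": "png", ".exe": "pe", ".dll": "pe", ".pif": "pe", ".scr": "pe",
    ".zip": "zip", ".jar": "zip", ".docx": "zip",
    ".doc": "ole", ".xls": "ole", ".rtf": "rtf", ".pdf": "pdf", ".ace": "ace",
}
EXEC_EXTS = {".exe", ".dll", ".pif", ".scr", ".com", ".jar", ".vbs", ".wsf", ".jse", ".js", ".hta"}
ARCHIVE_EXTS = {".zip", ".ace", ".7z", ".rar"}
DOC_EXTS = {".doc", ".xls", ".pdf", ".png", ".jpg", ".txt"}


def sniff(data: bytes) -> str:
    """Identify a blob from its bytes, ignoring whatever name it was served under."""
    if data[ACE_OFFSET:ACE_OFFSET + len(ACE_MARKER)] == ACE_MARKER:
        return "ace"
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def suspicious_name(filename: str) -> list:
    """Reasons the filename alone looks like a lure (double extension, script/archive types)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)   # "bank detailes copy.xls.ace" -> [..., "xls", "ace"]
    exts = ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append(f"{exts[-1]} runs code when opened")
    if exts and exts[-1] == ".ace":
        reasons.append(".ace archive: not opened natively by Windows, common in malspam")
    if len(exts) == 2 and exts[0] in DOC_EXTS and exts[1] in EXEC_EXTS | ARCHIVE_EXTS:
        reasons.append(f"double extension {exts[0]}{exts[1]} hides the real type behind a document name")
    return reasons


def triage(filename: str, data: bytes) -> dict:
    """Combine the name check with a content/extension mismatch check."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXT_TO_KIND.get(ext, "unknown")
    actual = sniff(data)
    reasons = suspicious_name(filename)
    if actual == "pe" and claimed != "pe":
        reasons.append(f"content is a PE executable although the name ends in {ext or 'nothing'}")
    elif "unknown" not in (claimed, actual) and actual != claimed:
        reasons.append(f"content is {actual} but the extension claims {claimed}")
    return {"name": filename, "claimed": claimed, "actual": actual,
            "block": bool(reasons), "reasons": reasons}


def _fake_pe() -> bytes:
    """Constructed MZ stub whose e_lfanew points at a PE signature; not a real binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3e)
    hdr[0x3c:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 16


# Constructed samples named after the lures in the posts above.
SAMPLES = {
    "geroi.png": _fake_pe(),                                   # "png" that is really an .exe
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,             # a genuine image passes
    "Protected.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24,
    "bank detailes copy.xls.ace": b"\0" * 7 + b"**ACE**" + b"\0" * 16,
    "TT COPY MBUNDU GISA 740,236 USD.jar": b"PK\x03\x04" + b"\0" * 26,
    "14407456340-60.pdf.exe": _fake_pe(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(("BLOCK " if r["block"] else "pass  ") + name, "|", "; ".join(r["reasons"]))
```

    Note what this does not catch: "Protected.doc" passes because a legacy OLE document is exactly what its name claims; the macro that fetches the PE has to be found by a separate macro/VBA inspection, which is why the posts keep repeating "do not enable macros".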

  5. #1235
    Fake blank-subject, 'Invoices', 'RFQ' SPAM, Bots - searching...

    FYI...

    Fake blank-subject SPAM - downloads Trickbot
    - https://myonlinesecurity.co.uk/trick...bject-noreply/
    18 July 2017 - "... Trickbot downloaders... from noreply@ random email addresses (all spoofed). Has a -blank- subject line and a zip attachment containing a VBS file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co..._vbs_email.png

    doc00042714507507789135.zip extracts to: doc000799723147922720821.vbs - Current Virus total detections 9/57*.
    Payload Security** shows a download of an encrypted text file from
    http ://pluzcoll .com/56evcxv? which is converted to nbVXsSxirbe.exe (VirusTotal 31/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1500373606/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    210.1.58.190
    107.20.242.236


    *** https://www.virustotal.com/en/file/4...838c/analysis/

    pluzcoll .com: 210.1.58.190: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/b5...9e51/analysis/
    ___

    Fake 'Invoices' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/multi...anking-trojan/
    19 July 2017 - "... pdf attachments that drop a malicious macro enabled word doc that delivers Trickbot...
    today we have seen 3 different campaigns and subjects all eventually leading to the same Trickbot payload..."
    ___

    Fake 'RFQ' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/spoof...s-java-adwind/
    19 July 2017 - "... emails containing java adwind or Java Jacksbot attachments...
    Screenshot: https://myonlinesecurity.co.uk/wp-co...ery-Co-Ltd.png ..."
    ___

    Bots - searching for Keys & Config Files
    - https://isc.sans.edu/diary/22630
    2017-07-19 - "... yesterday, I found a -bot- searching for... interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically leave juicy data amongst the HTML files... Each file was searched with a different combination of lower/upper case characters... This file could contain references to hidden applications (This is interesting to know for an attacker)..."
    (More detail at the isc URL above.)

    Last edited by AplusWebMaster; 2017-07-19 at 18:43.
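    For the ISC diary item above (a bot walking a web server for configuration files and private keys, trying each name in several upper/lower-case spellings), here is an added detection example that runs over access-log lines; it is not the diary's own tooling. The list of filenames, the alert threshold and the log lines are this example's own assumptions, constructed to show the behaviour described (one client hammering several sensitive names, with case variants, and in one case actually getting a 200).

```python
"""Flag clients probing a web root for config files and private keys.
Added example; the SENSITIVE list, threshold and LOG lines are constructed."""
import re
from collections import defaultdict

# Files deploy tools and webmasters tend to leave behind (assumed list; extend it).
SENSITIVE = {
    ".env", "wp-config.php", "wp-config.php.bak", "config.php", "configuration.php",
    ".git/config", ".svn/entries", ".ftpconfig", "sftp-config.json",
    ".ssh/id_rsa", "id_rsa", "server.key", "private.key", "privkey.pem", ".htpasswd",
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def sensitive_target(path: str):
    """Canonical sensitive name the request aims at, or None.
    Case-insensitive, ignores the query string and any leading directories."""
    p = path.split("?", 1)[0].lower().lstrip("/")
    for name in sorted(SENSITIVE, key=len, reverse=True):   # longest name wins
        if p == name or p.endswith("/" + name):
            return name
    return None


def scan(lines, threshold: int = 3) -> dict:
    """Group sensitive-file requests by client; report clients that probe at
    least `threshold` distinct targets, or that were actually served one."""
    hits = defaultdict(lambda: {"targets": set(), "paths": set(), "count": 0, "served": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = sensitive_target(m["path"])
        if target is None:
            continue
        h = hits[m["ip"]]
        h["count"] += 1
        h["targets"].add(target)
        h["paths"].add(m["path"].split("?", 1)[0])
        if m["status"] == "200":          # the server handed the file over: incident, not just a probe
            h["served"].append(m["path"])
    report = {}
    for ip, h in hits.items():
        if len(h["targets"]) >= threshold or h["served"]:
            report[ip] = {
                "distinct_targets": len(h["targets"]),
                "requests": h["count"],
                # extra spellings/paths for the same target, the casing trick the diary describes
                "case_variants": len(h["paths"]) - len(h["targets"]),
                "served": h["served"],
            }
    return report


# Constructed log lines: one probing bot, one ordinary visitor with a single 404.
LOG = """\
203.0.113.7 - - [19/Jul/2017:03:14:01 +0000] "GET /wp-config.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:03:14:02 +0000] "GET /WP-CONFIG.PHP HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:03:14:02 +0000] "GET /Wp-Config.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:03:14:03 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:03:14:03 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:03:14:04 +0000] "GET /sftp-config.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [19/Jul/2017:03:20:10 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.2 - - [19/Jul/2017:03:20:11 +0000] "GET /wp-config.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in scan(LOG.splitlines()).items():
        print(ip, info)
```

    The 200 on sftp-config.json is the line that matters: a deploy tool's config sitting in the web root has just been read, and the credentials in it should be treated as stolen regardless of what the other requests returned.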

  6. #1236
    Fake 'eFax', various subjects SPAM

    FYI...

    Fake 'eFax' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/efax-...anking-trojan/
    20 July 2017 - "... Trickbot malspams... an email with the subject of 'eFax message from 8473365403' – 1 page(s), Caller-ID: 44-020-3136-4931 pretending to come from eFax but actually coming from a look-a-like domain <message@ efax-download .com> with a malicious word doc attachment... they are registered via Godaddy as registrar hosted on 160.153.16.19 and the emails are sent via AS8972 Host Europe GmbH 85.93.88.109. These are registered with what are obviously -fake- details...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...spam_email.png

    ... The -link- in the email body goes to
    https ://efax-download .com/pdx_did13-1498223940-14407456340-60
    where you see page like this with-a-link to download the actual malware binary
    https ://efax-download .com/14407456340-60.zip, extracting to 14407456340-60.exe
    The page tries initially to automatically download 14407456340-60.pdf.exe (VirusTotal 3/64*).
    Payload Security**...
    > https://myonlinesecurity.co.uk/wp-co...x-download.png

    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1500552776/
    14407456340-60.pdf.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    efax-download .com: 160.153.16.19: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/7a...7ed5/analysis/
    ___

    Fake various subjects SPAM - delivers Trickbot, fake flashplayer
    - https://myonlinesecurity.co.uk/trick...tebin-adverts/
    20 July 2017 - "... Trickbot banking Trojan campaign comes in an email with varying subjects including:
    paper
    doc
    scan
    invoice
    documents
    Scanned Document
    receipt
    order
    They are all coming from random girls names at random email addresses. There is a zip attachment containing a VBS file...
    Download sites found so far are listed on:
    - https://pastebin.com/MGAVB1uz // Thanks to Racco42*

    * https://twitter.com/Racco42
    > Beware - for some reason the pastebin link is giving me -diverts- to a scumware site trying to download a -fake-flashplayer-hta-file (VirusTotal 17/58[1]) (Payload Security [2])
    https ://uubeilisthoopla .net/85123457821940/be74be7a58e47c2837f71295a31d1533/24c3df3c0fe3c937281c3d8d7427e1da.html
    which downloads
    https ://uubeilisthoopla .net/85123457821940/1500548202679984/FlashPlayer.jse
    (VirusTotal 4/58[3]) (Payload Security [4])...
    1] https://www.virustotal.com/en/file/2...is/1500548514/
    FlashPlayer.hta

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    209.126.113.203

    3] https://www.virustotal.com/en/file/0...is/1500549163/
    FlashPlayer.jse

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    209.126.113.203
    192.35.177.195


    uubeilisthoopla .net: 209.126.113.203: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/15...0942/analysis/

    Last edited by AplusWebMaster; 2017-07-21 at 12:14.

  7. #1237
    Fake 'Voice Message' SPAM, Botnet - 500,000 infected machines

    FYI...

    Fake 'Voice Message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    21 Jul 2017 - "... coming via the Necurs -botnet- is an email with the subject of 'Voice Message Attached from 01258895166' – name unavailable [random numbered] pretending to come from vm@ unlimitedhorizon .co.uk with a zip attachment...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ed-horizon.png

    01258895166_6382218_592164.zip: Extracts to: 01258861149_20170411_185381.wsf
    Current Virus total detections 2/58*. Payload Security** shows a download from
    http ://avocats-france-maroc .com/sdfgdsg1? which gave a js file (VirusTotal 7/57[3]) (Payload Security[4]) which contacts a list-of-sites and should download an encrypted text file which is converted by the js file to the Trickbot binary. However, Payload Security[4] couldn’t get anything. The sites I can see in -this- js file are:
    aprendersalsa .com/nhg67r? – artegraf .org/nhg67r? – asheardontheradiogreens .com/nhg67r?
    asuntomaailma .com/nhg67r?... It will probably be similar to an earlier Trickbot version...
    Thanks to Racco42[5] who has found the download sites and payload - PasteBin[6].
    > Caution: we have been seeing fake flashplayer downloads & diverts via malicious ads on pastebin...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1500641858/
    01258861149_20170411_185381.wsf

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    158.69.133.237

    3] https://www.virustotal.com/en/file/1...is/1500641867/
    sdfgdsg1.js

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://twitter.com/Racco42/status/888392692761284608

    6] Updated > https://t.co/eD7MtOxind

    avocats-france-maroc .com: 158.69.133.237: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/94...d9e6/analysis/

    aprendersalsa .com: 207.7.94.54: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/2e...646f/analysis/

    artegraf .org: 185.58.7.72: https://www.virustotal.com/en/ip-add...2/information/

    asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/1b...2dc5/analysis/

    asuntomaailma .com: 185.55.85.4: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Malicious Chrome extensions / Facebook fraud - more
    - https://www.helpnetsecurity.com/2017...ealthy-botnet/
    July 21, 2017 - "ESET* researchers have unearthed a botnet of some 500,000 infected machines engaged mostly in ad-related fraud by using malicious Chrome extensions, but also Facebook fraud and brute-forcing Joomla and WordPress websites..."
    * https://www.welivesecurity.com/2017/...ly-since-2012/
    20 Jul 2017 - "... a huge botnet that they monetize mainly by installing malicious browser extensions** that perform ad injection and click fraud. However, they don’t stop there. The malicious Windows services they install enable them to execute anything on the infected host. We’ve seen them being used to send a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them.
    Figure 1 shows the full Stantinko threat from the infection vector to the final persistent services and related plugins:
    > https://www.welivesecurity.com/wp-co...cs-blog-01.png
    ... Stantinko stands out in the way it circumvents antivirus detection and thwarts reverse engineering efforts to determine if it exhibits malicious behavior. To do so, its authors make sure multiple parts are needed to conduct a complete analysis. There are always -two- components involved: a loader and an encrypted component. The malicious code is -concealed- in the encrypted component that resides either on the disk or in-the-Windows-Registry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed. Moreover, Stantinko has a powerful resilience mechanism. After a successful compromise, the victim’s machine has two malicious Windows services installed, which are launched at system startup. Each service has the ability to reinstall the other in case one of them is deleted from the system. Thus, to successfully uninstall this threat, both services must be deleted at the same time. Otherwise, the C&C server can send a new version of the deleted service that isn’t detected yet or that contains a new configuration..."
    ** https://www.helpnetsecurity.com/imag...tantinko-1.jpg
    (More detail at the welivesecurity URL above.)

    (IOC's): https://github.com/eset/malware-ioc/...ster/stantinko

    Last edited by AplusWebMaster; 2017-07-21 at 23:24.

  8. #1238
    Cloud 'Config Error', Petya decryptor released

    FYI...

    Weather .com, Fusion expose Data via Google Groups Config Error
    > http://www.darkreading.com/vulnerabi...d/d-id/1329449
    7/24/2017 - "Major companies have publicly exposed messages containing sensitive information due to a user-controlled configuration error in Google Groups. Researchers at RedLock Cloud Security Intelligence (CSI) discovered Google Groups belonging to hundreds of companies inadvertently exposed personally identifiable information (PII) including customer names, passwords, email and home addresses, salary compensation details, and sales pipeline data. Internal messages also exposed business strategies, which could create competitive risk if in the wrong hands, explains RedLock*...
    * https://blog.redlock.io/google-groups-misconfiguration
    The Weather Company, the IBM-owned operator of weather .com and intellicast .com, is among the companies affected. Fusion Media Group, parent company of Gizmodo, The Onion, Jezebel, Lifehacker, and other properties made the same mistake... The companies that leaked data accidentally chose the sharing setting 'public on the Internet', which enabled -anyone- on the Web to access -all- information contained in their messages. RedLock advises all companies using Google Groups to ensure 'private' is the sharing setting** for 'Outside this domain-access to groups'. RedLock's CSI team routinely checks various cloud infrastructure tools for threat vectors, and monitors publicly available data to detect misconfigurations that could cause security incidents..."
    ** https://blog.redlock.io/hs-fs/hubfs/...upsSetting.png
    ___

    Petya decryptor for old versions released
    - https://blog.malwarebytes.com/malwar...ions-released/
    Last updated: July 25, 2017 - "Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project... Based on the released key, we prepared a decryptor that is capable of unlocking all the legitimate versions of Petya...
    WARNING: During our tests we found that in some cases Petya may -hang- during decryption, or cause some other problems potentially -damaging- to your data. That’s why, before any decryption attempts, we recommend you to make an additional backup...
    It -cannot- help the victims of pirated Petyas, like PetrWrap or EternalPetya (aka NotPetya)..."
    (More detail at the malwarebytes URL above.)

    Related:
    - https://blog.malwarebytes.com/threat...piece-package/

    - https://blog.malwarebytes.com/cyberc...alware-author/

    Last edited by AplusWebMaster; 2017-07-25 at 21:22.
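    The Google Groups exposure above is a pure sharing-setting problem, so the practical check is to pull every group's settings and flag the ones readable from outside the domain. Below is an added audit example; it is not RedLock's tooling. The audit runs over settings dicts shaped like the Google Groups Settings API's groups.get response (field names and enum values as I know that API, so verify them against the current reference before relying on the script); the groups listed inline are constructed for the example, and the fetch helper is the one assumed call that would replace them in a real run.

```python
"""Audit Google Groups for 'public on the Internet' exposure.
Added example. Field names follow the Groups Settings API (groupssettings v1)
as I know it; GROUPS is constructed sample data."""

PUBLIC_VIEW = "ANYONE_CAN_VIEW"            # the 'public on the Internet' sharing setting
PUBLIC_POST = "ANYONE_CAN_POST"


def audit_group(settings: dict) -> list:
    """Return findings for one group; an empty list means nothing is exposed."""
    findings = []
    view = settings.get("whoCanViewGroup")
    if view == PUBLIC_VIEW:
        findings.append("messages readable by anyone on the Internet (whoCanViewGroup=ANYONE_CAN_VIEW)")
        if settings.get("isArchived") == "true":
            findings.append("archive enabled, so the whole message history is exposed, not just new mail")
    if settings.get("whoCanViewMembership") == PUBLIC_VIEW:
        findings.append("member list readable by anyone on the Internet")
    if settings.get("whoCanPostMessage") == PUBLIC_POST:
        findings.append("anyone can post (spam/phishing vector into the group)")
    return findings


def audit_domain(groups: dict) -> dict:
    """groups: {group_email: settings}. Returns {group_email: findings} for exposed groups only."""
    return {email: f for email, s in groups.items() if (f := audit_group(s))}


def fetch_settings(service, group_email: str) -> dict:
    """Live retrieval with google-api-python-client (assumed call shape; the
    service comes from build('groupssettings', 'v1', credentials=...))."""
    return service.groups().get(groupUniqueId=group_email).execute()


# Constructed sample: one leaking group, one properly private, one public-post support alias.
GROUPS = {
    "sales-pipeline@example.com": {
        "whoCanViewGroup": "ANYONE_CAN_VIEW", "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
        "whoCanPostMessage": "ALL_MEMBERS_CAN_POST", "isArchived": "true",
    },
    "hr-internal@example.com": {
        "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW", "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
        "whoCanPostMessage": "ALL_MEMBERS_CAN_POST", "isArchived": "true",
    },
    "support@example.com": {
        "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW", "whoCanViewMembership": "ALL_MANAGERS_CAN_VIEW",
        "whoCanPostMessage": "ANYONE_CAN_POST", "isArchived": "false",
    },
}

if __name__ == "__main__":
    for email, findings in audit_domain(GROUPS).items():
        print(email)
        for f in findings:
            print("  -", f)
```

    The support alias is reported on purpose: accepting mail from anyone is what a support address is for, but it still deserves a line in the report so the owner confirms it was chosen rather than inherited as a default.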

  9. #1239
    Fake 'No Subject', 'Account secure documents' SPAM, BEC attacks

    FYI...

    Fake 'No Subject' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...tage-download/
    26 Jul 2017 - "Another Trickbot campaign overnight... Pretends to be a bill coming from notifications@ in.telstra .com.au.... You get a wsf file in zip to start with. That has a hardcoded single site in the file. That downloads a .js file which has 4 or sometimes 5 hardcoded urls which download an encrypted txt file that is converted by the js file to a working Trickbot binary. The name & reference number in the email is random...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...stra_email.png

    May-July2017.zip: Extracts to: QPX_ 18941124638_411385.wsf - Current Virus total detections 4/57*.
    Payload Security** downloads from dodawanie .com/?1 (or one of the other stage 2 sites listed in this pastebin[3]
    (VirusTotal 5/57[4]) (Payload Security[5]) which -cannot- examine the file because it is seen as txt. However that downloads an encrypted file from one of the stage 3 sites listed in this pastebin report[6] which is converted by the script to an .exe file (VirusTotal 17/63[7]) (Payload Security[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1501020013/
    QPX_ 18941124638_411385.wsf

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    74.125.104.72
    185.23.21.13


    3] https://pastebin.com/RvHqTC7y

    4] https://www.virustotal.com/en/file/9...is/1501026192/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100

    6] https://pastebin.com/RvHqTC7y

    7] https://www.virustotal.com/en/file/b...is/1501041870/
    C.exe

    8] https://www.reverse.it/sample/b7a7d7...ironmentId=100
    Contacted Hosts
    216.58.198.196
    216.58.198.206


    dodawanie .com: 185.23.21.13: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/62...0a84/analysis/
    ___

    Fake 'Account secure documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...vers-trickbot/
    26 Jul 2017 - "An email with the subject of 'Account secure documents' pretending to come from HSBC but actually coming from a look-alike-domain <noreply@ hsbcdocs .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan ...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ents_email.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...Advice_doc.png

    PaymentAdvice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
    https ://kartautoeskola .com/test/images/logo.png which is -not- an image file but a renamed .exe file
    that gets -renamed- to warrantyingresalesdioxide.exe and autorun (VirusTotal 1/63***) Payload Security[4]...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1501070044/
    PaymentAdvice.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/9...is/1501067853/
    vaqqamsxhmfqdrakdrchnwhcd.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    kartautoeskola .com: 69.160.38.3: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/94...fe4b/analysis/
    ___

    BEC attacks more costly than Ransomware...
    - http://www.darkreading.com/vulnerabi...d/d-id/1329414
    7/20/2017 - "... cybercriminals walked away with $5.3 billion from business email compromise (BEC) attacks compared with $1 billion for ransomware over a three-year stretch, according to Cisco's 2017 Midyear Cybersecurity Report released*...
    * https://engage2demand.cisco.com/cisc...ecurity_report
    ... Cisco's Martino says targeted cybersecurity -education- for employees can help prevent users from falling for BEC -and- ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so when the bogus-email comes across the transit of the CEO asking for a funds transfer it can be detected... Regular software patching also is crucial. When spam-laden-malware hits or ransomware attacks similar to WannaCry surfaces, the impact can be minimized... a balanced defensive and offensive posture, with not just firewalls and antivirus but -also- including measures to hunt down possible attacks through data collection and analysis..."

    Last edited by AplusWebMaster; 2017-07-26 at 19:25.

  10. #1240
    Fake 'Invoice notification' SPAM

    FYI...

    Fake 'Invoice notification' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/invoi...ivers-malware/
    27 Jul 2017 - "An email with the subject of 'Invoice notification with id number: 40533' pretending to come from random senders with a link-in-the-email to a malicious word doc delivers... malware... possibly Emotet banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...mber-40533.png

    GOCNX8263762.doc - Current Virus total detections 7/57*. Payload Security** shows a download from one of the sites listed below where a random named .exe is delivered (VirusTotal 13/62[3]) (Payload Security[4]).
    The delivery sites are all compromised sites:
    http ://petruchio .org/zbmcicj/
    http ://danjtec .it/ldcgtgkew/
    http ://radiosmile .hu/q/
    http ://ihealthcoach .net/paqdauulaq/
    http ://btsound .com/erepr/
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1501132650/
    URQTN6370102.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/9...is/1501134465/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    petruchio .org: 64.90.44.242: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/b6...ad51/analysis/

    danjtec .it: 5.135.157.47: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/df...e8d0/analysis/

    radiosmile .hu: 92.61.114.191: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/a3...0d5f/analysis/

    ihealthcoach .net: 66.59.64.111: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/8a...a823/analysis/

    btsound .com: 74.220.199.25: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/24...b72d/analysis/

    Last edited by AplusWebMaster; 2017-07-27 at 13:01.
