Well, from the look of the email below, it's probably Dridex. Which means it's probably a Word-based macro downloader.
--
Joel Esler
Manager, Talos Group

Sent from my iPhone

On Dec 25, 2015, at 3:24 AM, Al Varnell <[email protected]> wrote:

I’m a novice at signature writing, but those e-mails don’t seem to have sufficient unique content to warrant a signature based on the text. They look like simple Spam to me. Since you removed the actual malware, I have no clue what they are and how critical of a threat they might be. As Joel said, what you need to post here is the hash for the file before you zipped it.

-Al-

On Fri, Dec 25, 2015 at 12:12 AM, Walter H. wrote:

Just submitted two new samples, as I received them today;

SHA1(28.zip)= d0f18efb2d92c0528fab3736b134d5ad13d23be3
SHA1(29.zip)= b399b5c9e6e4567740825ac85754191a7648dfaa

On 25.12.2015 02:05, Al Varnell wrote:
Surely you cannot mean that all of those represent critical threats that require immediate attention from the already overworked ClamAV signature team?

what do you really think are these? just as an expanded sample the complete E-mail, where I removed the malware content; I get these regularly, and for this another way of submission -> just an E-mail-Address, where to forward these ...
-----[ 28.eml ]-----
Return-Path: <[email protected]>
Received: from storage.mail ([unix socket])
    by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
    Fri, 25 Dec 2015 03:01:35 +0100
X-Sieve: CMU Sieve 2.3
Received: from filter.mail by storage.mail (Postfix) with ESMTP id CE10B62834
Received: by filter.mail (Postfix) id C38334905
X-From-noReply-Box: yes
Delivered-To: [email protected]
Received: by filter.mail (Postfix, userid 500) id BE1B84913
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
    autolearn=no version=3.3.1
Received: from filter.mail by filter.mail (Postfix) with ESMTP id 6774F4905
Envelope-to: [email protected]
Delivery-date: Fri, 25 Dec 2015 02:03:37 +0100
Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
Received: from [81.19.149.129] (helo=mx19lb.world4you.com)
    by mail12.world4you.com with esmtp (Exim 4.76)
    (envelope-from <[email protected]>)
    id 1aCGnA-0001D7-Uf
    for [email protected]; Fri, 25 Dec 2015 02:03:36 +0100
Received: from [188.132.250.211] (helo=ns1.adanabook.com)
    by mx19lb.world4you.com with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.77)
    (envelope-from <[email protected]>)
    id 1aCGnA-0003qG-Hu
    for [email protected]; Fri, 25 Dec 2015 02:03:36 +0100
Received: by ns1.adanabook.com (Postfix, from userid 10006)
    id 1B3ED10EE07; Fri, 25 Dec 2015 04:08:11 +0200 (EET)
To: [email protected]
X-PHP-Originating-Script: 10006:post.php(5) : regexp code(1) : eval()'d code(17) : eval()'d code
Date: Fri, 25 Dec 2015 04:08:11 +0200
From: "Interfax Online" <[email protected]>
Reply-To: "Interfax Online" <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1_9d092492ac2cddaeaa628f93cbfb66a1"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 188.132.250.211
X-SA-Exim-Mail-From: [email protected]
Subject: [SPAM] You have received a new fax, document 0000471075
X-Spam-Prev-Subject: You have received a new fax, document 0000471075
X-SA-Exim-Version: 4.2.1 (built Sat, 28 Apr 2007 14:02:57 +0200)
X-SA-Exim-Scanned: Yes (on mx19lb.world4you.com)

--b1_9d092492ac2cddaeaa628f93cbfb66a1
Content-Type: text/plain; charset=us-ascii

A new fax document for you.
Please, download fax document attached to this email.

Filesize: 150 Kb
File name: scan-0000471075.doc
Scanned in: 9 seconds
Scanned at: Thu, 24 Dec 2015 17:05:33 +0300
From: Gerald Calhoun
Number of pages: 5
Quality: 300 DPI

Thank you for using Interfax!
--b1_9d092492ac2cddaeaa628f93cbfb66a1
Content-Type: application/zip; name="scan-0000471075.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=scan-0000471075.zip

#content#removed#

--b1_9d092492ac2cddaeaa628f93cbfb66a1--

-----[ 29.eml ]-----
Return-Path: <[email protected]>
Received: from storage.mail ([unix socket])
    by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
    Fri, 25 Dec 2015 08:50:07 +0100
X-Sieve: CMU Sieve 2.3
Received: from filter.mail by storage.mail (Postfix) with ESMTP id 4E24D635DA
Received: by filter.mail (Postfix) id 3799C491C
X-From-noReply-Box: yes
Delivered-To: [email protected]
Received: by filter.mail (Postfix, userid 500) id 2E66A4948
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
    autolearn=no version=3.3.1
Received: from filter.mail by filter.mail (Postfix) with ESMTP id 045E84905
Envelope-to: [email protected]
Delivery-date: Fri, 25 Dec 2015 07:21:09 +0100
Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
Received: from [81.19.149.133] (helo=mx23lb.world4you.com)
    by mail12.world4you.com with esmtp (Exim 4.76)
    (envelope-from <[email protected]>)
    id 1aCLkT-0002YU-M4
    for [email protected]; Fri, 25 Dec 2015 07:21:09 +0100
Received: from [209.239.57.35] (helo=host3.webhostingservers.net)
    by mx23lb.world4you.com with esmtp (Exim 4.77)
    (envelope-from <[email protected]>)
    id 1aCLkS-0000UT-Sq
    for [email protected]; Fri, 25 Dec 2015 07:21:09 +0100
Received: (from www@localhost)
    by host3.webhostingservers.net (8.14.3/8.12.10) id tBP5RTEW028021;
    Fri, 25 Dec 2015 00:27:29 -0500
To: [email protected]
Date: Fri, 25 Dec 2015 00:27:29 -0500
From: "Interfax Online" <[email protected]>
Reply-To: "Interfax Online" <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1_65c1451b368193580c19c5cf984dd73f"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 209.239.57.35
X-SA-Exim-Mail-From: [email protected]
Subject: [SPAM] You have received a new fax, document 00845094
X-Spam-Prev-Subject: You have received a new fax, document 00845094
X-SA-Exim-Version: 4.2.1 (built Sat, 22 Jan 2011 20:12:41 -0500)
X-SA-Exim-Scanned: Yes (on mx23lb.world4you.com)

--b1_65c1451b368193580c19c5cf984dd73f
Content-Type: text/plain; charset=us-ascii

You have received a new fax.
Please check your fax document in the attachment to this e-mail.

File name: scan-00845094.doc
Sender: Manuel Hooper
File size: 102 Kb
Resolution: 400 DPI
Scan date: Thu, 24 Dec 2015 10:20:07 +0300
Pages scanned: 6
Scan duration: 21 seconds

Thanks for using Interfax service!

--b1_65c1451b368193580c19c5cf984dd73f
Content-Type: application/zip; name="scan-00845094.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=scan-00845094.zip

#content#removed#

-Al-
--
Al Varnell
Mountain View, CA

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
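The thread turns on which hash is useful to the signature team: the hash of the file that was actually delivered (the zip attachment and the document inside it), not of the wrapper the submitter made afterwards. The script below is an added example for this thread, not code from ClamAV or from any of the posters. It parses an .eml like 28.eml above, hashes every attachment and every file inside a zip attachment, and notes two things visible in the headers: the eval()'d-PHP origin and an Office document shipped inside a zip. The message it triages is constructed in `build_sample_eml()`; the zip member is a harmless placeholder (`SAMPLE_INNER`), the addresses are `example.invalid` placeholders, and only the connecting IP and the X-PHP-Originating-Script value are reused from the headers shown above.

```python
"""Triage an .eml from a fax-themed lure: hash the attachment and what is inside it.

Added example for this thread (not ClamAV code). The sample message is
constructed: the zip holds a harmless placeholder, not the real scan-*.doc.
"""
import email
import hashlib
import io
import json
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the document inside the attachment.
SAMPLE_INNER = b"constructed placeholder, not the real document"
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate suspiciously large members
OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm", ".rtf")


def build_sample_eml() -> bytes:
    """Build a message shaped like 28.eml above, with a constructed zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scan-0000471075.doc", SAMPLE_INNER)
    msg = EmailMessage()
    msg["From"] = '"Interfax Online" <noreply@example.invalid>'  # placeholder sender
    msg["To"] = "recipient@example.invalid"                      # placeholder recipient
    msg["Subject"] = "You have received a new fax, document 0000471075"
    msg["X-SA-Exim-Connect-IP"] = "188.132.250.211"              # value from 28.eml
    msg["X-PHP-Originating-Script"] = (                          # value from 28.eml
        "10006:post.php(5) : regexp code(1) : eval()'d code(17) : eval()'d code"
    )
    msg.set_content("A new fax document for you.\n"
                    "Please, download fax document attached to this email.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan-0000471075.zip")
    return msg.as_bytes()


def hashes(data: bytes) -> dict:
    """SHA-1 (what the list was given) and SHA-256 of a blob."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage_eml(raw: bytes) -> dict:
    """Hash every attachment and every file inside zip attachments; collect notes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "subject": str(msg.get("Subject", "")),
        "connect_ip": str(msg.get("X-SA-Exim-Connect-IP", "")),
        "originating_script": str(msg.get("X-PHP-Originating-Script", "")),
        "attachments": [],
        "notes": [],
    }
    if "eval()'d code" in report["originating_script"]:
        report["notes"].append("mail generated by eval()'d PHP on the sending host")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        entry = {"filename": part.get_filename(), "size": len(data),
                 **hashes(data), "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        report["notes"].append(f"skipped oversized member {info.filename}")
                        continue
                    member = zf.read(info)  # the delivered file: this is the hash to submit
                    entry["members"].append({"name": info.filename,
                                             "size": info.file_size, **hashes(member)})
                    if info.filename.lower().endswith(OFFICE_EXT):
                        report["notes"].append(
                            f"{info.filename}: Office document in a zip, inspect for macros")
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    print(json.dumps(triage_eml(build_sample_eml()), indent=2))
```

Run it on a real .eml by replacing `build_sample_eml()` with the file's bytes. The report carries the zip's hash and the inner document's hash side by side, which is what a submission should quote; the member-size cap is there because a zip attachment is attacker-supplied input and should not be inflated unconditionally.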
