Wednesday, 24 December 2014

Rhianna Wellings Signature Invoice 44281 word document malware

More macro based malware this time from Rhianna Wellings of teckentrupdepot, whose
name and company name are being used to make the malware look a bit more genuine:

From: Rhianna Wellings
Subject: Signature Invoice 44281
Date: Wed, 24 Dec 2014 11:56:30 +0300

Your report is attached in DOC format.

To load the report, you will need the Microsoft Word reader, available to download at

The attachment is Signature Invoice.doc

Two variants so far... with VirusTotal reporting no scanners picking it up:


Sanesecurity are detecting this as:

Sanesecurity.Malware.24646.DocHeur (phish.ndb)
Sanesecurity.RogueDoc.0hr.20141224-0904 (rogue.hdb)

Decoded macro here: (pastebin)

Latest Malwr Report here: (Malwr) have put a note about the issue and updated their website:

Important Information
We are currently experiencing an IT issue where one of our email addresses has been spoofed. If you have received an email with a suspicious attachment then please delete it. You need do nothing further as we have identified the machine which is outside of our organisation and are working with them to remedy the problem. Sorry for any inconvenience.


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))



No comments: