Thursday, 11 December 2014

word doc macro malware: UK Fuels E-bill

Another day and another Word doc "invoice" containing a macro which, if run, starts downloading
malware from various servers around the globe.

The current run format is from a forged "UK Fuels" template:

From: invoices@ebillinvoice.com
To: user@xxxxxxxxxx.co.uk
Subject: UK Fuels E-bill

Customer No :        35056
Email address :         user@xxxxxxxxxx.co.uk
Attached file name :    35056_49_2014.doc


Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely

Customer Services
UK Fuels Ltd

The 35056_49_2014.doc seems to have two variants at the moment, currently detected [0/56] at VirusTotal:

Hashes:

522ec80ccddfdff0095939798d4b1a18
9e009cf97565e47506195bc05f2c3f03

Currently 0-hour detected as: Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL
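As an added defensive example (not part of Steve's post or the Sanesecurity signatures), here is a small Python triage check a mail gateway or IR script could run on an attachment: it compares the MD5 against the two hashes listed above, looks for a VBA macro storage inside a legacy OLE2 .doc, and matches the lure's sender and attachment naming. The `triage_attachment` and `_constructed_sample` names, the `<customer no>_<week>_2014.doc` pattern (generalised from the single sample name), and the raw byte search for UTF-16LE storage names are assumptions of this example; the sample bytes are constructed, not a real document.

```python
import hashlib
import re

# The two MD5s listed in the post for 35056_49_2014.doc.
KNOWN_BAD_MD5 = {
    "522ec80ccddfdff0095939798d4b1a18",
    "9e009cf97565e47506195bc05f2c3f03",
}

# Header of an OLE2 / Compound File Binary document (legacy .doc/.xls).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# CFB directory entries store stream/storage names as UTF-16LE, so a raw byte
# search for the VBA storage names is a cheap heuristic (assumption: good enough
# for triage; a full CFB parser such as olefile/oletools is the proper tool).
MACRO_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]

# Attachment naming seen in this campaign: <customer no>_<week>_2014.doc (assumed pattern).
LURE_NAME_RE = re.compile(r"^\d+_\d{1,2}_2014\.doc$", re.IGNORECASE)
LURE_SENDER = "invoices@ebillinvoice.com"


def triage_attachment(sender: str, filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like this campaign; empty list means nothing matched."""
    reasons = []
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        reasons.append(f"md5 {md5} matches a known sample")
    if data.startswith(OLE2_MAGIC) and any(marker in data for marker in MACRO_MARKERS):
        reasons.append("OLE2 document carries a VBA macro storage")
    if sender.lower() == LURE_SENDER and LURE_NAME_RE.match(filename):
        reasons.append("sender and attachment name match the UK Fuels lure")
    return reasons


def _constructed_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for a .doc: OLE2 magic plus padding, optionally a 'Macros' storage name."""
    body = OLE2_MAGIC + b"\x00" * 64
    if with_macros:
        body += "Macros".encode("utf-16-le")
    return body + b"\x00" * 64


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, triage_attachment(LURE_SENDER, "35056_49_2014.doc", _constructed_sample(flag)))
```

The hash check only catches these two samples; the macro-storage and lure checks are what catch the next re-spin of the same campaign.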

Cheers,

Steve
sanesecurity.com

2 comments:

Ian said...

Thanks for the warning post, Steve. I received one of these on my UK TalkTalk account 11/12/14.

Anonymous said...

If you opened the attached .doc, it will place an application in C:\Users\Username\AppData\Local\Temp called LNKCLHSARFL.exe.

Deleting this application should be sufficient.