Another day and another Word doc "invoice" containing a macro which, if run, will start downloading
malware from various servers around the globe.
The current run format is from a forged "UK Fuels" template:
From: invoices@ebillinvoice.com
To: user@xxxxxxxxxx.co.uk
Subject: UK Fuels E-bill
Customer No : 35056
Email address : user@xxxxxxxxxx.co.uk
Attached file name : 35056_49_2014.doc
Dear Customer
Please find attached your invoice for Week 49 2014.
In order to open the attached DOC file you will need
the software Microsoft Office Word.
If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely
Customer Services
UK Fuels Ltd
The 35056_49_2014.doc seems to have two variants at the moment, currently detected by [0/56] at VirusTotal:
Hashes:
522ec80ccddfdff0095939798d4b1a18
9e009cf97565e47506195bc05f2c3f03
Currently 0 hour detected as: Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL
Cheers,
Steve
sanesecurity.com
2 comments:
Thanks for the warning post, Steve. I received one of these on my UK TalkTalk account 11/12/14.
If you opened the attached .doc, it will place an application in C:\Users\Username\AppData\Local\Temp called LNKCLHSARFL.exe.
Deleting this application should be sufficient.