Thursday, 18 December 2014

word document malware: AquAid receipt of payment

Just now receiving a whole load of these faked AquAid invoices, each carrying an embedded macro:

From: "Tracey Smith"
Subject: Card Receipt
Date: Thu, 18 Dec 2014 09:26:42 +0200

Hi

Please find attached receipt of payment made to us today

Regards

Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone: 0121 525 4533
Fax: 0121 525 3502
Mobile: 07795328895
Email: tracey.smith@aquaid.co.uk


Two variants at the moment... VirusTotal reports:

a881b1031959d5dae6352f31b6ba2df3 (2/56)
eb6db8890657f982118699f019812fdd (1/53)

Detection:

Sanesecurity.Malware.24670.DocHeur (phish.ndb)
Sanesecurity.Rogue.0hr.20141218-0835 (rogue.hdb)

The embedded macro can be seen here (pastebin)
Malwr report can be seen here (Malwr)

One sample tries to connect to two hosts:

74.208.11.204 (USA)
81.169.156.5 (Germany)

Cheers,

Steve
Sanesecurity.com
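An added example, not code from the post or from Sanesecurity: a small Python triage script for attachments like the ones above. It computes the MD5 of each attachment and compares it with the two hashes listed in the post, then applies a cheap heuristic for an embedded VBA project: an OLE2 (.doc) file stores its stream and storage names as UTF-16LE, so a name such as `_VBA_PROJECT` appearing in the raw bytes is a strong hint that a macro project is present. It goes slightly beyond the post by also checking OOXML (.docm) files for a `word/vbaProject.bin` entry. The byte blobs at the bottom are constructed to exercise the checks and are not the real documents; the heuristic is not the Sanesecurity DocHeur signature, just a stand-in for the same idea.

```python
"""Triage e-mail attachments for embedded VBA macros and known-bad hashes.

Constructed example: the hashes come from the blog post, the sample byte
blobs below are made up to exercise the checks and are not real documents.
"""
import hashlib

# MD5s of the two sample variants reported in the post.
KNOWN_BAD_MD5 = {
    "a881b1031959d5dae6352f31b6ba2df3",
    "eb6db8890657f982118699f019812fdd",
}

# Magic bytes of an OLE2 compound file (.doc/.xls/.ppt) and of a ZIP/OOXML file.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OLE2 keeps stream/storage names as UTF-16LE in its directory sectors, so the
# raw presence of these names is a cheap (heuristic) sign of a VBA project.
OLE_VBA_MARKERS = {
    "_VBA_PROJECT": "_VBA_PROJECT".encode("utf-16-le"),
    "Macros": "Macros".encode("utf-16-le"),
    "ThisDocument": "ThisDocument".encode("utf-16-le"),
}
# OOXML (.docm) stores the macro project as a plain zip entry with this name.
OOXML_VBA_MARKER = b"word/vbaProject.bin"


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the attachment bytes, for matching against published IoCs."""
    return hashlib.md5(data).hexdigest()


def is_known_bad(md5: str) -> bool:
    """True when the hash is one of the two variants listed in the post."""
    return md5.lower() in KNOWN_BAD_MD5


def find_vba_markers(data: bytes) -> list:
    """Return the names of macro-related markers found in the file bytes."""
    if data.startswith(OLE2_MAGIC):
        return [name for name, raw in OLE_VBA_MARKERS.items() if raw in data]
    if data.startswith(ZIP_MAGIC) and OOXML_VBA_MARKER in data:
        return ["vbaProject.bin"]
    return []


def classify_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: known-bad hash, then macro heuristic, else clean."""
    digest = md5_hex(data)
    markers = find_vba_markers(data)
    if is_known_bad(digest):
        verdict = "known-bad"
    elif markers:
        verdict = "suspicious-macro"
    else:
        verdict = "clean"
    return {"filename": filename, "md5": digest, "markers": markers, "verdict": verdict}


# --- constructed samples (not real files) ---
MACRO_DOC = OLE2_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 32
PLAIN_DOC = OLE2_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le") + b"\x00" * 32
MACRO_DOCM = ZIP_MAGIC + b"\x00" * 26 + b"word/vbaProject.bin" + b"\x00" * 8
TEXT_FILE = b"Just a plain text receipt\n"

if __name__ == "__main__":
    for name, blob in [("CAR014151239.doc", MACRO_DOC), ("receipt.doc", PLAIN_DOC),
                       ("receipt.docm", MACRO_DOCM), ("receipt.txt", TEXT_FILE)]:
        print(classify_attachment(name, blob))
```

A mail gateway would run `classify_attachment` on each decoded attachment and quarantine anything other than `clean`; the string scan is deliberately lenient, so treat a `suspicious-macro` verdict as a reason to look closer, not as proof of malice.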

41 comments:

Anonymous said...

So did I about an hour ago

Anonymous said...

One of my colleagues has just received one of these also. It's a scam.

Jay said...

Thanks for this! I got this one this morning too. Figured it was a scam of some sort so didn't open the document but as the company address was legitimate and near to me it did have me second guessing.

Joe Partridge said...

I had one too. Glad I saw this

Joe Partridge said...

Me too

Anonymous said...

Received one this morning, looks credible, deleted it, thank you for alerting us

Anonymous said...

Yup, my whole company email has received this email.

Anonymous said...

I just had this as well - I deleted it but one of my colleagues opened it and the document on their phone (iPhone 5s), could this have any effect?

Kate Gardiner said...

I got one of these too this morning.

Sean said...

Sadly it's nothing new for sick individuals who attempt to pretend to represent a charitable organisation in order to wheedle their way into your system. What goes around keeps coming around. Lovely cretins.

George A. Rauscher said...

Yes... got it a few minutes ago....

George A. Rauscher

http://www.george.li

Anonymous said...

Me too, glad I saw this. Have deleted.

Anonymous said...

I had this at 8:36 today; it looked very much like a virus/malware.

Anonymous said...

Several in the company getting it this morning. This is the latest of several similar emails from differing senders received over the last few days with Microsoft Word attachments.

Anonymous said...

So did I, 8:56am GMT

NoHackz said...

I opened the attached document on my iPhone, will this have any effect?

NoHackz said...

I opened the document on my iPhone, will this have any effect?

Astra Merlin said...

Just got this email too, why are people so ugly.

Anonymous said...

This blog is wonderful, thanks!

craig hindley said...

I just had two of these, what's wrong with these amoebas

Anja Meixner said...

Thank you for this! I have received one this morning too.
However, I have tried to open it on my iPhone and iPad. Will this have an impact on my devices?

I only realised it was a scam when I got prompted with the security warning that there are macros embedded in the attachment.

Please can anyone let me know if it will have an impact on my devices, and if so what I need to do?

Thank you so much!!!

Anja Meixner said...

Thank you for posting this! I also received the email.

However, I have tried to open it on my iPhone and iPad. Will this have an impact on my devices?

I have only realised when I went over to my laptop and a message alerted me of the macros which are embedded in the attachment.

I would be very grateful if someone could let me know if that will have an impact on my devices, and if so, what do I need to do to get rid of what was installed?

Thank you so much!!!

Brian D said...

Thanks to whoever started this thread. Got the email too just now. Thank heavens we're all working to minimise the impact of these scum scammers.
To those that have opened it, run a virus scan and removal now. There are some great free ones available for all machine and mobile types. It won't be the only thing you have on there. And then, never open emails again from people you don't know or haven't subscribed to.
Keep up the good fight all!

Tim M said...

Yes, I've just received this identical email with attachment "CAR014151239.doc (130KB)" ... 18/12/14 09.59

Anonymous said...

Thanks for posting this - I just received that email.

Carole said...

Yes, me too, loads of them

mario stefani said...

Got 2 this morning, deleted even if the Avira Professional report on the attached doc was negative

Anonymous said...

I got the thing too - timed at 0753 this morning. A professional looking email too. The presence of name, address, phone no and award logos make it look much more credible than many. But as I have never ordered any water from anybody, it still didn't feel right. A quick Google, and hey presto! Thanks everyone.

Lorraine G said...

Everyone in our company also received this email this morning.

Henry R said...

I opened the file, then realised that it was probably a scam and immediately closed it. I run McAfee Internet Security on my PC; no warnings came up. Will it detect this or is it new??

Does anybody know what it does and how I can check and remove it?

Anonymous said...

In that pastebin macro:

Line 527: Downloads bin.exe from sardiniarealestate(dot)info and writes it to %TEMP%\YEWZMJFAHIB.exe

Line 1381: Executes the downloaded file

It does a few other things (Lines 638/639, 745, 853, 961), but I'm not going to deobfuscate those strings by hand.
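An added example, not from the post or from the commenter above: detection logic for the behaviour described in this comment (Word writing an executable into %TEMP% and then running it) combined with the two hosts and the download domain listed on this page, run over a handful of constructed endpoint and network events in a Sysmon-like shape. The event field names, file paths and the 203.0.113.10 address are assumptions made up for the example.

```python
"""Detection rules for an Office macro that drops and runs an executable.

Constructed example: indicator values come from the blog post and the
comment above; the event records are made up and mimic Sysmon-style
file-create, process-create and network-connection telemetry.
"""
import re

# Hosts the sample contacted (post) and the download domain (comment above).
IOC_IPS = {"74.208.11.204", "81.169.156.5"}
IOC_DOMAINS = {"sardiniarealestate.info"}

# Office binaries that should never be the parent of a process running from %TEMP%.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# "...\Temp\<anything>.exe" (or "\tmp\"), case-insensitive, at the end of a path.
TEMP_EXE = re.compile(r"\\(?:temp|tmp)\\[^\\]+\.exe$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of the detection rules that fire on one event."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        # Office process dropping an .exe under %TEMP% (the macro's download step).
        if _basename(event["process"]) in OFFICE_PROCESSES and TEMP_EXE.search(event["path"]):
            hits.append("office_wrote_exe_to_temp")
    elif kind == "process_create":
        # Office process launching that dropped .exe (the macro's execute step).
        if _basename(event["parent"]) in OFFICE_PROCESSES and TEMP_EXE.search(event["image"]):
            hits.append("office_spawned_exe_from_temp")
    elif kind == "network":
        # Direct IoC match on destination IP or host name.
        if event.get("dst_ip") in IOC_IPS or event.get("dst_host") in IOC_DOMAINS:
            hits.append("known_c2_contact")
        # Office itself reaching out to the network is worth a look on its own.
        if _basename(event.get("process", "")) in OFFICE_PROCESSES:
            hits.append("office_outbound_connection")
    return hits


def scan(events: list) -> dict:
    """Map the index of each alerting event to its rule hits (empty dict if none)."""
    return {i: hits for i, e in enumerate(events) if (hits := evaluate(e))}


# --- constructed telemetry (not real logs) ---
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROPPED = r"C:\Users\user\AppData\Local\Temp\YEWZMJFAHIB.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe", "image": WORD},
    {"type": "network", "process": WORD,
     "dst_host": "sardiniarealestate.info", "dst_ip": "203.0.113.10"},
    {"type": "file_create", "process": WORD, "path": DROPPED},
    {"type": "process_create", "parent": WORD, "image": DROPPED},
    {"type": "network", "process": DROPPED, "dst_ip": "74.208.11.204"},
    {"type": "file_create", "process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Temp\update.log"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["type"], hits)
```

The two `office_*_temp` rules are the durable part: they fire on the drop-and-run pattern regardless of which domain or IP a future variant uses, while the `known_c2_contact` rule only holds for as long as the listed indicators stay valid.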

Anonymous said...

I received the same e-mail with the same Word document containing a macro.

It is a scam.

Anonymous said...

AquAid here – we are very, very sorry about the trouble this has caused. Our servers have been hacked and the problem should now be resolved, but I am fully aware that doesn't help all the people who have already received emails infected with a virus.

Apologies again.

Peter Hansen
Group Manager
AquAid

Anonymous said...

Devious and more convincing than the usual scam emails. I can see why perfectly reasonable and seasoned email users could fall for this one. This is a most useful blog from which we can all benefit. David Foley. East Kent Chamber of Commerce

Anonymous said...

I have opened it on my phone and emailed back, can they get anything off my phone??

Anonymous said...

I received one today and I replied back on my phone, will they be able to get anything from my phone

Paul Hartley said...

I just got the email about 30 minutes ago so it's still doing the rounds.

Looks very convincing and if you go to Aquaid website the individual is an 'actual' person.

I tried phoning but engaged. I guess the switchboards are jammed.

Anonymous said...

Just received one today - googled the mobile number straight away and found this site. Now deleted email. Thanks guys!

Anonymous said...

If you opened it on a phone it should be fine - it only attacks Windows PCs at the moment.

Gavin Walsh said...

Our Managing director also received this email several times today. We are a wholesaler and do purchase this kind of product frequently. Luckily he knew he had never ordered from Aquaid so didn't open the attachment. Also tried to call Aquaid but the line was engaged.
Very clever individuals hacking their servers and sending these directly from their mail server by the look of it. Hopefully everyone receiving this email will have Googled it and found this thread.

Anonymous said...

We received it today and opened it up, will it have any effect on the phone thx