Wednesday, 14 January 2015

Les Mills Invoice goods/services malware

Les Mills Invoice goods/services macro-based malware is being spammed out.

The Word document has a random attachment; however, these emails aren't from Les Mills at all. The company's name is just being used to make the email look more genuine, i.e. as if it came from a real company.

It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Header:
From: {}
Date: Wed, 14 Jan 2015 09:41:56 +0200
Subject: Les Mills Invoice

Message Body:
Dear Customer,
Please find attached an invoice for Les Mills goods/services.  Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
If you have any queries please email or call 0207 264 0200 and select option 3 to speak to a member of the team.
Best regards,
Les Mills Finance Team
Les Mills SIV035931.doc

MD5 Hashes:

Malware Macro document information:

VirusTotal Report [1]
(hits 0/57 Virus Scanners)

VirusTotal Report [2]
(hits 0/57 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]

Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24679.DocHeur.


The current round of Word and Excel attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
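
As an added example (not part of the original post, and not Sanesecurity's detection logic), the following standard-library Python triage flags mail attachments that appear to contain a VBA project, the kind of macro-bearing Word/Excel attachment described above. The function names are hypothetical, the marker check is a heuristic rather than a full parser, and the sample message is built from constructed bytes, not a real document.

```python
import email
import io
import zipfile
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # legacy .doc/.xls container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")    # OLE directory names are UTF-16LE

def has_vba_macros(data: bytes) -> bool:
    """Heuristic triage: does this Office file appear to carry a VBA project?"""
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM in data
    if data.startswith(b"PK"):                     # OOXML files are zip archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def macro_attachments(raw_email: bytes) -> list:
    """Return the filenames of attachments that look macro-enabled."""
    flagged = []
    for part in email.message_from_bytes(raw_email).walk():
        name = part.get_filename()
        if name and has_vba_macros(part.get_payload(decode=True) or b""):
            flagged.append(name)
    return flagged

def constructed_sample() -> bytes:
    """Constructed test message: fake OLE bytes, not a real document or sample."""
    msg = EmailMessage()
    msg["Subject"] = "Les Mills Invoice"
    msg.set_content("Dear Customer, ...")
    with_macro = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM
    without = OLE_MAGIC + b"\x00" * 64
    for data, name in ((with_macro, "Les Mills SIV035931.doc"),
                       (without, "constructed-clean.doc")):
        msg.add_attachment(data, maintype="application", subtype="msword", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(macro_attachments(constructed_sample()))
```

A hit only means the attachment carries macros and deserves quarantine or closer inspection; it says nothing about what the macro does.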



Jamie Kirkpatrick said...

Just downloaded this on my One M8, should I be concerned?

Steve Basford said...

If you opened the document on a Windows machine, using an old version of Microsoft Office or enabled macros, I'd do a virus scan using one of the links on the menu bar at the top of the blog.

Anonymous said...

Hi, I have just got this. I am using an iPad and opened the link, thinking I had my identity stolen as has happened recently. Am I safe or should I call my bank?

Anonymous said...

This definitely doesn't affect iPhones, right? I opened the doc and got a blank page, nothing more. Then, being skeptical, I deleted the email from my inbox & junk folder.

Steve Basford said...

If you are using an iPhone, iPad, Android or Blackberry device and open the Word/Excel document then you should be OK, as macros don't run on those devices, but don't forward it to any Windows users as it could infect them.

Anonymous said...

Just received this email in my Hotmail account, so glad I read up on it before I opened it.