A "Gail Walker / mblseminars invoice.doc" email is being spammed out, carrying a Word document with an embedded malicious macro.
These emails aren't from mblseminars at all; the company's name and address are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.
It's not advised to ring them, as there won't really be anything they can do to help you.
Message Header:
From: Gail Walker {gail@mblseminars.com}
Subject: Outstanding Invoice 271741
Message Body:
Dear Customer
Payment for your Season Ticket was due by 31 January
2015 and has not yet been received. A copy of the invoice is
attached.
By way of a reminder, the Season Ticket entitles all
members of your organisation to save up to 50% on our public seminars and
webinars. Since being a Season Ticket Holder your organisation has saved
£728.50.
Please arrange for payment by return by BACS, cheque,
or credit card. If payment has been arranged and just not reached us yet then
please ignore this email.
If you have any queries, please do not hesitate to
contact us.
Regards
Gail Walker
MBL (Seminars) Limited
The Mill House
6 Worsley Road
Worsley
Manchester
United Kingdom
M28 2NL
Tel: +44 (0)161 793 0984
Fax: +44 (0)161 728 8139
Attachment filename (Word document with macros): invoice.doc
MD5 hashes:
d7b8ef86ec0398d0b88c9bf0b0203fd2 [1]
6beaa39b2a1d3d896c5e2fd277c227dd [2]
Malware Macro document information:
VirusTotal Report [1] (hits 1/57 Virus Scanners)
VirusTotal Report [2] (hits 1/57 Virus Scanners)
Malwr Report [1]
Malwr Report [2]
Decoded Macro [1]
NOTE
The current round of Word and Excel attachments are targeted at Windows users.
Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.
The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking screenshots or copying information from your clipboard (copy/paste)).
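For anyone triaging one of these at the mail gateway or on a helpdesk ticket, here is a small Python script that automates the three checks this post relies on: the From: domain is being spoofed (the message never came from mblseminars' servers), the attachment is an OLE Word document carrying a VBA project, and the attachment's MD5 can be compared against the two hashes listed above. This is an added example, not code from the original post or from MBL; the sample email, the hostnames and the attachment bytes are constructed for the demo (the "invoice.doc" below is not a real Word file, only the OLE header plus the UTF-16LE directory-entry name a VBA project storage has), and the macro check is a crude byte-level heuristic, not a proper OLE parser.

```python
"""Triage a suspected macro-document mailing (added example, not from the post).

Checks: (1) From: domain vs the host that actually handed the message to us,
(2) whether a .doc/.xls attachment is an OLE file containing a VBA project,
(3) whether the attachment's MD5 is in a known-bad list.
"""
import base64
import email
import email.policy
import hashlib
import re

# The two MD5s the post lists for invoice.doc.
KNOWN_BAD_MD5 = {
    "d7b8ef86ec0398d0b88c9bf0b0203fd2",
    "6beaa39b2a1d3d896c5e2fd277c227dd",
}

# OLE2 compound-file magic (all legacy .doc/.xls files start with it).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory-entry names are stored as UTF-16LE; a document with macros has
# a storage called "_VBA_PROJECT". Crude heuristic: look for that name raw.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sender_domain(msg) -> str:
    """Domain shown in From: (what the victim sees)."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def handoff_domain(msg) -> str:
    """Host named in the topmost Received: header, i.e. the machine that
    actually delivered the message to our MX. Spoofed mail almost never
    arrives from the claimed sender's own infrastructure."""
    for hdr in msg.get_all("Received") or []:
        m = re.search(r"from\s+([\w.-]+)", str(hdr))
        if m:
            return m.group(1).lower()
    return ""


def looks_like_vba_doc(data: bytes) -> bool:
    """True if data is an OLE file that appears to carry a VBA project."""
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data


def attachments(msg):
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            yield fname, part.get_payload(decode=True)


def triage(raw: bytes, known_bad=KNOWN_BAD_MD5) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    sd, hd = sender_domain(msg), handoff_domain(msg)
    if sd and hd and not hd.endswith(sd):
        findings.append(f"From: claims {sd} but message was delivered by {hd}")
    for fname, data in attachments(msg):
        digest = md5_hex(data)
        if digest in known_bad:
            findings.append(f"{fname}: MD5 {digest} matches a known-bad sample")
        if fname.lower().endswith((".doc", ".xls")) and looks_like_vba_doc(data):
            findings.append(f"{fname}: OLE document containing a VBA project (macro)")
    return findings


# Constructed stand-in for invoice.doc: OLE magic, padding, and the UTF-16LE
# "_VBA_PROJECT" name. Not a real Word file; just enough to trip the checks.
FAKE_DOC = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64

# Constructed sample message modelled on the one above; hostnames are made up.
SAMPLE_EMAIL = (
    b"Received: from mail.spambot.example (203.0.113.5) by mx.victim.example;\n"
    b"  Mon, 2 Feb 2015 09:12:00 +0000\n"
    b"From: Gail Walker <gail@mblseminars.com>\n"
    b"To: accounts@victim.example\n"
    b"Subject: Outstanding Invoice 271741\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain\n\n"
    b"Payment for your Season Ticket was due by 31 January 2015.\n"
    b"--b1\n"
    b'Content-Type: application/msword; name="invoice.doc"\n'
    b'Content-Disposition: attachment; filename="invoice.doc"\n'
    b"Content-Transfer-Encoding: base64\n\n"
    + base64.encodebytes(FAKE_DOC)
    + b"--b1--\n"
)

if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("FINDING:", line)
```

Run as-is it reports two findings for the constructed message (the From: domain does not match the delivering host, and the attachment is an OLE file with a VBA project); a third appears only if the attachment's hash is on the list. For real samples, swap the raw-byte heuristic for a proper VBA extractor such as olevba from the oletools project, which also dumps the macro source so you can see the download URL it calls.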
Cheers,
Steve
4 comments:
Thanks Steve! Received one of these this morning! Nasty.
Hi
I received this email and opened the attachment, but the document was blank and I didn't enable the macros. Am I still at risk?
OK, I got one of these this morning. I scanned the doc with Norton, which said it was clean, and opened it. I'm currently doing a full system scan; is there anything I need to do?
Our firm has had multiple users run this. It opens a blank doc but downloads an application into the %tmp% folder. We have also noticed that infected machines are no longer able to download anything from the web: it starts the download but then does nothing.