Wednesday, 11 February 2015

Gail Walker mblseminars invoice.doc

Gail Walker mblseminars invoice.doc email being spammed containing a word document with embedded macro.

These emails aren't from mblseminars at all, they just being used to make the email look more genuine, ie. from a real company.
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Header:

From: Gail Walker {}
Subject: Outstanding Invoice 271741
Message Body:
Dear Customer
Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
If you have any queries, please do not hesitate to contact us.
Gail Walker
MBL (Seminars) Limited

The Mill House
6 Worsley Road
United Kingdom
M28 2NL

Tel: +44 (0)161 793 0984
Fax: +44 (0)161 728 8139
 Attachment filename (word document with macros)

Md5 Hashes:
d7b8ef86ec0398d0b88c9bf0b0203fd2 [1]
6beaa39b2a1d3d896c5e2fd277c227dd [2]

Malware Macro document information:

VirusTotal Report [1] (hits 1/57 Virus Scanners)
VirusTotal Report [2] (hits 1/57 Virus Scanners)

Malwr Report [1]
Malwr Report [2]

Decoded Macro [1]
Sanesecurity signatures are blocking this as:



The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))



Anonymous said...

Thanks Steve! Received one of these this morning! Nasty.

Anonymous said...


I received this email and opened the attachement but the document was blank and I didn't enable the macros - am I still at risk?

Jem said...

OK I got one of these this morning, I scanned the doc with Norton which said it was clean and opened it. I'm currently doing a full system scan, is there anything I need to do?

Anonymous said...

Our firm has had multiple users run this, it opens a Blank doc but downloads an application into the %tmp% folder we have also noticed that infected machines are no longer able to download anything from the web, its starts the download but then does nothing.