Monday, 30 March 2015

Vistaprint VAT Invoice VistaPrint-cc email

Vistaprint VAT Invoice email with a zip attachment...

Headers:
From: Vistaprint {VistaPrint-cc@vistaprint.com}
Subject: Vistaprint VAT Invoice (330142496)

Message body:
Invoice Number: 330142496
Invoice Date: 3/30/2015
Delivery Date: 3/30/2015
The Netherlands Payment Date: 3/20/2015
Order Number: nLhs-tNyCT-qMW

There's a Zip file attached to the email:
6Lx7Uuuyr.zip

Inside the Zip file is a Windows Executable file:
 Invoice_1.exe
Sha256 Hashes (one example)
733dbcc33cd08ac2ff6355df4e2886729a30bbfb9d857beb3c190183d833948b   [1]


Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 1/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

6 comments:

Derek Knight said...

It looks like they are creating each individual email attachment on the fly, and each one not only has a random zip name, but the actual malware Upatre downloader contained in the zip, although each has the same file name, is different with an individual file hash. I have checked 5 or 6 so far and all have different SHA256 numbers.

http://myonlinesecurity.co.uk/vistaprint-vat-invoice-fake-pdf-malware/

Anonymous said...

just got this email today! thanks!

LARRYIEP said...

I just got one, but my AVG Internet Security 2015 antivirus program caught it and deleted the message.

Vistaprint VAT Invoice (570832909)
Invoice Number: 570832909
Invoice Date: 3/30/2015
Delivery Date: 3/30/2015
The Netherlands Payment Date: 3/20/2015
Order Number: k3u9-yropI-78A

bindare dundat said...

Thanks guys. We have to keep this up.

Anonymous said...

Got this one today, too - found it in my Junk folder

Anonymous said...

Just got this at our company, the service desk released it from Mail Marshal... and now I'm scanning the network. Here is the

Received: from vistaprint.com (242.169.233.220.static.exetel.com.au[220.233.169.242])

From: Vistaprint
MIME-Version: 1.0
Subject: Vistaprint VAT Invoice (566155852)

Invoice Number: 566155852
Invoice Date: 3/30/2015
Delivery Date: 3/30/2015
The Netherlands Payment Date: 3/20/2015
Order Number: CVh{-5eAGQ-dPB

When executed it created 2 applications with random 13-character text names and a size of 444KB under C:\Users\(username)\Appdata\Local\

Our System Centre Endpoint has yet to pick up anything, but if it causes any issue I'll let ya know.
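The traits quoted in the post and in the last comment (subject format, zip attachment wrapping an .exe, and a Received header whose HELO name does not match the sending host's reverse DNS) can be turned into a mail-gateway check. The script below is an added example, not Sanesecurity's code; the sample message it builds is constructed here with a harmless text file in place of the real Invoice_1.exe, and the header shapes are assumed to stay stable for this campaign.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Traits taken from the samples quoted on the page; assumed stable for this campaign.
SUBJECT_RE = re.compile(r"^Vistaprint VAT Invoice \(\d{9}\)$")
# "Received: from <HELO name> (<reverse DNS>[<ip>])" as shown in the last comment.
RECEIVED_RE = re.compile(r"^from (\S+) \((\S+?)\[")

def zip_executables(blob: bytes) -> list:
    """Names of executable members inside an in-memory zip (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith((".exe", ".scr"))]
    except zipfile.BadZipFile:
        return []

def assess(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the lure's traits."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        reasons.append("subject matches campaign pattern")
    for rcv in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(str(rcv).split()))  # collapse header folding
        if m and not m.group(2).endswith(m.group(1)):
            reasons.append(f"HELO {m.group(1)} does not match rDNS {m.group(2)}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = zip_executables(part.get_payload(decode=True))
            if members:
                reasons.append(f"zip {name} carries executable(s): {members}")
    return reasons

def build_sample() -> bytes:
    """Constructed stand-in for the lure; the 'exe' is plain text, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_1.exe", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Received"] = "from vistaprint.com (242.169.233.220.static.exetel.com.au[220.233.169.242])"
    msg["From"] = "Vistaprint <VistaPrint-cc@vistaprint.com>"
    msg["Subject"] = "Vistaprint VAT Invoice (330142496)"
    msg.set_content("Invoice Number: 330142496\nInvoice Date: 3/30/2015\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="6Lx7Uuuyr.zip")
    return bytes(msg)
```

Running `assess(build_sample())` returns three reasons for the constructed sample; a legitimate invoice would normally trigger none of them.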