Thursday, 23 April 2015

Refund on order 204-2374256-3787503 Amazon

An email with the subject "Refund on order 204-2374256-3787503", made to look as if it comes from Amazon, arrives with an attached Word document, 204-2374256-3787503-credit-note.doc, containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

From: "" {}
Subject: Refund on order 204-2374256-3787503
Message Body:
Dear Customer,

Greetings from

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on

Thank you for shopping at

Sincerely, Customer Service

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again

Sha256 Hashes:
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection 4/57)
VirusTotal Report: [2] (Detection 4/57)
VirusTotal Report: [3] (Detection 4/57)
VirusTotal Report: [4] (Detection 4/57)
VirusTotal Report: [5] (Detection 4/57)
VirusTotal Report: [6] (Detection 4/57)


The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
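For mail administrators, here is an added example (not part of the original post) of a triage check for this lure: it flags a message when an attachment carries a VBA macro or is named after the order number in the subject line. The function names and byte-marker heuristics are assumptions of this example, and the sample attachments are constructed stand-ins, not the real files.

```python
import email, io, re, zipfile
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc/.xls container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE
ORDER_RE = re.compile(r"\d{3}-\d{7}-\d{7}")      # order-number shape seen in this lure

def has_macro(data: bytes) -> bool:
    """Heuristic: does this attachment carry a VBA project?"""
    if data.startswith(OLE_MAGIC):               # Word/Excel 97-2003 binary
        return VBA_STREAM in data
    if data.startswith(b"PK"):                   # OOXML (.docm/.xlsm, or renamed)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    # Word 2003 XML / MHTML saved with a .doc extension
    return b'macrosPresent="yes"' in data or b"editdata.mso" in data

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message resembles this campaign (empty list = none)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    order = ORDER_RE.search(msg.get("Subject", ""))
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        if has_macro(payload):
            reasons.append(f"macro in attachment {name}")
        if order and order.group() in name:
            reasons.append("attachment named after order number in subject")
    return reasons

def build_sample(body: bytes) -> bytes:
    """Constructed test message modelled on the e-mail quoted above."""
    m = EmailMessage()
    m["Subject"] = "Refund on order 204-2374256-3787503"
    m.set_content("Dear Customer, ...")
    m.add_attachment(body, maintype="application", subtype="msword",
                     filename="204-2374256-3787503-credit-note.doc")
    return m.as_bytes()

# Constructed stand-ins for attachments, not real samples.
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM + b"\x00" * 64
FAKE_CLEAN_DOC = OLE_MAGIC + b"\x00" * 128
if __name__ == "__main__":
    print([triage(build_sample(d)) for d in (FAKE_MACRO_DOC, FAKE_CLEAN_DOC)])
```

The marker scan is a heuristic, so a hit means "quarantine and inspect", not a verdict; a clean result does not prove the file is safe.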



365Drills said...

I just had the same email this morning (23rd April) so thank you for posting this up.

Tony T said...

Had three emails this morning within the space of an hour. That's when I became really suspicious!

Anonymous said...

I also received it but thought it was a scam. Nice to have it confirmed.

Al said...

Just received this email. Thanks for the confirmation.