Monday, 29 June 2015

CEF Documents City Electrical Factors Limited BLA176035.doc

CEF Documents City Electrical Factors Limited BLA176035.doc macro malware.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.


From: "" {}
Subject: CEF Documents

Message Body:
Please find attached the following documents issued by City Electrical Factors:

Invoice - BLA/176035 - DUCHMAID

If you have any problems or questions about these documents then please do not hesitate to contact us.

Dawn Sandel
Phone: 01282 698 112
Fax: 01282 696 818

Dawn Sandel
Group Office
Nelson & Northwest Region

City Electrical Factors Limited
Tel: 01282 698 112  Fax: 01282 696 818
11 Kenyon Road, Lomeshaye Industrial Estate, Nelson, BB9 5SP

SHA256 Hashes:
1dd4601705e197fe4528a50a4cca282ea9ffb45249ff5fdb3d538a79dccea157 [1]
96de9b01e7e403388f92696c1f7f14b85e373962824aa248ca144f9314f5ffb3 [2]
c1188f42836fce82819134340b1726fdb1ee3234aaaef1674924602ead39b1ef [3]
846c9403e3059012f44a4b6e6ac77a34aec313e9979ae039f767e79685623e53 [4]
83bbeab07a972de567fe418babb9023f185c6ed2b62d09a241698c7886170876 [5]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/57)
VirusTotal Report: [2] (detection 4/57)
VirusTotal Report: [3] (detection 4/57)
VirusTotal Report: [4] (detection 4/57)
VirusTotal Report: [5] (detection 4/57)


The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automatic screenshots, or copying information from your clipboard (copy/paste)).
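
A triage sketch for attachments like the one described above, added here as an example and not code from the original post: it pulls the attachments out of a raw message, computes each SHA-256 so it can be compared with a published hash list, and flags legacy Office (OLE2) files that carry a VBA project stream name. The sample message, addresses and function names are constructed for illustration, and the marker search is a heuristic, not a full OLE parser.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls files
# OLE2 directory entry names are UTF-16LE; a VBA project adds a "_VBA_PROJECT" stream.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage_attachments(raw_message, known_sha256=frozenset()):
    """Return one record per attachment in a raw RFC 5322 message.

    known_sha256 is a set of lowercase hex digests supplied by the analyst,
    for example hashes published in an alert like this one.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        is_ole2 = data.startswith(OLE2_MAGIC)
        records.append({
            "filename": part.get_filename(),
            "sha256": digest,
            "is_ole2": is_ole2,
            # Heuristic: stream name present means a macro project is likely embedded.
            "has_vba_marker": is_ole2 and VBA_MARKER in data,
            "known_bad": digest in known_sha256,
        })
    return records


def build_sample():
    """Constructed test message; the attachment is a stub, not a real document."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "CEF Documents"
    msg.set_content("Please find attached the following documents")
    stub = OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER
    msg.add_attachment(stub, maintype="application", subtype="msword",
                       filename="BLA176035.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for record in triage_attachments(build_sample()):
        print(record)
```

Attachments that are not OLE2 containers (for example Word XML saved under a .doc name) come back with `is_ole2` set to False and need a separate check.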



Anonymous said...

Thanks for the information Steve, just had one of these - glad I checked!

Anonymous said...

Thanks for the quick posting Steve, also had a couple of email addresses at work receive this email. You made my Monday better. Cheers :)

AndyB said...

Just got one of these and was suspicious. Your blog has clarified this and has been extremely helpful. Thanks.

Anonymous said...

Received this morning. Unfortunately it came in a few minutes after I'd ordered a battery from a company on eBay with a similar name so assumed it was a valid invoice and opened the attachment on my Android tablet (so no harm done I hope). Thanks for the information.

Jordan Ashworth said...

I work at the CEF office in the email... this attention has crashed our telephone systems and obviously as stated it bears no origin to us.

Anonymous said...

Thanks for posting this info. I had my suspicions, purely because we bought things from you last week and couldn't work out how you had our email address.

Anonymous said...

Received this at our firm on several accounts.
Was suspicious from the outset as IP address resolves to Iran.