Friday, 31 July 2015

Your latest Chess Bill Is Ready 2015-07-Bill.docm

Your latest Chess Bill Is Ready 2015-07-Bill.docm macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

From: {}
Subject: Your latest Chess Bill Is Ready
Message Body:
Your bill summary
Account number: 24583
Invoice Number: 2398485
Bill date: July 2015
Amount: £17.50
How can I view my bills?
Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you've incurred since your last bill, just sign into My Account
Forgotten your sign in details?

If you've forgotten your sign in details, no problem, you can reset these by choosing

Making payments is easy!

If you want to make a credit or debit card payment you can do online by choosing
You don't need to do anything if you pay by direct debit, we will collect your payment automatically on or after 30th June. If you pay by cheque, details of how to pay us are available on the invoice.
Switch to Direct Debit today and you'll save at least £60.00 a year, simply call our dedicated team on 0844 770 6060.
Anything else you'd like to know?

Why not visit our support section at

This e-mail has been sent from a Mailbox belonging to Chess Telecom,
registered office Bridgford House, Heyes Lane, Alderley Edge, Cheshire, SK9 7JP.
Registered in England, number 2797895. Its contents are confidential to the
intended recipient.
If you receive in error, please notify Chess Telecom on
+44 (0)800 019 8900 immediately quoting the name of the sender, the email
address to which it has been sent and then delete it; you may not rely on its
contents nor copy/disclose it to anyone.
Opinions, conclusions and statements

Sha256 Hashes:
906f9284cedee5bb824c8a55321154efa518a0f66ea13502c0ae73aadd8fd7e7 [1]
e49e8048647106f944fba55f392f60030b90df3853bee47cf03fe7424a85acd9 [2]
d00c093350784fb7235eb4463dacaf0357ecc62408c28da07a971fb25f29848e [3]
b5ee8925742637a8484f6e1cb08a1c989cb4a8f9e66a8179c929dd789c07c06d [4]
99313f05213cdc82bf15abfe4120711e4ac7ea1d8da19e7c1a31e1114eb1d1c6 [5]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/56)
VirusTotal Report: [2] (detection 5/56)
VirusTotal Report: [3] (detection 5/56)
VirusTotal Report: [4] (detection 5/56)
VirusTotal Report: [5] (detection 5/56)


The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))


No comments: