Monday, 26 October 2015

PHSOnline Your new PHS documents are attached

PHSOnline Your new PHS documents are attached macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and they normally have faked email headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: "PHSOnline" {documents@phsonline.co.uk}
Subject: Your new PHS documents are attached
Message Body:
Delivery of new PHS document(s)

Dear Customer

Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.

We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.

Regards

PHS Group

To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.

Attachment:
G-A0287580036267754265.doc
Sha256 Hashes:
11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50 [1]
8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa [2]
e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/56)
VirusTotal Report: [2] (detection 5/56)
VirusTotal Report: [3] (detection 5/56)


Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments try to download either...


... both of which are designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
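As an added example (not from this post, and not Sanesecurity's tooling), here is a small Python triage routine that checks a raw message for the traits described above: a From address borrowed from the real company that does not match the envelope sender, the generic "Dear Customer" greeting, a macro-capable Office attachment, and a SHA-256 match against the three hashes listed earlier. The Return-Path value and the attachment bytes in the built-in sample are constructed for the demonstration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

KNOWN_BAD_SHA256 = {  # SHA-256 hashes of the three attachment variants in this post
    "11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50",
    "8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa",
    "e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7",
}
MACRO_EXTENSIONS = (".doc", ".dot", ".docm", ".xls", ".xlsm", ".xlsb", ".pptm")
SAMPLE_ATTACHMENT = b"constructed placeholder bytes, not a real document"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def domain_of(header_value):
    """Bare domain of a From/Return-Path header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def triage_message(raw_bytes, known_bad=KNOWN_BAD_SHA256):
    """List the indicators that make a message look like this PHS lure."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # From borrows the company's real address; the envelope sender (Return-Path) does not match
    from_dom, bounce_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if bounce_dom and bounce_dom != from_dom:
        reasons.append(f"return-path domain {bounce_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "dear customer" in text:  # the lure never addresses the recipient by name
        reasons.append("generic greeting, recipient not addressed by name")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append(f"macro-capable attachment {name}")
        if sha256_hex(part.get_content()) in known_bad:
            reasons.append(f"attachment {name} matches a known-bad sha256")
    return reasons

def build_sample_lure():
    """Constructed stand-in for the PHS email; the Return-Path value is assumed."""
    m = EmailMessage()
    m["From"] = '"PHSOnline" <documents@phsonline.co.uk>'
    m["Return-Path"] = "<bounce@example.invalid>"
    m.set_content("Dear Customer\n\nplease find the attached in DOC format.\n")
    m.add_attachment(SAMPLE_ATTACHMENT, maintype="application", subtype="msword",
                     filename="G-A0287580036267754265.doc")
    return m.as_bytes()
```

Running triage_message(build_sample_lure()) reports the spoofed sender, the generic greeting and the .doc attachment; the hash check only fires for a real sample from the list.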

Cheers,
Steve

8 comments:

Anonymous said...

Today's scam email just arrived and immediately deleted. Is there no way these idiots can be stopped?

Anonymous said...

Yep, another one here just received it. IP address is from Turkey - Eser Telekom which is part of the Skylogic S.p.A. who provide satellite broadband services worldwide and are based in Turin in Italy.

Anonymous said...

Got my latest this morning from PHS. Wish these assholes would fall down a deep hole and disappear. 😊

Anonymous said...

I received this - and very stupidly clicked on the attachment as it was very similar to an email that I was expecting.

Norton Premier 360 did not strip it out - v worried I now have malware downloaded.

Anonymous said...

Thank you for this information I very much appreciate it.

Julia McClelland said...

I just got one of these. Fortunately, I don't click on any links or open anything when I don't know who it is but go to their website to see who they are.

John Gonzalez said...

I received this today also. Looks like this goes out in a mass email. I always try to see where a suspicious email originates from before opening any type of link or attachment that I'm not expecting. I too would like to see them all fall into a deep deep hole.

lesm said...

If the mail does not have your name on it then there is a good chance it is a scam - in this mail they are sending you a personalised document but do not know your name... unlikely to be true. Other than that, a pretty good looking scam.