Monday, 16 November 2015

2 Invoices Attached invoices_17080258.doc Metropolitan, An RR Donnelley Company

Description:


2 Invoices Attached invoices_17080258.doc macro malware purporting to come from Metropolitan, An RR Donnelley Company

Headers:

From: Loris Louis {LouisLoris305@haffendencommunications.com.au}
Subject: 2 Invoices Attached

Message Body:

Good morning,


Please see the attached invoices and remit payment according to the terms listed at the bottom of the invoice.  If you have any questions please let us know.


Thank you!


Loris Louis
Accounting Specialist | Metropolitan, An RR Donnelley Company

Attachment filename(s):

invoices_17080258.doc

Sha256 Hashes:


05f245ab40af49e8c020dcb20f205f3ac483af720e94a3a8153ac7d1ba69fe39 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.25109.GenDocHeur.
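As an added example (not part of Steve's post and not code from any of the tools it names), here is a Python triage script you can run on a saved copy of an attachment before anyone double-clicks it. It hashes the file and compares the digest to the SHA256 published above, then looks for an embedded VBA project the way a generic "bad macro" heuristic signature does: in a Word/Excel 97-2003 OLE file it searches for the UTF-16LE stream names a VBA project leaves in the directory (such as _VBA_PROJECT), and in a .docm/.xlsm zip container it checks for the vbaProject.bin member. The sample files at the bottom are constructed in memory and are not the real attachment; the hash set, function names and sample names are this example's own. For real analysis use olevba from oletools, which also extracts the macro source.

```python
"""Offline triage of a suspicious Office attachment before anyone opens it.

Two checks: (1) the SHA256 against a list of known-bad hashes, e.g. the one
published in this report; (2) a format-aware heuristic for an embedded VBA
project, the same kind of check a generic "bad macro" signature makes.
"""
import hashlib
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Word/Excel 97-2003 compound file
ZIP_MAGIC = b"PK\x03\x04"                           # .docm/.xlsm/.docx are zip containers

# Stream names written into the OLE directory when a document carries a VBA project.
# Directory entry names are stored as UTF-16LE, so we search for the wide encoding.
OLE_MACRO_STREAMS = ("_VBA_PROJECT", "VBA", "Macros", "ThisDocument")

# Zip members that hold the VBA project in macro-enabled OOXML files.
OOXML_MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Known-bad hashes (example list). The entry below is the invoices_17080258.doc hash from this post.
KNOWN_BAD_SHA256 = {
    "05f245ab40af49e8c020dcb20f205f3ac483af720e94a3a8153ac7d1ba69fe39",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ole_macro_streams(data: bytes) -> list:
    """Return the macro-related OLE stream names whose UTF-16LE form occurs in data."""
    if not data.startswith(OLE_MAGIC):
        return []
    return [name for name in OLE_MACRO_STREAMS if name.encode("utf-16-le") in data]


def ooxml_macro_members(data: bytes) -> list:
    """Return the vbaProject.bin members present in an OOXML (zip) container."""
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return [m for m in OOXML_MACRO_MEMBERS if m in names]


def triage(data: bytes) -> dict:
    """Hash check first, then the macro heuristic; returns a small verdict record."""
    digest = sha256_hex(data)
    evidence = ole_macro_streams(data) + ooxml_macro_members(data)
    known_bad = digest in KNOWN_BAD_SHA256
    if known_bad:
        verdict = "known-bad"
    elif evidence:
        verdict = "suspicious-macro"
    else:
        verdict = "no-macro-found"
    return {"sha256": digest, "known_bad": known_bad, "evidence": evidence, "verdict": verdict}


# --- constructed samples (built here for the demo, not the real attachment) ---
def _fake_ole(with_macros: bool) -> bytes:
    body = OLE_MAGIC + b"\x00" * 504          # header sector
    if with_macros:
        body += "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40
        body += "Macros".encode("utf-16-le")
    return body + "WordDocument".encode("utf-16-le")


def _fake_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLES = {
    "benign.doc": _fake_ole(False),
    "macro.doc": _fake_ole(True),
    "benign.docx": _fake_ooxml(False),
    "macro.docm": _fake_ooxml(True),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(blob)
        print(f"{name:12} {r['verdict']:16} {r['evidence']}  {r['sha256'][:16]}...")
```

The stream-name search is a heuristic, not a parser: it will flag a document that merely mentions "_VBA_PROJECT" in its text, and it says nothing about what the macro does. That is the trade-off the 2/55 VirusTotal result illustrates, since signature engines are chasing a payload that changes daily while the presence of a VBA project in an unsolicited invoice is a stable indicator.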

Important notes:

Am I Safe?

The current round of Word/Excel/XML/Docm attachments is targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe, because the payload the macro tries to fetch is a Windows executable. LibreOffice and OpenOffice users should also be safe, but do not enable macros if asked to by the attached file.


If you have macros disabled in Microsoft Word or Microsoft Excel (the default setting), you should be safe, but again, do not enable macros if asked to by the attached file: the macro only runs if you click the Enable Content button in the security warning bar.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts by
key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses (here the From address is on an unrelated .com.au domain, not the company's own).

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve
