Monday, 2 November 2015

Margaret Wimperis Purchase Order 37087-POR PORDER.DOC

Description:


Margaret Wimperis Purchase Order 37087-POR PORDER.DOC macro malware.

Headers:

From: Margaret Wimperis {MargaretWimperis@biasbinding.com}
Subject: Purchase Order 37087-POR

Message Body:

Hi
Please confirm receipt of order
Kind regards
Margaret


-----------------------------
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited. The views expressed by the author are not
necessarily those of K. Stevens (Leicester) Ltd.

Attachment filename(s):

PORDER.DOC

Sha256 Hashes:


d997184e5277a9ede634999c6cfaea0d64f7009ff6727c71d58d9d676530ae5e [1]
fcc639ddaf9b671fd1efdd70ad5a9358a18e9b3acd0e89f819a561933583c178 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 3/55)
VirusTotal Report: [2] (detection 3/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Wsc.New
phish.ndb: Sanesecurity.Malware.25722.MacroHeurGen.al2

Important notes:

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.
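As an added example (not part of Steve's post or a Sanesecurity signature), here is a small Python triage check a mail administrator could run over a quarantined attachment: it compares the file's SHA256 against the two hashes listed above and flags legacy OLE .DOC files that carry the storage names a VBA macro project leaves behind. The marker list and the quarantine rule are my assumptions; a definitive answer still needs a proper OLE directory parser such as olevba.

```python
import hashlib
import sys
from pathlib import Path

# SHA256 hashes of the two PORDER.DOC samples listed in the alert above.
KNOWN_BAD_SHA256 = {
    "d997184e5277a9ede634999c6cfaea0d64f7009ff6727c71d58d9d676530ae5e",
    "fcc639ddaf9b671fd1efdd70ad5a9358a18e9b3acd0e89f819a561933583c178",
}

# Magic bytes of an OLE2 compound file; legacy .DOC/.XLS files start with these.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names Word writes only when a VBA project is embedded.
# Directory entries store names as UTF-16LE, so encode them the same way.
# (Assumed heuristic marker list; "_VBA_PROJECT" also matches Excel's
# "_VBA_PROJECT_CUR" storage.)
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def triage(data: bytes, bad_hashes=KNOWN_BAD_SHA256) -> dict:
    """Return triage verdicts for the raw bytes of one attachment."""
    digest = hashlib.sha256(data).hexdigest()
    is_ole = data.startswith(OLE_MAGIC)
    # Only an OLE container can hold a VBA project; search past the
    # 512-byte header so the magic itself never triggers a marker hit.
    has_vba = is_ole and any(m in data[512:] for m in VBA_MARKERS)
    known_bad = digest in bad_hashes
    return {
        "sha256": digest,
        "known_bad": known_bad,
        "is_ole_doc": is_ole,
        "has_vba_markers": has_vba,
        # Quarantine rule (assumption): a listed hash or any macro-bearing
        # legacy document is held back rather than delivered.
        "quarantine": known_bad or has_vba,
    }


def triage_file(path) -> dict:
    return triage(Path(path).read_bytes())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        v = triage_file(p)
        print(f"{p}: sha256={v['sha256']} known_bad={v['known_bad']} "
              f"vba={v['has_vba_markers']} quarantine={v['quarantine']}")
```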



Cheers,
Steve

19 comments:

Karenhoffen said...

I've received this scam email. Thanks for posting this so I know I should delete it.

Anonymous said...

Thanks for this. Just received this email and ummed and ahhed about opening. Sent straight to junk and deleted.

Anonymous said...

Crazy, just received this at work and I'm a buyer so would NOT be receiving something like this so knew it probably wasn't right. Then found your post here after doing a quick search, thanks for this.

Anonymous said...

Same here. Just received this on 2nd November. As I was expecting a purchase confirmation I thought about opening it. However, I thought I'd search Google for such an email and, hey presto, it is a scam.

Thanks for posting

JonoClouds said...

Yep, it's doing the rounds today! Got it 2 Nov 2015. Already in Thunderbird's junk mail box. I expect K Stevens (a genuine company) will be rather annoyed!

Matti said...

Thanks, just received that and your post was very helpful.

Unknown said...

Just got exactly the email. Never open links. Thought I would Google it. Glad I did

Anonymous said...

I opened this email BUT did not click on the attachment, and instead sent the email to the deleted folder. Will my computer be infected?

Thanks.

H.

Anonymous said...

I stupidly opened it but have done various scans and it hasn't detected anything yet. Am I infected? How will I know?

Ted Willis said...

I never open unexpected docs but clicked on this doc not thinking, as I was on the phone in the middle of expecting an online receipt. The macros in the doc were disabled so presumably I haven't caused any damage. I immediately disconnected and ran Hitman Pro and Malwarebytes on the doc, which didn't find any threat! So I googled and ended up here.

I've deleted the doc securely with an IOBIT file shredder in accordance with fancy US standards, but it's got me thinking why nothing picked up the threat, and more importantly what would have?

Any comments please?

Anonymous said...

We received it this morning. Knew it couldn't be right as we're a courier company & don't have a lot of use for bias binding tape!

Steve Basford said...

Just doing a quick check now and looks like the NOD32 online scanner should be picking up the exe file (if it's been downloaded)...

So, worth running...

https://www.eset.com/us/online-scanner/

Anonymous said...

I've downloaded it from my phone and tablet. Both messages are empty but I'm worried now. I opened it as I have ordered things over the weekend and thought it was a receipt. What can I do now?

DH said...

I got this today (2nd Nov) and checked it here so thanks for that. I was already suspicious, hence the search.

Anonymous said...

Yep I just got this morning.

Anonymous said...

I opened it on my Mac as I was expecting a receipt. Will it affect me?

AnonDog said...

SHA256: 68f12af8b55d1af4010626fdc95e23a29442776a045b8ed596041faec7990830
100% FUD from AV!!

Anonymous said...

So glad I googled this before opening attachment. Thanks for posting.
These scammers seem to put a lot of work into what they do...obviously they get rewarded or they would stop which leads me to believe there are some people out there who actually are vulnerable and fall for it. NEVER OPEN AN ATTACHMENT FROM SOMEONE YOU DO NOT KNOW.

Anonymous said...

I got this one on Monday also but unfortunately clicked on the attachment. I googled the company name and found they have a warning on their website. I ran a full scan immediately and a threat was found and neutralized/deleted. I have just received another one today (a supposed invoice from Posei in Australia). I didn't open this one but have run the scan again anyway. Waiting for results. I have found out that my colleague has received both of these as well and he's scanning now also.