Thursday, 28 May 2015

Rachel.Hopkinson anixter.com 212-B59329-23A - Chasing delivery

 Rachel.Hopkinson anixter.com 212-B59329-23A - Chasing delivery macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:

Subject: 212-B59329-23A - Chasing delivery
From: {Rachel.Hopkinson@anixter.com}

Message Body:
Good Morning

The order below was sent over 28/05/15 (please do not duplicate).  I am still waiting for delivery on line 002 for 18 pieces

Please could you advise when delivery will be as we need the goods urgently

Thanks

Rachel
Company logo
  Rachel Hopkinson
 Contracts Buyer
 Central Purchasing Department
 Anixter Ind (Wire & Cable OEM Solutions)
 Brimington Road North
 Chesterfield, Derbyshire
 S41 9BE
 tel: +44 (0)1246 459317
 fax: +44 (0)1246 459348
 
rachel.hopkinson@anixter.com
 
www.anixter.com

 Attachment:
RR1A240D.doc
Sha256 Hashes:
137482cd15168aa55ea85c002e495a85d5065625812f224112c076737e31720c [1]
e6fc2311ad49c5e6ae3ffa0640ef8ce85bd5c4554a77cb55ba7a6a77bb64204b [2]
33af46478e4d24a3c47678b846f370ac7b10c2e7588bb048d272c077e9f6c892 [3]
18f47e0a1a328bd53e908d85652890819b59fbb9586b251d92fe9c55a53425b5 [4]
3a1cd4d19bd7e366994eab61f2d6402e12d5720ca1cd29a788c9a72b51b71bfa [5]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 2/57)
VirusTotal Report: [2] (detection 2/57)
VirusTotal Report: [3] (detection 2/57)
VirusTotal Report: [4] (detection 2/57)
VirusTotal Report: [5] (detection 2/57)


NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Tuesday, 26 May 2015

Your Invoice (ref: INV232654) from thomsonlocal Pleasedonotreply@thomsonlocal.com

Your Invoice (ref: INV232654) from thomsonlocal Pleasedonotreply@thomsonlocal.com  macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: {Pleasedonotreply@thomsonlocal.com}
Subject: Your Invoice (ref: INV232654) from thomsonlocal

Message Body:
 
Thomson Local. Unblock your images   Click here to log in to your account:
Customer Number 4146878
Order Number 100030638
 
unblock your images for more information  
 
Have a question?
Please visit our help forum or contact the team at thomsonlocal:
01252 555 555
Mon to Fri 8.30am - 5.30pm
Email: info@thomsonlocal.com
 
 
Dear Sir/Madam,

Please find attached your Invoice following your recent order or amendment with thomsonlocal.

Should you have any queries regarding your invoice, please contact our Customer Services team on 01252 555 555. Alternatively you can email us at info@thomsonlocal.com

Thank you for choosing thomsonlocal.

Yours sincerely,
 
Head of Customer Services and Sales Support
thomsonlocal

 Attachment:
Invoice INV232654.doc
Sha256 Hashes:
862d16e4d3ae8bc6902f8afb5fc434f72017cf4e7c67fdbb8287a99ea65c43d3 [1]
24b5c4a7d2a1db677fa8b3cb5ceb6c1f33ab2f93327bb96b78abca4e0756932d [2]
7e11030e3be7a4fabb91cc2c8757a16ffe6c2484bdfad16ed1ae9762a3dd0e91 [3]
109af76d26e3f2677fadf4f16074880d26173ff1ff4a7231e4af54c2025ac292 [4]
338df2f3f6dd18ed8387f80e1d79669f088d3009e11c6cd8361d41fe5a85021b [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 2/57)
VirusTotal Report: [2] (detection 2/57)
VirusTotal Report: [3] (detection 2/57)
VirusTotal Report: [4] (detection 2/57)
VirusTotal Report: [5] (detection 2/57)


NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Blank 11 hannah.e.righton@gmail.com

Blank 11 hannah.e.righton@gmail.com macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: hannah.e.righton@gmail.com
Subject: Blank 11

Message Body:
N/A

 Attachment:
Blank 11.doc
Sha256 Hashes:
862d16e4d3ae8bc6902f8afb5fc434f72017cf4e7c67fdbb8287a99ea65c43d3 [1]
24b5c4a7d2a1db677fa8b3cb5ceb6c1f33ab2f93327bb96b78abca4e0756932d [2]
7e11030e3be7a4fabb91cc2c8757a16ffe6c2484bdfad16ed1ae9762a3dd0e91 [3]
109af76d26e3f2677fadf4f16074880d26173ff1ff4a7231e4af54c2025ac292 [4]
338df2f3f6dd18ed8387f80e1d79669f088d3009e11c6cd8361d41fe5a85021b [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 2/57)
VirusTotal Report: [2] (detection 2/57)
VirusTotal Report: [3] (detection 2/57)
VirusTotal Report: [4] (detection 2/57)
VirusTotal Report: [5] (detection 2/57)


NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Friday, 22 May 2015

Your Invoice IN278577 from Out of Eden

Your Invoice IN278577 from Out of EdenInvoice IN278577 (emailed 2015-05-21).doc  macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: "sales@outofeden.co.uk" {sales@outofeden.co.uk}
Subject: Your Invoice IN278577 from Out of Eden


Message Body:
Dear customer,

Thank you for your order. Please find attached a DOC copy of your invoice IN278577 from sales order S391622.

Your order was despatched on 21/05/2015.  Please check the order on delivery and report any shortage, damage or discrepancy within 48 hours from of receipt of this invoice.

If you would prefer to receive a paper invoice or if this email has been sent to the wrong address, please email sales@outofeden.co.uk or call our Customer Service Team on 017683 72939.

Kind Regards,

Customer Services
Tel: 017683 72939
Please consider the environment before printing this email

Out of Eden Ltd
The UK's Most Popular One-Stop-Shop for Hospitality Products
www.outofeden.co.uk

Home Farm Buildings, Kirkby Stephen.  CA17 4AP
Tel: 01768 372 939 Fax: 01768 372 636
Email: sales@outofeden.co.uk
VAT no: 621 2326 86
Reg. in England & Wales - Co. No. 3178081

The information contained in this e-mail is intended only for the personal and confidential use of the designated recipient or recipients named above and may contain confidential or privileged information.  If the reader of this message is not the intended recipient, you are hereby notified that you have received this message in error and that any review, re-transmission, dissemination, distribution, copying, or other use of, or taking of any action in reliance upon this message or any attachments to this message, is strictly prohibited.  If you have received this e-mail message in error, please notify the sender immediately and delete the material from all computers


 Attachment:
Invoice IN278577 (emailed 2015-05-21).doc
Sha256 Hashes:
bf0a29230533f68ae2aa5bf6725cf8012c9fa937aaaa54c0f73d03b3ea29e55b [1]
7f348f03207df2d6b106449c67b4515c89405b1ebff769ca9a06b8752540b349 [2]
67c9743d34f71a0cece563f93bcc0270dcd0dbe6725dee05fea4f2e7cc9cb298 [3]
a694a80f0870e268de6300b565e65d8273565320aa57b1e70d91060ded260478 [4]
b161889bdad4a9d6eac719329185eef5aaba7910ac7d9bebed72b8437afee4d8 [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 1/57)
VirusTotal Report: [2] (detection 1/57)
VirusTotal Report: [3] (detection 1/57)
VirusTotal Report: [4] (detection 1/57)
VirusTotal Report: [5] (detection 1/57)

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]
Hybrid Analysis Report: [4]
Hybrid Analysis Report: [5]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Thursday, 21 May 2015

caravanclub Travel order confirmation 0300202959

Travel order confirmation 0300202959 overseastravel@caravanclub.co.uk Travel Order Confirmation - 0300202959.doc macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: {overseastravel@caravanclub.co.uk}
Subject: Travel order confirmation 0300202959

Message Body:
Dear Customer,
Thank you for your travel order.
Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
Now you have booked your trip why not let The Club help you make the most of your stay?
Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?
Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.
If you’ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .

Yours sincerely

The Caravan Club

This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA.
Regulation
The Caravan Club Ltd is authorised and regulated by the Financial Conduct Authority. FCA registration number is 311890

This email is sent from the offices of The Caravan Club Limited, a company limited by guarantee (Registered in England No 00646027). The registered office and correspondence address is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA.

WARNING – This email and any files transmitted with it are confidential and may also be privileged. If you are not the intended recipient, you should not copy, forward or use any part of it or disclose its contents to any person. If you have received it in error please notify the sender immediately. This email and any automatic copies should be deleted after you have contacted the sender.

Regulation
The Caravan Club is authorised and regulated by The Financial Conduct Authority. Financial Services Register No. 311890
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

 Attachment:
000001.DOC
Sha256 Hashes:
7435b4478e8c0bf3fef5fdf43998e5ba4ce646a03376ad2c278399437c5185e5 [1]
98712318c06140de8249b5d9afe864bb76e964014457154b6edbc7b206f0079e [2]
2329f4c39d28c17436303cd237772885b58101d810bf07a6107f8c89f4f1d55f [3]
c85b4fd1dc7e487995d975d9146ba7d85566bfbbe283e6af692643517eaaa2ef  [4]
89ea1a037e5854d4044086621196b3c3de8a08359a15213f29d71995fc97c0bd [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/57)
VirusTotal Report: [2] (detection 4/57)
VirusTotal Report: [3] (detection 4/57)
VirusTotal Report: [4] (detection 4/57)
VirusTotal Report: [5] (detection 4/57)

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]
Hybrid Analysis Report: [4]
Hybrid Analysis Report: [5]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Invoice# 2976361 PGOMEZ POLYAIR.CO.UK

Invoice# 2976361 Attached PGOMEZ@POLYAIR.CO.UK 000001.DOC macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: PGOMEZ@POLYAIR.CO.UK
Subject: Invoice# 2976361 Attached

Message Body:
Invoice Attached - please confirm..

This transmission may contain information that is privileged and strictly confidential.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.

If you received this transmission in error, please contact the sender and delete the material from any computer immediately.  Thank you.


 Attachment:
000001.DOC
Sha256 Hashes:
7435b4478e8c0bf3fef5fdf43998e5ba4ce646a03376ad2c278399437c5185e5 [1]
98712318c06140de8249b5d9afe864bb76e964014457154b6edbc7b206f0079e [2]
2329f4c39d28c17436303cd237772885b58101d810bf07a6107f8c89f4f1d55f [3]
c85b4fd1dc7e487995d975d9146ba7d85566bfbbe283e6af692643517eaaa2ef  [4]
89ea1a037e5854d4044086621196b3c3de8a08359a15213f29d71995fc97c0bd [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/57)
VirusTotal Report: [2] (detection 4/57)
VirusTotal Report: [3] (detection 4/57)
VirusTotal Report: [4] (detection 4/57)
VirusTotal Report: [5] (detection 4/57)

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]
Hybrid Analysis Report: [4]
Hybrid Analysis Report: [5]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Tuesday, 19 May 2015

various fake vat tax emails

Various fake vat tax emails are with a zip attachment...

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
Subject: adjustment alert
Subject: adjustment notification
Subject: adjustment report
Subject: change guidance
Subject: change notice
Subject: Custom adjustment guidance
Subject: Custom adjustment notice
Subject: Custom change notice
Subject: Custom change report
Subject: Custom increase guidance
Subject: Custom increase reminder
Subject: Custom increase report
Subject: Duties adjustment guidance
Subject: Duties adjustment notification
Subject: Duties change notice
Subject: Duties change notification
Subject: Duties change reminder
Subject: Duties change reminder 
Subject: Duties change report
Subject: Duties increase guidance
Subject: Duties increase notice
Subject: Duties increase notification
Subject: Duties increase report
Subject: increase alert
Subject: increase report
Subject: Levy adjustment alert
Subject: Levy adjustment guidance
Subject: Levy adjustment notice
Subject: Levy adjustment report
Subject: Levy change alert
Subject: Levy change guidance
Subject: Levy change notice
Subject: Levy increase alert
Subject: Levy increase guidance
Subject: Levy increase notice
Subject: Levy increase reminder
Subject: Tax adjustment guidance
Subject: Tax adjustment report
Subject: Tax change alert
Subject: Tax change reminder
Subject: Tax change report
Subject: Tax increase notification
Subject: Tax increase report
Subject: Toll adjustment alert
Subject: Toll adjustment notice
Subject: Toll change alert
Subject: Toll change notification
Subject: Toll increase reminder
Message Body:
Please be informed that VAT decreases before Monday.
Observe the document attached.
Do not forget that money to be settled to the government will be reevaluated.

Anna Adams
Senior Consultant
--
Be noted that VAT increases on Thursday.
View the document enclosed.
Note that fees to be settled to the state are going to be reestimated.

Diane Smith
Tax authority
--
Be warned that VAT alters from Monday.
See the document attached.
Remeber that tax amounts to be paid to the treasury are going to be reevaluated.

Jessica Jones
Chief accountant
--
Be noted that VAT doubles before Friday.
See the document attached.
Remeber that tax amounts to be paid to the government are going to be reestimated.

Jessica Adams
Tax Consultant
--
Please be informed that VAT increases before Thursday.
View the act enclosed.
Do not forget that money to be settled to the treasury are going to be reevaluated.

Jessica Lewis
Tax authority
--
Please be informed that VAT alters from Tuesday.
View the document below.
Remeber that sums to be settled to the tax authorities have to be reevaluated.

Sarah Jones
Tax Consultant
--
We inform you that VAT rises from Thursday.
See the act attached.
Note that money to be settled to the tax authorities are going to be reevaluated.

Susan Smith
Senior Consultant


Attached to the message is a Zip file:
Doc#433806.zip
Inside the Zip file is a Windows Executable file:
 fax2_info.exe

Sha256 Hashes:
0dada1e40d90c28f50b5fcba3ca39ddccb650be4e5cee3e12f49544eb6fc92b2 [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]
Cheers,
Steve

Monday, 18 May 2015

picture message mediamessaging.o2.co.uk

picture message mediamessaging.o2.co.uk macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: {+447711886613@mediamessaging.o2.co.uk}
Subject: 
Message Body:
Hello,

Here's a picture message you've been sent from 07711888963.

You can send a message back from your mobile phone. But don't reply to
this
email.

Thanks,
 Attachment:
PM8963.doc
Sha256 Hashes:
73632eaa1e787944b0a3861e6193806c5d6c940f4baee44a3416092161937cd6 [1]
0707a5113d517fc1f96784173bc3865521a448ea48e2347e76d63e9cb0752a75 [2]
bd7bc65210e10a7b094cbb9f92f97dac3d6a286b13edeb6a74d2c9bc1a91c2b4 [3]
78a9588d7eaf6917a67e86046dce1614a182990a3d2fc65991cb42fc56a18ec2 [4]
d8bc596396bbe950d962b47f496b790d6460a3f6dbad239357188a3bfc6a3d6f [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/57)
VirusTotal Report: [2] (detection 3/57)
VirusTotal Report: [3] (detection 3/57)
VirusTotal Report: [4] (detection 3/57)
VirusTotal Report: [5] (detection 3/57)

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]
Hybrid Analysis Report: [4]
Hybrid Analysis Report: [5]




Sanesecurity Signatures: detected as Sanesecurity.Malware.24945.MacroHeurGen.R1

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Order Details 89920-02119-38881-73110 Amazon ORD-89920-02119-38881-73110.doc

Order Details 89920-02119-38881-73110 Amazon
ORD-89920-02119-38881-73110.doc  macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "Amazon.co.uk" {order@anazon.co.uk}
Subject: Order Details 89920-02119-38881-73110
Message Body:

Good afternoon,,

Thank you for your order. We?ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.

Order Details

89920-02119-38881-73110 Placed on May 17, 2015
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk


 Attachment:
ORD-89920-02119-38881-73110.doc
Sha256 Hashes:
73632eaa1e787944b0a3861e6193806c5d6c940f4baee44a3416092161937cd6 [1]
0707a5113d517fc1f96784173bc3865521a448ea48e2347e76d63e9cb0752a75 [2]
bd7bc65210e10a7b094cbb9f92f97dac3d6a286b13edeb6a74d2c9bc1a91c2b4 [3]
78a9588d7eaf6917a67e86046dce1614a182990a3d2fc65991cb42fc56a18ec2 [4]
d8bc596396bbe950d962b47f496b790d6460a3f6dbad239357188a3bfc6a3d6f [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/57)
VirusTotal Report: [2] (detection 3/57)
VirusTotal Report: [3] (detection 3/57)
VirusTotal Report: [4] (detection 3/57)
VirusTotal Report: [5] (detection 3/57)

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]
Hybrid Analysis Report: [4]
Hybrid Analysis Report: [5]




Sanesecurity Signatures: detected as Sanesecurity.Malware.24945.MacroHeurGen.R1

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Friday, 15 May 2015

Self Bill SB026336 Attached Reliance Scrap Metal

Self Bill SB026336 Attached Reliance Scrap Metal  macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "Reliance Scrap Metal" {enquiries@reliancescrapmetal.com}
Subject: Self Bill SB026336 Attached.
Message Body:
Please Find Enclosed Self Bill Number SB026336 Dated 07/05/2015


C Phillips
enquiries@reliancescrapmetal.com


 Attachment:
Attachment.doc
Sha256 Hashes:
 ac9ed15b125fd785ee42419f80017701f08ab7d06adbbf46cf74081a3666c72d [1]
d1cf74b427898edc8b40635cee52d5b5df593a0e62714b36d09e01b2dbaed704 [2]
 65ad508855b19d4f00ca11fe197b1372068c2e0946deb57c8cacb61da4305d43 [3]
 c1c7dd7453f5ccfa9bb2004a16235f255eb24bd8db177c7b22fa11585f218ef7 [4]
be55fc938fec43937dbfd13058447a27974e81a0b981100e7511df8616359319 [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/57)
VirusTotal Report: [2] (detection 3/57)
VirusTotal Report: [3] (detection 3/57)
VirusTotal Report: [4] (detection 3/57)
VirusTotal Report: [5] (detection 3/57)

Sanesecurity Signatures: detected as Sanesecurity.Malware.24946.MacroHeurGen.RB

Hybrid Analysis: [1]
Hybrid Analysis: [2]
Hybrid Analysis: [3]
Hybrid Analysis: [4]
Hybrid Analysis: [5]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Wednesday, 13 May 2015

Invoice #00044105 From Deluxebase Ltd Anna ESale.doc

Invoice #00044105; From Deluxebase Ltd Anna ESale.doc macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: Anna {anna@deluxebase.com}
Subject: Invoice #00044105; From Deluxebase Ltd
Message Body:
Hello

Thank you for your order which has been dispatched, please find an invoice for the goods attached.
Please contact us immediately if you are unable to detach or download your Invoice.
As a valued customer we look forward to your continued business.

Regards
Accounts Department
Deluxebase Ltd
UK Phone:                          01482 880050
UK Fax:                               01482 883225
International Phone:        +44 1482 880050
International Fax:             +44 1482 883225
accounts@deluxebase.com
www.deluxebase.com

 Attachment:
ESale.doc
Sha256 Hashes:
a122d265b18b02c85e2d079c48b49480540551cc366f0cc9b97ecde42dafbeba [1]
ac03ca98f08fabda0ff621cca4cd33190549c2c429314e231627a70aed39e532 [2]
98ac338c46ce0e4686a3b4e75f39f29ad4e4903cfba3d41cd0402a0f9e5f51e8 [3]
0954786f2d01103b9a01e23dc1e91ebc3857d2f87bee376d47386169816adcde [4]
7f57dc1d3abd0f7240a92e34a07a46cdf1b3f8c8b60b4bbbafd348cfd893237f [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/57)
VirusTotal Report: [2] (detection 5/57)
VirusTotal Report: [3] (detection 5/57)
VirusTotal Report: [4] (detection 5/57)
VirusTotal Report: [5] (detection 5/57)

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Tuesday, 12 May 2015

Copy of your 123-reg invoice ( 123-015309323 )

Copy of your 123-reg invoice ( 123-015309323 ) 123-reg-invoice.doc macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: no-reply@123-reg.co.uk
Subject: Copy of your 123-reg invoice ( 123-015309323 )
Message Body:
Hi,
Thank you for your order.
Please find attached to this email a receipt for this payment.
Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team.
https://www.123-reg.co.uk

 Attachment:
123-reg-invoice.doc
Sha256 Hashes:
4baef401edc96a5e777724dbfded6ad5536f5badc88ec8f9c42c8dc35d201ba8 [1]
f436060dd8b6fe6c97806a8420b08c78e92dd73abf9800acdd020ececfd88b0d [2]
5dfc72d5f818a89a52ab075db425ae1002ce1c3ef783674ed41c0a04226fc300 [3]
2fbcc777f212d3e512466a5a90083076871b54f2bdaf465c1c39f5c5a030c3bb [4]
c4b2b910439cd09b68f60ba5790a1257e037471c7764e98647977a745bdbb80e [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/57)
VirusTotal Report: [2] (detection 5/57)
VirusTotal Report: [3] (detection 5/57)
VirusTotal Report: [4] (detection 5/57)
VirusTotal Report: [5] (detection 5/57)

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Monday, 11 May 2015

mereway kitchens Delivery Confirmation

mereway kitchens Delivery Confirmation  macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "mereway kitchens" {sales.north@mereway.co.uk}
Subject: Delivery Confirmation
Message Body:
Delivery Confirmation

 Attachment:
K-DELC-28279.doc
Sha256 Hashes:
8601451d53e04547fbd66b2972a819846e174af3bc0b6d243fae2a62f59da123 [1]
6a4e3e922e71bf074739c2c533f8f42ba162e0112f063aa971d104b2ccb1864a  [2]
555a41cf648879b6814eacde185e9186fd4c9d04ba8656be44deef91bce48589 [3]
982f5dec64529887bdb1c1f1fc055b6f3588a4cd22852cfc4b8ade242e9fe847 [4]
375d9b2814815affc55631df780e9a64324d3848dc174e7a326de9702394efa1 [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/57)
VirusTotal Report: [2] (detection 3/57)
VirusTotal Report: [3] (detection 3/57)
VirusTotal Report: [4] (detection 3/57)
VirusTotal Report: [5] (detection 3/57)

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Friday, 8 May 2015

Rebecca De Mulder Scanned tickets Milestone Holdings

Rebecca De Mulder Scanned tickets Milestone Holdings macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: Rebecca De Mulder {milestoneholdings@yahoo.co.uk}
Subject: Scanned tickets
Message Body:
Afternoon

Attached are the tickets  you have requested




Kinds Regards kath
Milestone Holdings
Tel:   01676 541133
Mob: 07976 440015


 Attachment:
scan0079.xls
Sha256 Hashes:
00eac4d37ff73e54eb9e7fa131bc44382819ef3100c8e37ff5411bbe48c8ee3b [1]
e89f1ae146aa47bbf5aff559d19b3a91453ef174759a3c4bb2a67c809f6e22c0  [2]
22188c90daec9804d7b648f4bd10ceb9950b8ed4eb67a2c62eccf104083b111b  [3]
01d2cee3230121d5ae785c2c0d96144db0402039d30e5e548196c8327473b7f7 [4]
dd7a69629cc7c0c975bdc18eee9e7b6c38e846854e6ac01900aa0d1ae332fe62  [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/57)
VirusTotal Report: [2] (detection 3/57)
VirusTotal Report: [3] (detection 3/57)
VirusTotal Report: [4] (detection 3/57)
VirusTotal Report: [5] (detection 3/57)

Malwr Report: [1]
Malwr Report: [2]
Malwr Report: [3]
Malwr Report: [4]
Malwr Report: [5]

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]
Hybrid Analysis Report: [4]
Hybrid Analysis Report: [5]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve