Friday, 27 November 2015

Ivan Jarman Sportsafe Invoice S-INV-BROOKSTRO1-476006.doc

Description:

Ivan Jarman Sportsafe Invoice S-INV-BROOKSTRO1-476006.doc macro malware.

Headers:

From: Ivan Jarman {IJarman@sportsafeuk.com}
Subject: Invoice
Message Body:

Sent 27 NOV 15 09:35

Sportsafe UK Ltd
Unit 2 Moorside
Eastgates
Colchester
Essex
CO1 2TJ

Telephone 01206 795265
Fax 01206 795284

Attachment filename(s):


S-INV-BROOKSTRO1-476006.doc

Sha256 Hashes:

4f7848518acd8847a6fc4f87ca7a20ef502641426ae1bb1353df989a8edc076d [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 0/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Badmacro.Doc.url2f

Important notes:

Am I Safe?

The current round of Word/Excel/XML/Docm attachments are targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe. LibreOffice and OpenOffice users should also be safe, but do not enable macros if asked to by the attached file.

If you have macros disabled in Microsoft Word or Microsoft Excel, you should be safe but, again, do not enable macros if asked to by the attached file.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by key logging, taking screenshots or copying information directly from your clipboard (copy/paste).

It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve

Aline: Tax Invoice #40525 Bruce Sharpe alinepumps.com

Description:

Aline: Tax Invoice #40525 Bruce Sharpe alinepumps.com Tax Invoice_40525_1354763307792.doc macro malware.

Headers:

From: Bruce Sharpe {bruce@alinepumps.com}
Subject: Aline: Tax Invoice #40525
Message Body:

Good day,

Please find attached Tax Invoice as requested.

Many thanks for your call.

Bruce Sharpe.

Attachment filename(s):


Tax Invoice_40525_1354763307792.doc

Sha256 Hashes:

feb034075eb65662db187dff2e4441740a62609cec23786854acdebeedc903d5 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Badmacro.Doc.url2f


Cheers,
Steve

Thursday, 26 November 2015

Lucie Newlove Invoice Document SI528880

Description:


Lucie Newlove Invoice Document SI528880 SI528880.xls macro malware.

Headers:

From: Lucie Newlove {lucie@hiderfoods.co.uk}
Subject: Invoice Document SI528880
Message Body:

Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

Hider Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA

Registered in England  Number : 842813

Main Tel: +44 (0)1482 561137
Sales Tel :+44 (0)1482 504333
Fax: +44 (0)1482 565668

E-Mail: mail@hiderfoods.co.uk
Website: http://www.hiderfoods.co.uk

Attachment filename(s):


SI528880.xls

Sha256 Hashes:

1ecc514d0bf2b4f340d3c45b832e72d0be1cc5a86182e193221740041bb15052 [1]
914ee1830e7ab60764623e78a03a27af0c362ee236a866a901b0547d60f8a5c1 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)
VirusTotal Report: [2] (detection 2/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.XlsM.003


Cheers,
Steve

Your car rental invoice from Avis, No. E947168460

Description:


Your car rental invoice from Avis, No. E947168460 macro malware.

Headers:

From: {noreply@avis-billing.com}
Subject: Your car rental invoice from Avis, No. E947168460

Message Body:

 
Avis

Your Avis invoice(s)

Dear Customer

Please find attached your Avis invoice(s)

If you cannot see the attachment(s), please click here.
If you would like to speak to a member of our customer service team about your experience, please call us on 0844 544 6666 or email us at corporate@avis.co.uk.
Would Minicom users 18002 please contact us on 0844 544 5534 where we will be happy to deal with any query?
To make another reservation, please visit our website at www.avis.co.uk.
We look forward to seeing you again soon,
Avis Rent A Car Ltd

Attachment filename(s):


E947168460_20141211_119845517.xls

Sha256 Hashes:

1ecc514d0bf2b4f340d3c45b832e72d0be1cc5a86182e193221740041bb15052 [1]
914ee1830e7ab60764623e78a03a27af0c362ee236a866a901b0547d60f8a5c1 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)
VirusTotal Report: [2] (detection 2/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.XlsM.003


Cheers,
Steve

Deborah Briggs E Payment Fred's Super Dollar

Description:


Deborah Briggs E  Payment Fred's Super Dollar  macro malware.

Headers:

From: "Deborah Briggs" {rona@ronacushley.co.uk}
Subject: E  Payment

Message Body:

Please review the payment confirmation attached to this message. The Transaction should appear on your account in 2 days.

Deborah Briggs
Finance Director/CFO
Fred's Super Dollar/Fred's, Inc.
Attachment filename(s):

YU8D01E66R.doc

Sha256 Hashes:

8fd948f4a795cc63db89feb9f288e90ff78fc66b5a590eee3a5ac0ea324316e4 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection ?/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.appact2


Cheers,
Steve

Tuesday, 24 November 2015

Dridex Macro Malware Summary

Here's a quick summary so far of the last 24 hours of Dridex Macro Malware and how Sanesecurity ClamAV (badmacro.ndb) detected them...



Blue and Red lines are Dridex Macros being blocked.

Now compare the above samples, submitted to VirusTotal within 5 minutes of them arriving (as a simple guide to detection rates, obviously):

detection: 6/54
https://www.virustotal.com/file/eedcabef646f97e4195f4ab5b6d52286be283af9bc09533707916b5c09c36df1/analysis/
--
detection: 6/53
https://www.virustotal.com/file/a1a2faf81e94c610da043931dc3dfc37f82052e531559fbd13205cb20b880428/analysis/
--
detection: 6/53
https://www.virustotal.com/file/bf428c6d82fed22d5fd2ad3623ea10317572f69301ecb0d891e322557e52512b/analysis/
--
detection: 6/54
https://www.virustotal.com/file/96b8d9fe171f1bcfec4455c6616e6bfe117b5f838750585401d2a8b78827e7d4/analysis/
--
detection: 5/55
https://www.virustotal.com/file/ce237587231a119c6924b78da78fc6e79e35af37818c20dc9bba09bf07016629/analysis/
--
detection: 7/53
https://www.virustotal.com/file/2db0ae3ad5f38c6ff39be773811c123278fd12a9954bfa0074d8da2d91d793af/analysis/
--
detection: 6/54
https://www.virustotal.com/file/6c632bc22749fae9e4c22d3fb365111ac3d31b74dcbf2bec2de96fe9a9f2cc80/analysis/
--
detection: 6/55
https://www.virustotal.com/file/4b2166b3affb04bcbe4c743b5cb932ff4e368f01d5d0bcbae0ba8e025cc38b24/analysis/
--
detection: 4/55
https://www.virustotal.com/file/1e472a0437b2c7a0e8d13100e1b0d1bbfb6585a6b3eed40f1368d48d1ebba7cf/analysis/
--
detection: 5/55
https://www.virustotal.com/file/bc40a1245751bc5dce50ec0b8a153fd47d84a817a3bd206aa9711e79a4c08f51/analysis/
--
detection: 6/55
https://www.virustotal.com/file/c73476f6d3a076c8c330ec84b12ea4c6b2b6a526e968af940bbf2ace57a7bce3/analysis/
--
detection: 5/56
https://www.virustotal.com/file/450d4118062fbd9f7d21e6225d68418b2b142e11d2421ea352d31baeab1b94c5/analysis/
--
detection: 6/56
https://www.virustotal.com/file/8f2ad887047b224900e7cfe4527d907d47b50d64fe507c95a031c6ee3ee58d81/analysis/
--
detection: 3/55
https://www.virustotal.com/file/dd512875c5fc3a1040b7aaf7493274ee66573c118e536f0863ff3dc888a2eeb5/analysis/
--
detection: 3/55
https://www.virustotal.com/file/44496278c26f794a59178c0aa07c8f71e783861c6b53c2ee0a5fbbdf549163a0/analysis/
--
detection: 3/56
https://www.virustotal.com/file/d4e2ce1ad86ab80f4995ca4b204607f5b47a4aa3601f1c0dba94c1c1969a4462/analysis/
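
As an added example (not part of the original post and not Sanesecurity's own tooling), the Python script below parses a detection list in the layout used above, pulls the SHA256 out of each VirusTotal URL, summarises the detection rates, and then checks a folder of files against those hashes as indicators of compromise. The summary text embedded in it is a constructed sample containing four of the entries above; the files it scans are constructed in a temporary directory, and the hash of the constructed `invoice.doc` is added to the IoC set locally (an assumption for the demo, not one of the blog's hashes) so that the match path is exercised.

```python
import hashlib
import re
import statistics
import tempfile
from pathlib import Path

# Constructed sample: four of the entries from the summary above, copied in the
# blog's own "detection: N/M" + VirusTotal URL layout with "--" separators.
SUMMARY_TEXT = """\
detection: 6/54
https://www.virustotal.com/file/eedcabef646f97e4195f4ab5b6d52286be283af9bc09533707916b5c09c36df1/analysis/
--
detection: 6/53
https://www.virustotal.com/file/a1a2faf81e94c610da043931dc3dfc37f82052e531559fbd13205cb20b880428/analysis/
--
detection: 3/55
https://www.virustotal.com/file/dd512875c5fc3a1040b7aaf7493274ee66573c118e536f0863ff3dc888a2eeb5/analysis/
--
detection: 6/56
https://www.virustotal.com/file/8f2ad887047b224900e7cfe4527d907d47b50d64fe507c95a031c6ee3ee58d81/analysis/
"""

DETECTION_RE = re.compile(r"^detection:\s*(\d+)\s*/\s*(\d+)\s*$")
VT_URL_RE = re.compile(r"virustotal\.com/file/([0-9a-fA-F]{64})/")


def parse_summary(text):
    """Return [(sha256, hits, engines), ...] for each detection/URL pair.

    A 'detection:' line is held until the next VirusTotal URL line; a URL
    without a preceding detection line is ignored rather than guessed at.
    """
    entries = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
            continue
        m = VT_URL_RE.search(line)
        if m and pending is not None:
            entries.append((m.group(1).lower(), pending[0], pending[1]))
            pending = None
    return entries


def detection_stats(entries):
    """Summarise hits/engines ratios so a low-detection batch is obvious at a glance."""
    rates = [hits / engines for _, hits, engines in entries if engines]
    if not rates:
        return {"samples": 0, "min": 0.0, "max": 0.0, "median": 0.0}
    return {
        "samples": len(rates),
        "min": min(rates),
        "max": max(rates),
        "median": statistics.median(rates),
    }


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so a large attachment need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_directory(directory, ioc_hashes):
    """Map each file in `directory` whose SHA256 is in `ioc_hashes` to that hash."""
    matches = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            digest = sha256_of(path)
            if digest in ioc_hashes:
                matches[path.name] = digest
    return matches


def demo():
    """Run the whole flow on constructed input; returns (stats, matches)."""
    entries = parse_summary(SUMMARY_TEXT)
    stats = detection_stats(entries)
    iocs = {sha for sha, _, _ in entries}
    # Constructed quarantine folder: one stand-in "attachment" whose hash is
    # added to the IoC set locally (demo assumption, not a hash from the blog)
    # and one harmless file that must not match.
    with tempfile.TemporaryDirectory() as quarantine:
        bad = Path(quarantine) / "invoice.doc"
        bad.write_bytes(b"constructed stand-in for a macro document")
        (Path(quarantine) / "notes.txt").write_bytes(b"nothing to see here")
        iocs.add(sha256_of(bad))
        matches = match_directory(quarantine, iocs)
    return stats, matches


if __name__ == "__main__":
    stats, matches = demo()
    print("detection rate over %d samples: min %.1f%%, median %.1f%%, max %.1f%%"
          % (stats["samples"], 100 * stats["min"], 100 * stats["median"], 100 * stats["max"]))
    for name, digest in matches.items():
        print("IoC match: %s %s" % (name, digest))
```

The parser deliberately pairs a URL only with the `detection:` line immediately before it, so a stray URL or a missing count never produces a made-up rate; for real use, point `match_directory` at a mail-gateway quarantine folder and feed it the hashes from a post like this one.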


Cheers,

Steve
Sanesecurity.com

Abcam Despatch [CCE5303255] macro malware

Description:


Abcam Despatch [CCE5303255] macro malware.

Headers:

From: orders@abcam.com
Subject: Abcam Despatch [CCE5303255]

Message Body:

Dear customer
The confirmation invoice for order 1366976 is attached.

Please let me know if you need any other paperwork.



Best regards,
Nimisha

Nimisha Patel
Marketing Assistant
Abcam plc
www.abcam.com
Attachment filename(s):

invoice_1366976_08-01-13.xls

Sha256 Hashes:

8f2ad887047b224900e7cfe4527d907d47b50d64fe507c95a031c6ee3ee58d81 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection ?/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.XlsM.003


Cheers,
Steve

IMPORTANT! U.S. Treasury Department FEDERAL RESERVE BANK

Description:


IMPORTANT! U.S. Treasury Department FEDERAL RESERVE BANK macro malware.

Headers:

From: "FEDERAL RESERVE BANK" {administration@federalreserve.com}
Subject: IMPORTANT! U.S. Treasury Department.

Message Body:

Important:
You are getting this letter in connection with new directive No. 172390635 issued by U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC). The directive concerns U.S. Federal Wire and ACH online payments.
We regret to inform you that from 11/24/2015 till 11/27/2015 definite restrictions will be applied to all Federal Wire and ACH online transactions.
It's essential to know all the restrictions and the list of affected institutions. The process of working with online transactions is mostly very tense, so it's possible to overlook the applied restrictions, that may be very important for you.
More detailed information regarding the affected institutions and U.S. Treasury Department restrictions is contained in the attached document.
Federal Reserve Bank System Administration
Attachment filename(s):

juniorbeco_06711D233A9.xls

Sha256 Hashes:

dd512875c5fc3a1040b7aaf7493274ee66573c118e536f0863ff3dc888a2eeb5 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection ?/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.XlsM.003


Cheers,
Steve

Melissa O'Neill Scan as requested newhopecare.co.uk

Description:


Melissa O'Neill Scan as requested newhopecare.co.uk macro malware.

Headers:

From: "Melissa O'Neill" {adminoldbury@newhopecare.co.uk}
Subject: Scan as requested

Message Body:

Regards

Paulette Riley
Administrator
New Hope Specialist Care Ltd
126 Brook Road
Oldbury
West Midlands
B68 8AE
tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104

* PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL *
 
 
 
This is an email from New Hope Specialst Care Ltd. The information contained within this message is 
intended for the addressee only and may contain confidential and/or privilege information. If you are not
 the intended recipient you may not peruse, use, disseminate, distribute or copy this message. 
If you have received this message in error please notify the sender immediately by email or telephone 
and either return or destroy the original message. New Hope Specialsit Care Ltd accept no responsibility
 for any changes made to this message after it has been sent by the original author. The views contained
 herein do not necessarily represent the views of New Hope Specialist Care Ltd This email or any of its
 attachments may contain data that falls within the scope of the Data Protection Acts. You must ensure
 that handling or processing of such data by you is fully compliant with the terms and provisions of the 
Data Protection Act 1984 and 1988

Attachment filename(s):

20151009144829748.doc

Sha256 Hashes:

eedcabef646f97e4195f4ab5b6d52286be283af9bc09533707916b5c09c36df1 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Wsc.New


Cheers,
Steve

Monday, 23 November 2015

UKMail 988271023 tracking information malware 988271023-PRCL.doc

Description:


UKMail 988271023 tracking information 988271023-PRCL.doc macro malware.

Headers:

From: no-reply@ukmail.com
Subject: UKMail 988271023 tracking information

Message Body:

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

Attachment filename(s):

988271023-PRCL.doc

Sha256 Hashes:

6603200a923e20ed9e2775eabbb518d6e33d0ccf3dfc4c2d409e259e2fcd41b4 [1]
8e2d48a763b0fdfa61a2af12b69a6babe859c4c6347211c6e43f52b5236a914e [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)
VirusTotal Report: [2] (detection 4/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003


Cheers,
Steve

Employee Documents Internal Use Employee Documents(1928).xls

Description:


Employee Documents Internal Use Employee Documents(1928).xls macro malware.

Headers:

From: HR@
Subject: Employee Documents Internal Use

Message Body:

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: [Link removed]

???????????????????????????
This message may contain information that is privileged and confidential.
If you received this transmission in error, please notify the sender by reply
email and delete the message and any attachments.

Attachment filename(s):

Employee Documents(1928).xls

Sha256 Hashes:

319f8860a2f3fd2ca3be7a94795e75aa78e3f8fb92bc16e03be6f424323d7960 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003


Cheers,
Steve

Friday, 20 November 2015

tracey.beedles@eurocarparts.com Reprint Document archive pmB3A6.doc

Description:


tracey.beedles@eurocarparts.com Reprint Document archive pmB3A6.doc macro malware.

Headers:

From: tracey.beedles@eurocarparts.com
To: enquiries@newburydata.co.uk
Subject: Reprint Document archive

Message Body:

Attached is a Print Manager form.
Format = Word Document Format File (DOC)

Attachment filename(s):

pmB3A6.doc

Sha256 Hashes:

67f9ffa67510de96027dcc3b87a304700038460c125ba0bb005abbdb7a5ac07a [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Wsc.New


Cheers,
Steve

Jean Pierre Kibungu 0150363108788101_02416060_1.xls

Description:


Jean Pierre Kibungu 0150363108788101_02416060_1.xls macro malware.

Headers:

Subject: 0150363108788101_02416060_1.xls
From: Jean Pierre Kibungu {jpie.kibungu@

Message Body:

Please find attached the swift of the transfer of $30000.

Kind regards
Jean Pierre Kibungu

Attachment filename(s):

0150363108788101_02416060_1.xls

Sha256 Hashes:

faa956e81d835ed3f50f67a2d32e1151a74780d2f21033f6b146f95a1a98e5ce [1]
e9d4132e9e99e946d8805a824a61f9a624aa0ffc26c2aa5b5a7383edee0a2043 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)
VirusTotal Report: [2] (detection 4/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003


Cheers,
Steve

Thursday, 19 November 2015

Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]

Description:


Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118] The Postcode Anywhere Team EDMUN11118_181859.xls macro malware.

Headers:

From: support@postcodeanywhere.com
Subject: Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]

Message Body:


Thanks for your order!

Your payment was successfully processed and £120.00 was debited from your Visa card on 19 November 2015 (authorisation code: AUTH CODE:008018).. Thank you for your business, we appreciate it. Please find your VAT receipt attached for your records. Please retain this in case of any queries.


Your service is ready to use.

Account balance topped up: £100.00 credit added
Kind Regards
The Postcode Anywhere Team
For help and support call:
Support: 0800 047 0493
Sales: 0800 047 0495
International: +44 1905 888 550





Attachment filename(s):


EDMUN11118_181859.xls

Sha256 Hashes:

3e8698c52b6469a78b34a45d504e75beb866c2ccd3a273eb116a0bd342ecc5cb [1]
c9156e6e1b42cd070d4b962082c6bbeaef03992458ae85cb3a277866d2402897 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 7/55)
VirusTotal Report: [2] (detection 7/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003




Cheers,
Steve

Your Google invoice is ready billing-noreply@google.com 1630884720.doc

Description:


Your Google invoice is ready billing-noreply@google.com 1630884720.doc macro malware.

Headers:

From: {billing-noreply@google.com}
Subject: Your Google invoice is ready

Message Body:

Attached to this email, please find the following invoice:

Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806


Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@google.com.

Yours Sincerely,
The Google Billing Team


--------------------------
Billing ID: 0349-7974-3806

Attachment filename(s):


1630884720.doc

Sha256 Hashes:

cb871f369af456832fde855b437d109a5eb4885281dde26dd80cb73db4a223db [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 3/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Wsc.New




Cheers,
Steve

[Shipping notification] N8432023 (PB UK) cevalogistics.com shipping-notification.xls

Description:


[Shipping notification] N8432023 (PB UK) cevalogistics.com shipping-notification.xls macro malware.

Headers:

From: noreply@cevalogistics.com
Subject: [Shipping notification] N8432023 (PB UK)

Message Body:

Attachment: [shipping-notification.xls]

Attachment filename(s):


shipping-notification.xls

Sha256 Hashes:

81b0a8b532bab56d3b2103450157ac90d93fa43af4b505b27bdd2bc0299a960b [1]
f8f6572a592f40a0b1a0c126fc2d4cb45b9cafaf0ccda76b0dfe940e7355531b [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)
VirusTotal Report: [2] (detection 2/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003




Cheers,
Steve

Wednesday, 18 November 2015

Receipt mike@xencourier.co.uk scan0001.xls

Description:


Receipt mike@xencourier.co.uk scan0001.xls macro malware.

Headers:

From: "Mike " {mike@xencourier.co.uk}
Subject: Receipt

Message Body:

Hi

Here is your credit card receipt attached. VAT invoice to follw in due course.

Best regards

Mike

Attachment filename(s):


scan0001.xls

Sha256 Hashes:


26506a03b76c6244df28db631f94dfd145753431adff482083223146ecb1f91b [1]
896f7757550e1fbbe3aa85d03a6433cfd90b33084e57f3d9053a97e4976ead87 [2]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)
VirusTotal Report: [2] (detection 5/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003




Cheers,
Steve