Thursday, 17 December 2015

Required your attention JavaScript malware.

Description:

Required your attention JavaScript malware. This is suspected to download the TeslaCrypt ransomware.

Headers:


Subject: Required your attention

Message Body:

Dear Partner,

As per your request, we have made special prices for you, which leave us only a very small margin.

Kindly find attached the prices with your personal discount, and if you need anything else, don't hesitate to contact us.

Our best wishes, The sales team


Attachment filename(s):

SCAN_PRICES_88647857.zip

Inside Attachment filename(s):


invoice_2h04qd.js

Sha256 Hashes:


026727700e7004fd9e73f2873d561a98220a91059be608db908e0afe85b4e834 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 8/53)

Sanesecurity Signature detection(s):


phish.ndb: Sanesecurity.Malware.25915.JsHeur
foxhole_filename.cdb: Sanesecurity.Foxhole.Zip_fn39 & Sanesecurity.Foxhole.Zip_fn40

JavaScript decoded (Snakelabs)

https://t.co/B3LNHpkD68

Important notes:

Am I Safe?

The current round of Word/Excel/XML/Docm attachments is targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and BlackBerry phones/tablets that open these attachments will be safe. LibreOffice and OpenOffice users should also be safe, but do not enable macros if asked to by the attached file.

If you have macros disabled in Microsoft Word or Microsoft Excel, you should be safe but, again,
do not enable macros if asked to by the attached file.

The post above is a different case: the attachment is a zipped .js file, not an Office document, so there is no macro to disable. On Windows, double-clicking a .js file hands it straight to Windows Script Host (wscript.exe), which runs it and lets it download and launch the real payload (suspected TeslaCrypt ransomware for this sample). Treat script files (.js, .jse, .vbs, .wsf) inside zipped "invoices" or "price lists" as malicious and block them at the mail gateway.

However, if you are a Mac/iPhone/iPad, Android or BlackBerry user and forward the message to a Windows user, you will put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts by
key logging, taking screenshots or copying information directly from your clipboard (copy/paste). Some of the samples on this page are instead suspected to download the TeslaCrypt ransomware, as noted in their descriptions.


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve
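The two detection ideas that recur on this page, the Foxhole filename signatures that flag a script inside a zipped "invoice" and the Badmacro signatures that flag VBA in Office attachments, can be approximated as a gateway triage step. The script below is an added example written for this page; it is not Sanesecurity's signature logic or ClamAV code. The SHA-256 set is copied from the hashes listed on this page, while the extension list, the raw-byte `_VBA_PROJECT` heuristic for legacy .doc/.xls files, the `vbaProject.bin` check for OOXML and the size guard are my own choices. The zip it builds under `__main__` is a constructed stand-in, not the real SCAN_PRICES_88647857.zip.

```python
import hashlib
import io
import posixpath
import zipfile

# SHA-256 hashes of two samples listed on this page: the "Required your attention" zip
# and the "12/16 A Invoice" .doc. Extend from the other posts as needed.
KNOWN_BAD_SHA256 = {
    "026727700e7004fd9e73f2873d561a98220a91059be608db908e0afe85b4e834",
    "058f6e252ee53e9dc6740d41d63dc7b923596e295b5249d2c8b97c63db8f86c9",
}

# Windows executes these directly on double-click (Windows Script Host, mshta or the
# shell). None of them belong inside a zipped "invoice" or "price list". (My list.)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names in an OLE2 (legacy .doc/.xls) file are stored as UTF-16LE.
# Word keeps VBA under "Macros/_VBA_PROJECT_CUR", Excel under "_VBA_PROJECT"; a raw
# scan for the shared substring is a cheap heuristic that macros are present.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _ext(name: str) -> str:
    return posixpath.splitext(posixpath.basename(name).lower())[1]


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons this attachment should be quarantined (empty list = nothing found)."""
    findings = []
    digest = sha256_hex(data)
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"{filename}: sha256 {digest} matches a known sample")

    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"{filename}: script/executable extension {ext}")

    if data.startswith(OLE2_MAGIC) and VBA_MARKER in data:
        findings.append(f"{filename}: OLE2 document contains a VBA project (macros)")

    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" in names:
                # OOXML (.docx/.docm/.xlsx/.xlsm) is itself a zip; macros live in vbaProject.bin.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    findings.append(f"{filename}: OOXML document carries vbaProject.bin (macros)")
            elif depth < 2:
                for info in zf.infolist():
                    inner = f"{filename}!{info.filename}"
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Encrypted member: a scanner cannot look inside either, so flag it.
                        findings.append(f"{inner}: encrypted zip member, cannot inspect")
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{inner}: member too large to inflate ({info.file_size} bytes)")
                        continue
                    # Recurse so a .js or macro .doc inside the zip gets the same checks.
                    findings.extend(triage_attachment(inner, zf.read(info), depth + 1))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test fixture: a zip with the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for SCAN_PRICES_88647857.zip -> invoice_2h04qd.js (not the real sample).
    sample = build_sample_zip({"invoice_2h04qd.js": b"var sh = new ActiveXObject('WScript.Shell');"})
    for reason in triage_attachment("SCAN_PRICES_88647857.zip", sample):
        print("BLOCK:", reason)
```

The hash match only catches the exact files already seen, which is why the structural checks matter more: the VirusTotal counts on this page (0/55 and 1/55 for fresh .doc samples) show how little a hash or signature lookup helps on day one. The `_VBA_PROJECT` scan says only that macros are present, not that they are malicious, so it belongs in a policy like "quarantine macro documents from external senders" rather than in an alert on its own.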

12/16 A Invoice macro malware

Description:


12/16 A Invoice macro malware

Headers:



Subject: 12/16 A Invoice

Message Body:

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Frieda Workman
Attachment filename(s):

invoice47088445.doc

Sha256 Hashes:



058f6e252ee53e9dc6740d41d63dc7b923596e295b5249d2c8b97c63db8f86c9 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 0/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Xls.Wshell.G




Cheers,
Steve

Your eReceipt Currys PC World e-Receipt.doc macro malware

Description:


Your eReceipt Currys PC World e-Receipt.doc macro malware.

Headers:


From: Currys PC World {noreply_stores@currys.co.uk}
Subject: Your eReceipt

Message Body:

Currys PC World
Thank you.
Thank you for your purchase from Currys PC World.
Your e-receipt is attached for your records.
We understand that sometimes products need to be returned. You can either return it to your nearest store or call 0344 561 1234 from the UK or 1890 400 001 from the Republic of Ireland to speak to our customer services team to discuss a refund or exchange. Please have your e-receipt number to hand to speed up the process.

Some email mobile apps don't always show attachments. If you can't see the attachment, simply forward this email to another email address to view and save.

Thank you once again from everyone at Currys PC World.

Attachment filename(s):

e-Receipt.doc

Sha256 Hashes:


1e1f7dc3178662a5e650526a6ff5f7bde3004b223944ed4fd77b2904ef9cd466 [1]
3f589bbd3f026565edc86ba62e911ab06c32ff9f7e33bd9d326065df24d115ab [2]
51a3db531afb715f2cdc8fb677214cb7884089af173859a738d2a8bd6d720cc4 [3]
6918ff515957badf4115884938593f02a517b1dc6b145fe5ebf564d6230025e6 [4]
a7c3fdbaf5e1d425d207deba253d893234077a725e7a86018e989256973cdd32 [5]
c7b193255871ed4bef744a9afb252d020f2991f6e3e217bb0e0d19413dbbfbfa [6]

Malware Virus Scanner Report(s):

VirusTotal Report: [5] (detection 3/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Xls.Wshell.G




Cheers,
Steve

Wednesday, 16 December 2015

Your account has a debt and is past due

Description:


Your account has a debt and is past due macro malware. This is suspected to download the TeslaCrypt ransomware.

Headers:


Subject: Your account has a debt and is past due

Message Body:

Dear Customer,

Our records show that your account has a debt of $508.{rand(10,99)}}. Previous attempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.


Attachment filename(s):

invoice_46738873_copy.doc

Sha256 Hashes:


37a2a137a91eab96ff0876892e5c498814ed53d118fc30f5534737993324cfd0 [1]
ff0f08fc470b4ef4fc82b3c9844134c871aa23d5dcd02f24bee532145545fccf [2]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)
VirusTotal Report: [2] (detection 1/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.strv




Cheers,
Steve

Unpaid Invoice from Staples Inc., Ref. 42652370, Urgent Notice

Description:

Unpaid Invoice from Staples Inc., Ref. 42652370, Urgent Notice macro malware.

Headers:


Subject: Unpaid Invoice from Staples Inc., Ref. 42652370, Urgent Notice

Message Body:

Dear Valued Customer,

This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $175,40 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.

Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.


Regards,
Jeanine Castro
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216


Attachment filename(s):

invoice_42652370_copy.doc

Sha256 Hashes:


37a2a137a91eab96ff0876892e5c498814ed53d118fc30f5534737993324cfd0 [1]
ff0f08fc470b4ef4fc82b3c9844134c871aa23d5dcd02f24bee532145545fccf [2]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)
VirusTotal Report: [2] (detection 1/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Doc.hyper




Cheers,
Steve

Sharon Samuels Invoice No. 81688

Description:

Sharon Samuels Invoice No. 81688 macro malware.

Headers:

From: "Sharon Samuels" {sharons936@brunel-promotions.co.uk}
Subject: Invoice No. 81688

Message Body:

  Good morning

Please find attached your latest invoice, for your attention.

Please be advised that your goods have been despatched for delivery.

Regards

Sharon


--------------------------------------------
Calendars and Diaries of Bristol Limited
Hope Road
Bedminster

BRISTOL
Bristol
BS3 3NZ
United Kingdom
Tel:01179636161
Fax:01179664235

Attachment filename(s):

IN81688.xls

Sha256 Hashes:


3022caeffabdcbcd6d7d84ad24a1b7f17aedfffe3c743751dc88445c07566852 [1]
54a00046f9841e947c3a146c240923563408f70bb5958dd091eeaddf3adf1635 [2]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)
VirusTotal Report: [2] (detection 4/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.XlsM.003




Cheers,
Steve

Jonathan Carroll Documentation: Your Order Ref: SGM249/013

Description:

Jonathan Carroll Documentation: Your Order Ref: SGM249/013 macro malware.

Headers:

From: Jonathan Carroll {Jonathan@john-s-shackleton.co.uk}
Subject: Documentation: Your Order Ref: SGM249/013

Message Body:

Your Order: SGM249/013
Our Order: 345522
Advice Note: 355187
Despatch Date: 22/12/15

Attachments:
s547369.DOC Shackleton Invoice Number 355187


4 Downgate Drive
Sheffield
S4 8BU

Tel: 0114 244 4767
Fax: 0114 242 5965


Attachment filename(s):


s547369.DOC

Sha256 Hashes:


46c8cad66fe31ad93727a2d96f66d4ce4627f1484e850509eddd9fcc6455527d [1]
a3d10e08999093b212be81c3294c0e4dbb90a9a5783179c1158b6fe20af15ed2 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)
VirusTotal Report: [2] (detection 4/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj




Cheers,
Steve

Samantha Morgan Barrett Steel Services Ltd Your e-Invoice(s) from

Description:

Samantha Morgan, Barrett Steel Services Ltd, "Your e-Invoice(s) from Barrett Steel Services Ltd" macro malware.

Headers:

From: samantha.morgan@barrettsteel.com
Subject: Your e-Invoice(s) from Barrett Steel Services Ltd

Message Body:


Dear Customer,

Please find attached your latest Invoice(s).

Kind Regards,
Samantha Morgan,
Barrett Steel Services Ltd,

Phone: 01274654248
Email: samantha.morgan@barrettsteel.com


PS
Have you considered paying by BACS ?  Our details can be found on the attached invoice.

Please reply to this email if you have any queries.


You can use the link below to perform an Experian credit check.

http://www.experian.co.uk/business-check/landing-page/barrett-steel.html?utm_source=BarrettSteel&utm_medium=Banner&utm_campaign=BusinessCheckBS

Samantha Morgan
Credit Controller
              
Tel: 01274 654248 |  | Fax: 01274 654253
Email: Samantha.Morgan@Barrettsteel.com | Web: www.barrettsteel.com

Attachment filename(s):


e-Invoice Barrett Steel Services Ltd.doc

Sha256 Hashes:


46c8cad66fe31ad93727a2d96f66d4ce4627f1484e850509eddd9fcc6455527d [1]
a3d10e08999093b212be81c3294c0e4dbb90a9a5783179c1158b6fe20af15ed2 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)
VirusTotal Report: [2] (detection 4/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj




Cheers,
Steve

Tuesday, 15 December 2015

Reservations Invoice for Voucher ACH-2-197701-35 affordablecarhire

Description:


Reservations Invoice for Voucher ACH-2-197701-35 affordablecarhire macro malware.

Headers:

From: Reservations 
Subject: Invoice for Voucher ACH-2-197701-35

Message Body:


Affordable Car Hire
     
Payment Link For BookingACH-2-197701-35
 
 
Please find attached your invoice for reservation number ACH-2-197701-35
 

 
This email was sent on 14/12/2015 at 16:25

Attachment filename(s):


ACH-2-197701-35-invoice.xls

Sha256 Hashes:

387a4cd7950332ac59a134359b61de78be30cc3076f45f7599c9ab8b9f533af7 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Xls.Wshell.G




Cheers,
Steve

Nicola Hogg Order PS007XX20000584 Confirmation with Photos

Description:


Nicola Hogg Order PS007XX20000584 Confirmation with Photos macro malware.

Headers:

From: Nicola Hogg {NHogg@pettywood.co.uk}
Subject: Order PS007XX20000584

Message Body:


Attachment: [PS007XX20000584 - Confirmation with Photos.DOC]

Attachment filename(s):


PS007XX20000584 - Confirmation with Photos.DOC

Sha256 Hashes:

c280bae137e703d9492581bbd5d180fd6431a06c9b48cfef8a64e621bfa9903d [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj




Cheers,
Steve

Reference Number # Notice of Unpaid Invoice

Description:


Reference Number # Notice of Unpaid Invoice invoice_59928779_scan.doc macro malware.

Headers:

Subject: Reference Number #59928779, Notice of Unpaid Invoice

Message Body:


Dear Valued Customer,

It seems that your account has a past due balance of $268,63. Previous attempts to collect the outstanding amount have failed.

Please remit $268,63 from invoice #59928779 within three days or your account will be closed, any outstanding orders will be cancelled and this matter will be referred to a collection agency.

The payment notice is enclosed to the letter down below.

Attachment filename(s):


invoice_59928779_scan.doc

Sha256 Hashes:

1cfd5890006c047ef571119325b2642b2b3d349645b7f6a287adf05fd75981ea [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj




Cheers,
Steve

Monday, 14 December 2015

Invoice 15069447 from Cleansing Service Group accounts@csg.co.uk 15069447.doc

Description:


Invoice 15069447 from Cleansing Service Group accounts@csg.co.uk 15069447.doc macro malware.

Headers:

From: CSG {accounts@csg.co.uk}
Subject: Invoice 15069447 from Cleansing Service Group

Message Body:


 Please see attached invoice from Cleansing Service Group.
 Any queries please do not hesitate to contact us.

 Cleansing Service Group
 Chartwell House
 5 Barnes Wallis Road
 Segensworth East
 Fareham
 Hampshire
 PO15 5TT
 Tel: 01489 776312
 Fax: 01489 881369
 E-mail: accounts@csg.co.uk
 Web: www.csg.co.uk

Attachment filename(s):


15069447.doc

Sha256 Hashes:

8ba640a663d4202b321f1d37a1748f62c4181595d74d1d1c4aee71288b341192 [1]
d556a95fd234088ac0319d1e15674db729784c06980ca2e362e8ce08c2767ac7 [2]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 7/55)
VirusTotal Report: [2] (detection 7/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj




Cheers,
Steve

THUNDERBOLTS LIMITED Invoice 14 12 15

Description:


THUNDERBOLTS LIMITED Invoice 14 12 15 fax00163721.xls macro malware.

Headers:

From: "THUNDERBOLTS LIMITED" {enquiries@thunderbolts.co.uk}
Subject: Invoice 14 12 15

Message Body:


This message contains 2 pages in PDF format.

Attachment filename(s):


fax00163721.xls

Sha256 Hashes:

ee2aef690cce4b6d61b3ae429e307527da893e4898dd421ed72a5fd3110a5296 [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj




Cheers,
Steve

Gareth Evans Scan from a Samsung MFP cardiffgalvanizers

Description:


Gareth Evans Scan from a Samsung MFP cardiffgalvanizers macro malware.

Headers:

From: "Gareth Evans" {gareth@cardiffgalvanizers.co.uk}
Subject: FW: Scan from a Samsung MFP

Message Body:


Regards

Gareth

-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.


This message has been scanned for malware by Websense. www.websense.com

Attachment filename(s):


Untitled_14102015_154510.doc

Sha256 Hashes:

33fee8120dc8e45b20dd17060ed941a9b90142d9254a2ec5ec89196015f6380a [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 6/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.CreObj

Cheers,
Steve

Monday, 7 December 2015

Payment Advice For Vendor0000113915 macro malware.

Description:


Payment Advice For Vendor0000113915 macro malware.

Headers:

From: {LBRichmondRemittance@richmond.gov.uk}
Subject: Payment Advice For Vendor0000113915
Message Body:

The London Borough of Richmond upon Thames Accounts Payable team, are pleased to announce we can now e-mail your remittance advice.

Please find attached a remittance advice for a payment you will receive in the next 2 working days.

If this is not the preferred email address you wish to receive remittance advises, please could you
email accounts.payable@richmond.gov.uk quoting your vendor number (found on remittance
attached) and details of your preferred email address so we can update our records.

Please Note
Remittances sent from LB Richmond Remittance will include payments made on behalf of:
Achieving for Children
LBRuT Local Authority
LBRuT Pension Fund
SW Middlesex Crematorium Board

If you have received this message in error you must not print, copy, use or disclose the contents, but must delete it from your system and inform the sender of the error. You should be aware that all emails received and sent by the London Borough of Richmond upon Thames may be stored or monitored, or disclosed to authorised third parties, in accordance with relevant legislation.

Attachment filename(s):


Payment Advice For Vendor0000113915.DOC

Sha256 Hashes:

557dfab57c2fc5b29977910a09a366cd4471a5414171570ff720d569f3b9532f [1]
654223c0502a7b3d5a83308496b6477d1106953f129f5c76d7b2bb35ad00963f [2]
c986e9050167cb065a3aca5db5ffad81a582236e5fc5f2b28cbacd13c8e25c18 [3]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 7/55)
VirusTotal Report: [2] (detection 7/55)
VirusTotal Report: [3] (detection 7/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.Doc.xmlht2

Cheers,
Steve

Your receipt from Apple Store, Manchester Arndale macro malware

Description:


Your receipt from Apple Store, Manchester Arndale macro malware

Headers:

From: manchesterarndale@apple.com
Subject: Your receipt from Apple Store, Manchester Arndale
Message Body:

Thank you for shopping at the Apple Store.

To tell us about your experience, click here.

Attachment filename(s):


emailreceipt_20150130R2155644709.xls

Sha256 Hashes:

289791a491a5b13674291a627c34664db21f7f66268cf5841176eaa1d2a5c096 [1]
47155456520df69ca740b541c4791af489adf9a695ad7c9b5cd850ef745b7067 [2]
7d3cde6c92562a2ef510957f57b6f89deee72c09e4a67781878e61dace42351c [3]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 6/55)
VirusTotal Report: [2] (detection 6/55)
VirusTotal Report: [3] (detection 6/55)

Sanesecurity Signature detection:


badmacro.ndb: Sanesecurity.Badmacro.XlsM.003

Cheers,
Steve