Friday, 12 February 2016

DVSA RECEIPT Fixed Penalty Receipt.docm macro malware.

Description:


DVSA RECEIPT Fixed Penalty Receipt.docm macro malware.

Headers:


From: FPO.CC.16@vosa.gsi.gov.uk
Subject: DVSA RECEIPT

Message Body:

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

Attachment filename(s):


Fixed Penalty Receipt.docm

Sha256 Hashes:


0dda0877471ac5db18ae6fd73bb18631217c3523a62ac98014dbd0327b7fde4c [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 3/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Xls.Wshell.G

Important notes:


Am I Safe?

The current round of Word/Excel/XML/Docm attachments are targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe. LibreOffice and OpenOffice users should also be safe, but do not enable macros if asked to by the attached file.

If you have macros disabled in Microsoft Word or Microsoft Excel, you should be safe, but again,
do not enable macros if asked to by the attached file.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information for your bank accounts, either by
key logging, taking screenshots or copying information directly from your clipboard (copy/paste).


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.
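A defender-side attachment triage check for the lures catalogued on this page, added here as an example and not part of the original posts. It takes the attachment names from the posts (`Fixed Penalty Receipt.docm`, `596968702143.tiff.js`) with constructed file contents, flags macro-capable Office and Windows Script Host extensions, double extensions and, for OOXML files, the presence of `vbaProject.bin`, and matches SHA256 against two of the hashes quoted above; the zip bodies it builds are stand-ins, not real samples.

```python
import hashlib
import io
import zipfile

# SHA256 values quoted in the posts above: the Fixed Penalty Receipt.docm
# sample and the first Imexpart imex.prcl.I806015.doc sample.
KNOWN_BAD_SHA256 = {
    "0dda0877471ac5db18ae6fd73bb18631217c3523a62ac98014dbd0327b7fde4c",
    "614d73dbe1e450758dc4603b7496ced4624fcdf96b490260ddda3f2c65dd3c8d",
}

# Office types that can carry VBA macros (binary .doc/.xls always can; the
# OOXML variants only in their macro-enabled "m"/"b" flavours).
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "docm", "dotm", "xlsm", "xlsb"}
OOXML_MACRO = {"docm", "dotm", "xlsm", "xlsb"}
# Extensions that Windows hands straight to the Windows Script Host.
SCRIPT_HOST = {"js", "jse", "vbs", "vbe", "wsf"}


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML files are zip containers; a VBA project is stored as
    word/vbaProject.bin or xl/vbaProject.bin.  Binary .doc/.xls (OLE2)
    need an OLE parser such as olefile and are not inspected here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: 'quarantine' with the reasons
    that fired, or 'allow' when none of the checks fire."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    digest = hashlib.sha256(data).hexdigest()
    reasons = []
    if digest in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches a sample from the posts")
    if len(parts) > 2:                      # e.g. 596968702143.tiff.js
        reasons.append("double extension hides the real type")
    if ext in SCRIPT_HOST:
        reasons.append("runs under Windows Script Host on double-click")
    if ext in MACRO_CAPABLE:
        reasons.append("macro-capable Office type")
        if ext in OOXML_MACRO and ooxml_has_vba(data):
            reasons.append("contains vbaProject.bin")
    return {
        "file": filename,
        "sha256": digest,
        "verdict": "quarantine" if reasons else "allow",
        "reasons": reasons,
    }


def make_docm(with_vba: bool) -> bytes:
    """Constructed stand-in for a .docm: a minimal zip with OOXML part
    names, optionally including a dummy VBA project.  Not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0dummy")
    return buf.getvalue()


if __name__ == "__main__":
    # Filenames are taken from the posts above; contents are constructed.
    samples = [
        ("Fixed Penalty Receipt.docm", make_docm(with_vba=True)),
        ("596968702143.tiff.js", b"var a = 1;"),
        ("notes.docx", make_docm(with_vba=False)),
    ]
    for name, blob in samples:
        r = triage(name, blob)
        print(f"{r['verdict']:10} {name}: {', '.join(r['reasons']) or 'no findings'}")
```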



Cheers,
Steve

Wednesday, 10 February 2016

Remittance advice from Sky Group: Account No. 437786 macro malware.

Description:


Remittance advice from Sky Group: Account No. 437786 macro malware.

Headers:


Subject: Remittance advice from Sky Group: Account No. 437786

Message Body:

From: AccountsPayable-Ariba@sky.uk [mailto:AccountsPayable-Ariba@sky.uk]
Sent: 02 February 2016 23:14
To: Accounts Department
Subject: Remittance advice from Sky Group: Account No. 841479

PLEASE DO NOT RESPOND TO THIS EMAIL, THIS MAILBOX IS NOT MONITORED
Please find attached the payment advice from the Sky Group.
Please note that payments can take up to three days to clear into your bank account, dependent on payment method.
Should you need to contact Accounts Payable at SKY, contact details are below. Please note that we operate via a helpdesk system, once you have emailed the team, you will be advised of a unique Service Request (SR) number which will allow you to track updates on your request. Please respond directly to these emails to ensure all the information is attached to your query and we can assist you.
Office Hours are: Mon - Fri 8:30am - 5pm
Accounts Payable:
Email APhelpdesk@sky.uk or alternatively please telephone 0333 100 1212 and select option 4.

Attachment filename(s):


Remittance_CoNo89995_AccNo437786_PaymentNo1588511.DOC

Sha256 Hashes:


08ab1d20c74e1a8cac98b180eb63f122e820af2715ae40e0d6e6f00792c1b4a9 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25962.XmlHeurGen




Cheers,
Steve

Tuesday, 9 February 2016

aldridgesecurity Accounts document2016-02-09-103153.doc

Description:


aldridgesecurity Accounts document2016-02-09-103153.doc malware.

Headers:

From: {accounts_do_not_reply@aldridgesecurity.co.uk}

Message Body:

Accounts


Attachment filename(s):


document2016-02-09-103153.doc

Sha256 Hashes:

daa0816967567ca402adc2c754c8f716c376defa423fd1a9ff4a64ed2a6f9303 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.HttpSha.New




Cheers,
Steve

Angela Sherman In Associates. statement malware.

Description:


Angela Sherman In Associates. statement malware.

Headers:

From: "Angela Sherman" {k.kikuchi@fujishojikk.co.jp}
Subject: In Associates. statement

Message Body:

Please review attached the statement

Kind regards
In Associates
Angela Sherman

Attachment filename(s):


1K5G7W7BV0.doc

Sha256 Hashes:


17fe083def58b7a99a223db58cc9f4ce3509af6ab16afa511877e09eef4e9876 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Doc.shellv3




Cheers,
Steve

Kyra Haley Dictum Corp.: invoice

Description:


Kyra Haley  Dictum Corp.: invoice malware.

Headers:

From: "Kyra Haley" {press@sanzpont.com}
Subject: Dictum Corp.: invoice

Message Body:

Please find attached the invoice

Thanks
Dictum Corp.
Kyra Haley

Attachment filename(s):


1W14I9390Y9.doc

Sha256 Hashes:


17fe083def58b7a99a223db58cc9f4ce3509af6ab16afa511877e09eef4e9876 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Doc.shellv3




Cheers,
Steve

Monday, 8 February 2016

crosswater Accounts Documentation - Invoices

Description:


crosswater Accounts Documentation - Invoices javascript malware.

Headers:

From: {CreditControl@crosswater.co.uk}
Subject: Accounts Documentation - Invoices

Message Body:

Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.

If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:

Accounts@crosswater-holdings.co.uk

or call us on 0845 873 8840

Please do not reply to this E-mail as this is a forwarding address only.

Attachment filename(s):


~13190.js

Sha256 Hashes:

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25968.JsHeur




Cheers,
Steve

Delivery Note from Edgar's Water DOC2105685 Lizzie.Writer

Description:


Delivery Note from Edgar's Water DOC2105685 Lizzie.Writer javascript malware.

Headers:

From: {Lizzie.Writer@edgarswater.co.uk}
Subject: Delivery Note from Edgar's Water DOC2105685

Message Body:

Please find attached your latest delivery note from Edgar's Water.
If you have any queries please either email accounts@edgarswater.co.uk or call the accounts department on 01622 834800 Option 4.

Attachment filename(s):


DELIVERYNOTE_CHAR009B_44_55782.JS

Sha256 Hashes:

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25968.JsHeur




Cheers,
Steve

Scanned file from Optivet Referrals .tiff.js javascript malware

Description:


Scanned file from Optivet Referrals .tiff.js javascript malware.

Headers:

From: Optivet Referrals
Subject: Scanned file from Optivet Referrals

Message Body:

Dear Sir/Madam

Please find attached a document from Optivet Referrals.

Yours faithfully

The Reception Team at Optivet.


Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system

Attachment filename(s):


596968702143.tiff.js

Sha256 Hashes:


2ccc322afcc0135500103ff96e4e96b35856855ca309c2883632bcdb4b70f532 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25968.JsHeur




Cheers,
Steve

Thursday, 4 February 2016

Imexpart Limited - Parcels Dispatched imex.prcl.I806015.doc malware

Description:


Imexpart Limited - Parcels Dispatched imex.prcl.I806015.doc malware

Headers:

From: reports@imexpart.com
Subject: Imexpart Limited - Parcels Dispatched

Message Body:

Your Imexpart order I806015 has now been dispatched. Our driver Agency should deliver this to you by 11.50pm. This is subject to traffic and weather conditions.

A Saturday morning delivery service is available* - call for details or visit: www.imexpart.com/delivery/saturday_opening

*Saturday delivery to selected postcodes only.


Regards

Imexpart Limited
Links 31, Willowbridge Way,
Whitwood, Castleford, West Yorkshire,
WF10 5NP, ENGLAND
Registered in England: 1974788
Tel: + 44 (0) 1977 553936
Fax: + 44 (0) 1977 604684
Website: www.imexpart.com

Attachment filename(s):


imex.prcl.I806015.doc

Sha256 Hashes:


614d73dbe1e450758dc4603b7496ced4624fcdf96b490260ddda3f2c65dd3c8d [1]
b8fec4afd947c567dd1e956ad254ea5a895cacc43cdf159dbc7b30db6178ae6e [2]
d7e5db2fc1195f5a9e9eb06d017924bd689e655561158cabb72176a8d9fbbf79 [3]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)
VirusTotal Report: [2] (detection 5/55)
VirusTotal Report: [3] (detection 5/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25086.MacroHeurGen.Al2




Cheers,
Steve

Monday, 1 February 2016

Duration Windows Order Processed. V9568HW.doc

Description:


Duration Windows Order Processed. V9568HW.doc macro malware

Headers:

From: NoReply-Duration Windows {noreply@duration.co.uk}
Subject: Order Processed.

Message Body:

Dear Customer,
Please find details for your order attached as a PDF to this e-mail.
Regards,
Duration Windows
Sales Department

Attachment filename(s):


V9568HW.doc

Sha256 Hashes:


003837a453ab7dd0dda51804f4208b10009dc33a9a909e9689b82a1b993deea1 [1]
66ee53feafb8bd00d44cb5cb002fdf16298fa44d9925d25045ed8a61a2f9ff01 [2]
a9eb20b8bbaf117bb82725139188676c1a89811570c6d71e97a2baa7edc83823 [3]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)
VirusTotal Report: [2] (detection 5/55)
VirusTotal Report: [3] (detection 5/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25086.MacroHeurGen.Al2




Cheers,
Steve