Friday 22 May 2015

Your Invoice IN278577 from Out of Eden

Attachment: Invoice IN278577 (emailed 2015-05-21).doc (macro malware).

These emails aren't from these companies at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real company.
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.


From: "" {}
Subject: Your Invoice IN278577 from Out of Eden

Message Body:
Dear customer,

Thank you for your order. Please find attached a DOC copy of your invoice IN278577 from sales order S391622.

Your order was despatched on 21/05/2015. Please check the order on delivery and report any shortage, damage or discrepancy within 48 hours of receipt of this invoice.

If you would prefer to receive a paper invoice or if this email has been sent to the wrong address, please email or call our Customer Service Team on 017683 72939.

Kind Regards,

Customer Services
Tel: 017683 72939
Please consider the environment before printing this email

Out of Eden Ltd
The UK's Most Popular One-Stop-Shop for Hospitality Products

Home Farm Buildings, Kirkby Stephen.  CA17 4AP
Tel: 01768 372 939 Fax: 01768 372 636
VAT no: 621 2326 86
Reg. in England & Wales - Co. No. 3178081

The information contained in this e-mail is intended only for the personal and confidential use of the designated recipient or recipients named above and may contain confidential or privileged information.  If the reader of this message is not the intended recipient, you are hereby notified that you have received this message in error and that any review, re-transmission, dissemination, distribution, copying, or other use of, or taking of any action in reliance upon this message or any attachments to this message, is strictly prohibited.  If you have received this e-mail message in error, please notify the sender immediately and delete the material from all computers

Invoice IN278577 (emailed 2015-05-21).doc
SHA256 hashes:
bf0a29230533f68ae2aa5bf6725cf8012c9fa937aaaa54c0f73d03b3ea29e55b [1]
7f348f03207df2d6b106449c67b4515c89405b1ebff769ca9a06b8752540b349 [2]
67c9743d34f71a0cece563f93bcc0270dcd0dbe6725dee05fea4f2e7cc9cb298 [3]
a694a80f0870e268de6300b565e65d8273565320aa57b1e70d91060ded260478 [4]
b161889bdad4a9d6eac719329185eef5aaba7910ac7d9bebed72b8437afee4d8 [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 1/57)
VirusTotal Report: [2] (detection 1/57)
VirusTotal Report: [3] (detection 1/57)
VirusTotal Report: [4] (detection 1/57)
VirusTotal Report: [5] (detection 1/57)

Hybrid Analysis Report: [1]
Hybrid Analysis Report: [2]
Hybrid Analysis Report: [3]
Hybrid Analysis Report: [4]
Hybrid Analysis Report: [5]


The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by keylogging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
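The triage a mail administrator would want for a campaign like this is: pull the attachment out of the message, hash it, compare the hash against the SHA256 values published above, and flag Office documents that carry VBA macros even when the hash is new (the VirusTotal detection rate above was 1/57, so hash matching alone is not enough). The script below is an added example written for this post, not code from the original page or from any of the companies named; the message it parses is constructed inline and the attachment is a fake OLE-shaped blob, not the real malware. The macro heuristic is an assumption of this example: it looks for the UTF-16LE stream names that VBA-bearing compound files contain (`_VBA_PROJECT`, `Macros`) and, for ZIP-based OOXML files, for a `vbaProject.bin` entry.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# SHA-256 hashes listed on this page for "Invoice IN278577 (emailed 2015-05-21).doc"
KNOWN_BAD_SHA256 = {
    "bf0a29230533f68ae2aa5bf6725cf8012c9fa937aaaa54c0f73d03b3ea29e55b",
    "7f348f03207df2d6b106449c67b4515c89405b1ebff769ca9a06b8752540b349",
    "67c9743d34f71a0cece563f93bcc0270dcd0dbe6725dee05fea4f2e7cc9cb298",
    "a694a80f0870e268de6300b565e65d8273565320aa57b1e70d91060ded260478",
    "b161889bdad4a9d6eac719329185eef5aaba7910ac7d9bebed72b8437afee4d8",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsm) container

# Heuristic (assumption of this example): stream names stored UTF-16LE in an OLE
# directory when the document carries a VBA project.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def looks_like_macro_doc(data: bytes) -> bool:
    """Return True if the bytes look like an Office document carrying VBA macros."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_message(raw: bytes) -> List[Dict]:
    """Hash every attachment, match against the published IoCs, and run the macro heuristic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        sha256 = hashlib.sha256(data).hexdigest()
        findings.append({
            "filename": part.get_filename(),
            "sha256": sha256,
            "known_bad": sha256 in KNOWN_BAD_SHA256,
            "macro_suspect": looks_like_macro_doc(data),
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a lure-style message with a fake OLE blob that names a VBA stream."""
    fake_doc = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # placeholder, not the real sender
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your Invoice IN278577 from Out of Eden"
    msg.set_content("Dear customer,\n\nPlease find attached a DOC copy of your invoice.\n")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Invoice IN278577 (emailed 2015-05-21).doc")
    return msg.as_bytes()


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal OOXML-style ZIP containing a vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"fake")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

In a gateway this would run before delivery; the `known_bad` flag catches the samples this post lists, while `macro_suspect` catches the next repack of the same lure that has a fresh hash. Neither flag proves a document is malicious, so the practical action is quarantine for review rather than outright deletion.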


2 comments:

said...

I got one!

rafe said...

Thanks for backing up my suspicions that this wasn't a legitimate email. The header tag's return path and sender matched, so it was a little harder to judge. I'd like to add that, if you receive this email at work (like I did), it's important to notify your IT support. Updating spam filters is a big part of preventing malicious attacks on company workstations!