Tuesday, 28 July 2015

Your Air France boarding documents on 10Jul Boarding-documents.docm

Your Air France boarding documents on 10Jul  Boarding-documents.docm macro malware.

These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

From: Air France {cartedembarquement@airfrance.fr}
Subject: Your Air France boarding documents on 10Jul
Message Body:
Attached is your Air France boarding pass.

Attached is your boarding pass in PDF format.

Important information
  • Your boarding pass in PDF format is only valid when printed. Please print this document and present it at the airport. Please print your boarding pass in PDF format.

    If you are not able to print your boarding pass, please print it at the airport, using a Self-Service Kiosk or at a check-in counter.

Thank you for choosing Air France. We wish you a pleasant flight. This is an automatically generated e-mail. Please do not reply.

Legal notice
Air France is committed to protecting your privacy. Our privacy policy specifies:
  • how we use the data we collect about you
  • the measures we employ to protect your privacy.

You will also find the procedure for limiting the use of your data.
Sha256 Hashes:
b87c9d1ec244c28fa410ae3c64ab6ca7f191b8a7546ad7ec8e460e857153f167 [1]
f03a64d0a9715ad366e110e72ec3efb7ed268bf4f76a0512025d02aa74da09da [2]
9da39449ecf59918d2c23bbf3ecb060974b5ef31082e3c0c1dc46b00721a91fb [3]
1d0131590382a18819c4f3b06017696707298275a4a725beaea8b7a25afbef56 [4]
c1c7e9d31033442f9baf34802a238575f2a8acf820f887dcba102413139c2c5d [5]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 9/56)
VirusTotal Report: [2] (detection 9/56)
VirusTotal Report: [3] (detection 9/56)
VirusTotal Report: [4] (detection 9/56)
VirusTotal Report: [5] (detection 9/56)


The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))



Phil said...

I received this this morning.
seeing as I haven't booked with Air France and the date is 18 days ago, what are these spammers hoping to gain?
If I open it I guess I get a virus??
what do they gain????
should I expect a follow up email offering to rid me of the virus?

Human engr said...

Given the possibility that the sender addresses are legit, could you add discussion of whether to mark as spam in public or private junk mail tools?

Anonymous said...

Just got this email, thanks for the warning !

Anonymous said...

Will this affect windows phone users?