Clare Harding Purchase Order 0000035394 customer 09221 Purchase Order 0000035394.DOC

Description:

Clare Harding Purchase Order 0000035394 customer 09221 Purchase Order 0000035394.DOC macro malware.

Headers:

From: "Clare Harding"
Subject: Purchase Order 0000035394 customer 09221

Message Body:

Purchase Order 0000035394 to Alligata
Dear ,
Please find attached a copy of our order (reference 0000035394), your reference .
If you have any questions regarding the purchase order please contact us using the details below.

CLARE HARDING Purchasing Manager Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall, TR15 3RT Fax: +44 (0) 1209 315 600 www.carterspackaging.com purchasing@carterspackaging.com

Attachment filenames:

Purchase Order 0000035394.DOC

Sha256 Hashes:

23591022541ce84821f0cafe47ac2b819bf51689fb5eec86f677d1e661ee2659 [1]
155e4783714df49822e8b59978e1391ed25e781641277c71483bea7a8eac2b54 [2]
57e7eb6c8a742767101ed847d9697fc17cdbea9dc129b99aefe67276ad346957 [3]
b5fed55e96cd9bec63c7c68e3fd990eea7d36194d8c8c280a6fe10cf6268f564 [4]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 4/55)

Sanesecurity Signature detection:

badmacro.ndb: anesecurity.Badmacro.Wsc.New
phish.ndb: Sanesecurity.Malware.24819.MacroHeurGen.Hp

Important notes:

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe

The auto-downloaded/payloadis normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information regarding your bank accounts either by key logging, taking screen shots or copying information directly from your clipboard (copy/paste)

It's also worth remembering that the company itself  may not have any knowledge of this email and any link(s) or attachment in the email. normally won't have come from their servers or IT systems but from an external bot net.

These bot-net emails normally have faked email headers/addresses. It's not advised to ring the the company themselves, as there won't really be anything they can do to help you.

Cheers,

Steve

Sanesecurity.com

Your eBay Invoice is Ready

Description:

Your eBay Invoice is Ready ebay_591278156712819_291015.zip malware.

Headers:

From: "eBay" {ebay@ebay.com}
Subject: Your eBay Invoice is Ready

Message Body:

LEASE DO NOT RESPOND - Emails to this address are not monitored or responded to.

Dear Customer,

Please open the attached file to view invoice.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader this is available at no cost from the Adobe Website www.adobe.com

Attachment filenames:

ebay_591278156712819_291015.zip

Inside Zip attachment:

ebay_591278156712819_291015.exe

Sha256 Hashes:

 0a0818d1893eb92fb6535408d5a9b482960b62629492962f688917c9206d79f3 [1]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 3/56)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25726.ZipHeur

It's also worth remembering that the company itself  may not have any knowledge of this email and any link(s) or attachment in the email. normally won't have come from their servers or IT systems but from an external bot net.

These bot-net emails normally have faked email headers/addresses. It's not advised to ring the the company themselves, as there won't really be anything they can do to help you.

Cheers,

Steve

Sanesecurity.com

Heather Crawford Your Invoice I0000040777.doc

Description:

Heather Crawford Your Invoice I0000040777.doc macro malware.

Headers:

From: "Heather Crawford" {h.crawford@barclaycomms.com}
Subject: Your Invoice I0000040777

Message Body:

Dear Customer. Please find attached your Invoice.

Invoice Number: 0000040777

Invoice Date: 28/10/2015

Invoice Total: 78.40

Invoice Description: Barclay Fresh Direct Debit 1 V (x1.00000)

This e-mail, and any attachment, is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not the views of Barclay Communications, unless specifically stated.

Attachment filenames:

I0000040777.doc

Sha256 Hashes:

b6a1c2e867e62cbdf614de7fa5f25d75789dd67efaad860bf657ce780818c232 [1]
044ea5d5039e561c57a4b88bff5949d5640a26fcb2f1d6cd1b663c36e3e010bb [2]
8f8bbc433b58ca1440943b640f35cb15d3e3e011e11377fb48c7f414ce5357e6 [3]
9ce753830ba981debb6aad08bf1564acce910607848687b99ac3b3c3657a0b75 [4]
a793aef1bbcdef406c90a4166cc5a42032c703aaf485b00027c24a63dee602af [5]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 3/56)
VirusTotal Report: [2] (detection 3/56)
VirusTotal Report: [3] (detection 3/56)
VirusTotal Report: [4] (detection 3/56)
VirusTotal Report: [5] (detection 3/56)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.Xls.Wshell.G

Important notes:

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe

The auto-downloaded/payloadis normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information regarding your bank accounts either by key logging, taking screen shots or copying information directly from your clipboard (copy/paste)

It's also worth remembering that the company itself  may not have any knowledge of this email and any link(s) or attachment in the email. normally won't have come from their servers or IT systems but from an external bot net.

These bot-net emails normally have faked email headers/addresses. It's not advised to ring the the company themselves, as there won't really be anything they can do to help you.

Cheers,

Steve

Sanesecurity.com

eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200

eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200 FAX_20151028_1445421437_89.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: "eFax" Subject: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200

Message Body:

Fax Message [Caller-ID: 031207944200]

You have received a 1 page fax at 2015-10-28 08:57:17 GMT.

* The reference number for this fax is lon1_did14-1445421403-1407880525-89.

View this fax using your Microsoft Word.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Attachment:

FAX_20151028_1445421437_89.doc

Sha256 Hashes:

246ec2f4cdf0e18dc874644a09c369232ec70821a4b11a40dd7c133afb2ad70d [1] 2c2a2e955767384df23fce53a7b5a07b5cf968bbd39d2d8c086d527d448e3bbe [2] 92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 4/56) VirusTotal Report: [3] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24819.MacroHeurGen.Hp Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

Thank you for your order! IKEA receipt stats

The earlier report fake Ikea receipt containing word macro malware, was instantly blocked with Sanesecurity ClamAV signatures phish.ndb and badmacro.ndb.

What's interesting is the graph of the first wave of this... started at 9.20-ish am and finished at just after 9.45am-ish... but look at the numbers, peaking at 18.5k...

No doubt after a few hash changes to the document, it'll be back for another run shortly and you can see that traditional AV's don't have a lot of time between bot-runs to get detection updated.

 Updated graph:

Cheers,

Steve
Sanesecurity.com

DoNotReply@ikea.com Thank you for your order! IKEA receipt 607656390.doc

DoNotReply@ikea.com Thank you for your order! IKEA receipt 607656390.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: DoNotReply@ikea.com Subject: Thank you for your order!

Message Body:

Order acknowledgement:

To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015

Total cost: £122.60 Delivery date: 30-10-2015 Delivery method: Parcelforce We will confirm your delivery date by text,email or telephone within 72 hrs.

Order/Invoice number: 607656390 Order time: 8:31am GMT Order/Invoice date: 30-10-2015

 

Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.

Your order is subject to IKEAs Terms of use and Return Policy

 

 

This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.

 

Attachment:

IKEA receipt 607656390.doc

Sha256 Hashes:

03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8 92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 4/56) VirusTotal Report: [2] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24819.MacroHeurGen.Hp Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

A quick summary of zipped malware this morning.

A quick summary of zipped malware this morning... Sanesecurity database: foxhole_filename.cdb are detecting them...

Headers:

From: "donotreply_invoices@verifone.com" {donotreply_invoices@verifone.com} Subject: VeriFone Services UK and Ireland Ltd ======================================================= From: "credbills@denbighshire.gov.uk" {credbills@denbighshire.gov.uk}} Subject: Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance ======================================================= From: "World First Payments" {payments@worldfirst.com} Subject: World First - Supplier Payment Notification

Message body:

Please see attached Invoice(s).


Thanks and Regards,
VeriFone Services UK and Ireland Ltd

=======================================================

Gweler manylion taliad BACS yn atodedig

Please see attached Bacs Remittance

=======================================================

Dear Customer 
We're emailing to let you know that a payment is scheduled to be made to you by World First on behalf of DPI (UK) Ltd. 
This payment is scheduled to be made on 27 Oct 2015. Please see the attached PDF for further details on the payment (ID:3656763). 
Please note this notification is not meant to act as a binding confirmation and the payment may be subject to cancellation or amendment by our customer without further notification to you.
If any of the payment information is incorrect, please contact DPI (UK) Ltd. 
Kind Regards,
World First

Attached to the message is a Zip file (various names):

New_Cardholder_Application_Twila_Mccann.zip SF-20151027-3656763-20151027102459.zip World_First_Trade_Confirmation_-_Ref_20151027102632_on_27-Oct-2015.zip

Inside the Zip file is a Windows Executable file (various names)

Various exe and scr names

Sha256 Hashes: (various)

1dda68b78e84caf63bb32cae2dc1bd82111e49db85d127a36cb715e2e4ef3b16 4cb8b4959fbcc883a6e7f7ea9254acda3034b8d5dd93996cb9f709aef1104847 717e2d316ef1e98aa10b4d850c32a5f93281166b2913bcbd5e16b82a77d63034 7c5cf8ecf12a05555f6e9ab4948c3d9aaea7ea780f803a5ea200549d035d73ce c6a11c16722b6772807559a05c8d12b2b3776482208f8efface34876351a3122 ec7c8a14d7da104f6fd81ee8d99b92f3b117b5593f343fbd0ba8295de7e3995d

Cheers,
Steve
Sanesecurity.com

PHSOnline Your new PHS documents are attached

PHSOnline Your new PHS documents are attached macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: "PHSOnline" {documents@phsonline.co.uk} Subject: Your new PHS documents are attached

Message Body:

Delivery of new PHS document(s)     Dear Customer   Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.   We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.   Regards   PHS Group   To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.

Attachment:

G-A0287580036267754265.doc

Sha256 Hashes:

11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50 [1] 8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa [2] e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 5/56) VirusTotal Report: [2] (detection 5/56) VirusTotal Report: [3] (detection 5/56)

Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24819.MacroHeurGen.Hp Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

Norwich Camping Your Norwich Camping Order has shipped! invoice-2425.doc

Norwich Camping  Your Norwich Camping Order has shipped! invoice-2425.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: "Norwich Camping" {sales@norwichcamping.co.uk} Subject: #NC-242455-Zmj Your Norwich Camping Order has shipped!

Message Body:

You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen payment method has now been charged. Kind regards, The Norwich Camping & Leisure

Attachment:

invoice-2425.doc

Sha256 Hashes:

11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50 [1] 8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa [2] e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 5/56) VirusTotal Report: [2] (detection 5/56) VirusTotal Report: [3] (detection 5/56)

Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24819.MacroHeurGen.Hp Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

Scan Data from FX-D6DBE1 DocuCentre-V C6675 T2 22102015160213-0001.doc

Scan Data from FX-D6DBE1 DocuCentre-V C6675 T2 22102015160213-0001.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

Subject: Scan Data from FX-D6DBE1 From: "DocuCentre-V C6675 T2"{reception@

Message Body:

Number of Images: 1 Attachment File Type: DOC Device Name: DocuCentre-V C6675 T2 Device Location:

Attachment:

22102015160213-0001.doc

Sha256 Hashes:

2e2afd4f2eab5514eff15e62ccd1d1610a137419caa15eca8383417843ba716f [1] 4554fd639d5fe714dd65894af6fe5f96805f5da26bd0a8437ddb7d8e5c93df7b [2] d8259073a5f3f0019bd5047fcb5149c0450ff8a6743f3e415db491389edc5344 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 5/56) VirusTotal Report: [2] (detection 5/56) VirusTotal Report: [3] (detection 5/56)

Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24819.MacroHeurGen.Hp Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

UUSCOTLAND Water Services Invoice 22 October 2015 Invoice Summary.doc

UUSCOTLAND Water Services Invoice 22 October 2015 Invoice Summary.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: "UUSCOTLAND" {UUSCOTLAND@uuplc.co.uk} Subject: Water Services Invoice

Message Body:

Good Morning, I hope you are well. Please find attached the water services invoice summary for the billing period of 22 September 2015 to 22 October 2015. If you would like any more help, or information, please contact me on 0345 0726077. Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to help you. Alternatively you can email me at uuscotland@uuplc.co.uk. Kind regards Melissa Melissa Lears Billing Specialist Business Retail United Utilities Scotland T: 0345 0726077 (26816) Melissa.lears@uuplc.co.uk Unitedutilitiesscotland.com

Attachment:

22 October 2015 Invoice Summary.doc

Sha256 Hashes:

1b6986910dfefedc753fcec76d00c8e5e13464c6e00af4b73286437a04f11222 [1] 7349036e7e92f4468aa35d1207d5e1c646818bbec60a933b5798b295515a4787 [2] ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21 [3] Later Run: 3f3baaefba7dfdb7b54727e03d60c2de365c1b426885f1e9f79ad7f895d67793 [4] df4155671632cb0c265c5c558df05490e5e54eeeb8fad1a11260b42a51b6c56e [5] f8013369d58fbaaf15ebd320ce18510705b9462bfa0d0cf71892311d376b9cf5 [6]

Malware Virus Scanner Reports:

VirusTotal Report: [4] (detection 4/56) VirusTotal Report: [5] (detection 4/56) VirusTotal Report: [6] (detection 4/56) Malwr Report: [3] Payload: h t t p: / / namastetravel.co.uk/t67t868/nibrd65 DOT exe

Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24819.MacroHeurGen.Hp Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

ben.capass Your MF Communications bill for WIN001 [79549775 995412 82267] WIN001_02972.doc

Your MF Communications bill for WIN001 [79549775 995412 82267]  ben.capass@mfcomm.co.uk WIN001_02972.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: ben.capass@mfcomm.co.uk Subject: Your MF Communications bill for WIN001 [79549775 995412 82267]

 Body:

Please find attached your latest bill dated 21/10/2015 This email is generated automatically. Please do not reply to this email.

Attachment:

WIN001_02972.doc

Sha256 Hashes:

1b6986910dfefedc753fcec76d00c8e5e13464c6e00af4b73286437a04f11222 [1] 7349036e7e92f4468aa35d1207d5e1c646818bbec60a933b5798b295515a4787 [2] ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 0/56) VirusTotal Report: [2] (detection 0/56) VirusTotal Report: [3] (detection 0/56) Malwr Report: [3] Payload: h t t p: / / namastetravel.co.uk/t67t868/nibrd65 DOT exe

Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24819.MacroHeurGen.Hp Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

Shifu Banking Trojan

Most of the macro nasties of late have been trying to download the Dridex banking trojan, however
the last couple of days it appears these payloads have switched over to the Shifu Banking Trojan.

"The Trojan is designed to steal a wide range of banking related information such as usernames and passwords to financial accounts, credentials that users key into HTTP forms, private certificates, and even external authentication tokens used by some banks, researchers say...

...Shifu also is capable of stealing data from smartcards if it discovers a smartcard reader attached to the compromised endpoint. The malware can search for and steal from cryptocurrency wallets on infected systems and can detect if it has landed on a point-of-sale system, in which case it proceeds to steal payment card data as well."
Source: http://www.darkreading.com/vulnerabilities---threats/new-shifu-banking-trojan-an-uber-patchwork-of-malware-tools/d/d-id/1322039
An additional key point is that Shifu also wipes the local System Restore point on infected machines :(

Whitehead, Lyn INVOICE FOR PAYMENT - 7500005791 Invoice 7500005791.doc

Whitehead, Lyn INVOICE FOR PAYMENT - 7500005791 Invoice 7500005791.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: "Whitehead, Lyn" {Lyn.Whitehead@lancashire.pnn.police.uk} Subject: INVOICE FOR PAYMENT - 7500005791

 Body:

Hello Please find attached an invoice that is now due for payment. Regards Lyn Lyn Whitehead (10688) Business Support Department - Headquarters Email: Lyn.Whitehead@lancashire.pnn.police.uk

Attachment:

Invoice 7500005791.doc

Sha256 Hashes:

194100b10159ad608ae111c69de9add3ff698bfaac3eb098bb5e88d103287440 [1] 8bb24ef0d0ae84455a8ac9f67c430168b9e8aa8ae0722e4a223cc6c8b8a840ad [2] e96e3d8fe9a8509d638077ad06a147703352a3309be1e0a94438b6ca84328337 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 0/56) VirusTotal Report: [2] (detection 0/56) VirusTotal Report: [3] (detection 0/56) Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.BadDoc.Fmt.Shell Hybrid Analysis Report: [1]

NOTE The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. These word/excel attachments try to download either... Dridex banking trojan, Shifu banking trojan ... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

invoice 11368 corrected distribution@unenormandealondres.co.uk inv 11368 corrected.doc

invoice 11368 corrected distribution@unenormandealondres.co.uk inv 11368 corrected.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: {distribution@unenormandealondres.co.uk} Subject: invoice 11368 corrected

 Body:

Please Find attached your invoice 11368 corrected. Regards Accounts Service Une Normande A Londres Ltd

Attachment:

inv 11368 corrected.doc

Sha256 Hashes:

9f598aa8751d9a7b5a6afe1d6e1e930d92c2131bd2f7c1839ba94307934b1e91 [1] a8e2788f371decce59d5cf7f02b7cf187406ae277e370fea112b58a437a55577 [2] be8966a576167b2b151e0515fc46f7952d9a616754214550961bbf95fde420f7 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 4/56) VirusTotal Report: [2] (detection 4/56) VirusTotal Report: [3] (detection 4/56) Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24667.XlsHeur Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.Xls.Wshell.G

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment. The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

Shaun Buzzard Order lp22_20151013_164535.doc

Shaun Buzzard Order lp22_20151013_164535.doc macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: Shaun Buzzard {shaunb@hubbardproducts.com} Subject: Order

 Body:

Hi , Please find attached order. Kind regards. Shaun Buzzard Hubbard Products Limited Hillview, Church Road, Otley, Suffolk. IP69NP Registered in England No. 6217134 Email: shaunb@hubbardproducts.com DDI: 01473892216 Fax: 01473890687

Attachment:

lp22_20151013_164535.doc

Sha256 Hashes:

9f598aa8751d9a7b5a6afe1d6e1e930d92c2131bd2f7c1839ba94307934b1e91 [1] a8e2788f371decce59d5cf7f02b7cf187406ae277e370fea112b58a437a55577 [2] be8966a576167b2b151e0515fc46f7952d9a616754214550961bbf95fde420f7 [3]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 4/56) VirusTotal Report: [2] (detection 4/56) VirusTotal Report: [3] (detection 4/56) Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24667.XlsHeur Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.Xls.Wshell.G

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment. The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

GOMEZ SANCHEZ FINAL NOTIFICATION FINAL NOTIFICATION.xls

GOMEZ SANCHEZ FINAL NOTIFICATION FINAL NOTIFICATION.xls macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.

Note

It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net. It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: "GOMEZ SANCHEZ"{postmail@bellair.net} Subject: FINAL NOTIFICATION

 Body:

Congratulations Print out the attachment file fill it and return it back by fax or email Yours Sincerely GOMEZ SANCHEZ

Attachment:

FINAL NOTIFICATION.xls

Sha256 Hashes:

7f5fa44008064ca6cf59cf165770e4db8a7764bd14cf92586b8ecb65de756756 [1] 80ded7a1e98b524e7b4a123a741892a40b862d3f05d949ae88f401e94c4b1a6a [3] c9602e7c64ea66b4a90f9ad6ccabcbba4243dd04cbb87554a056e97239900258 [4]

Malware Virus Scanner Reports:

VirusTotal Report: [1] (detection 4/56) VirusTotal Report: [2] (detection 4/56) VirusTotal Report: [3] (detection 4/56) Sanesecurity sigs (phish.ndb) detected this as: Sanesecurity.Malware.24667.XlsHeur Sanesecurity sigs (badmacro.ndb) detected this as: Sanesecurity.Badmacro.Xls.Wshell.G

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users. Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment. The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows. However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware. Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com