PHSOnline Your new PHS documents are attached macro malware.
These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
NoteHeader:
It's also worth remembering that the company itself may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net and they normally have faked email headers/addresses.
It's not advised to ring them as there won't really be anything they can do to help you.
Message Body:
From: "PHSOnline" {documents@phsonline.co.uk}
Subject: Your new PHS documents are attached
Attachment:
Delivery of new PHS document(s)
Dear Customer Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience. We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved. Regards PHS Group To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.
G-A0287580036267754265.docSha256 Hashes:
Malware Virus Scanner Reports:
11d137631d43b731e633ebf8dfecbd41bd5ca16f93be48678789a3fd275f3d50 [1]
8448dce775043e0fe09bf0dadaf7c7dabf901c129c503ef7f2668e4e2b6766aa [2]
e66201d2899796e2bedfffedd2f70aa58afa06af546d92fa41e2604a284d3af7 [3]
VirusTotal Report: [1] (detection 5/56)
VirusTotal Report: [2] (detection 5/56)
VirusTotal Report: [3] (detection 5/56)
Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp
Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.
Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment but they will be safe
The auto-download file is normally a windows executable and so will not currently run on any operating system, apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.
These word/excel attachments try to download either...
... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))
Cheers,
Steve
8 comments:
Today's scam email just arrived and immediately deleted. Is there no way these idiots can be stopped?
Yep, another one here just received it. IP address is from Turkey - Eser Telekom which is part of the Skylogic S.p.A. who provide satellite broadband services worldwide and are based in Turn in Italy.
Got my latest this morning from PHS. Wish these assholes would fall down a deep hole and disappear. 😊
I received this - and very stupidly clicked on the attachment as was very similar to an email that I was expecting.
Norton Premier 360 did not strip it out - v worried I now have malware downloaded.
Thank you for this information I very much appreciate it.
I just got one of these. Fortunately, I don't click on any links or open anything when I don't know who it is but go to their website to see who they are.
I received this today also. Looks like this goes out in a mass email. I always try to see where a suspicious email originates from before opening any type of link or attachment that I'm not expecting. I too would like to see them all fall into a deep deep hole.
If the mail does not have your name on it then there is a good chance it is a scam - in this mail they are sending you a personalised document but do not know your name....unlikely to be true, other then that a pretty good looking scam.
Post a Comment