Margaret Wimperis Purchase Order 37087-POR PORDER.DOC macro malware.
Headers:
From: Margaret Wimperis {MargaretWimperis@biasbinding.com}
Subject: Purchase Order 37087-POR
Message Body:
Hi
Please confirm receipt of order
Kind regards
Margaret
-----------------------------
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited. The views expressed by the author are not
necessarily those of K. Stevens (Leicester) Ltd.
Attachment filename(s):
PORDER.DOC
Sha256 Hashes:
d997184e5277a9ede634999c6cfaea0d64f7009ff6727c71d58d9d676530ae5e [1]
fcc639ddaf9b671fd1efdd70ad5a9358a18e9b3acd0e89f819a561933583c178 [2]
Malware Virus Scanner Report(s):
Sanesecurity Signature detection:
badmacro.ndb: Sanesecurity.Badmacro.Wsc.New
phish.ndb: Sanesecurity.Malware.25722.MacroHeurGen.al2
Important notes:
The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.
Apple and Android mobiles/tablets can open these attachments, and may even manage to run the macro embedded inside the attachment, but they will be safe.
The auto-downloaded payload is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
These Word/Excel attachments normally try to download either...
Dridex banking trojan,
Shifu banking trojan
... both of which are designed to steal login information for your bank accounts, either by key logging, taking screenshots or copying information directly from your clipboard (copy/paste).
It's also worth remembering that the company itself may not have any knowledge of this email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.
These botnet emails normally have faked email headers/addresses. It's not advised to ring the company themselves, as there won't really be anything they can do to help you.
Cheers,
Steve
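As an added example (not part of the original post or of any scanner named above), here is a small mail-gateway style check that pulls attachments out of a raw message, hashes them against the two SHA256 IoCs listed above, and flags legacy OLE2 Word/Excel files that carry VBA macro streams. The message and the attachment bytes are constructed for the demo; the marker names and the OLE2 magic are standard, and the hashes are the ones quoted in this post.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SHA256 hashes listed in the advisory above for the PORDER.DOC attachment.
KNOWN_BAD_SHA256 = {
    "d997184e5277a9ede634999c6cfaea0d64f7009ff6727c71d58d9d676530ae5e",
    "fcc639ddaf9b671fd1efdd70ad5a9358a18e9b3acd0e89f819a561933583c178",
}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
# Directory stream names present when an OLE2 document carries VBA macros (stored UTF-16LE).
MACRO_MARKERS = [n.encode("utf-16-le") for n in ("VBA", "_VBA_PROJECT", "Macros")]


def inspect_attachment(filename, data):
    """Hash one attachment, compare against the advisory IoCs and look for macro markers."""
    digest = hashlib.sha256(data).hexdigest()
    findings = {
        "filename": filename,
        "sha256": digest,
        "known_bad_hash": digest in KNOWN_BAD_SHA256,
        "ole2_container": data.startswith(OLE2_MAGIC),
        "macro_markers": [m.decode("utf-16-le") for m in MACRO_MARKERS if m in data],
    }
    # Quarantine on an exact IoC match, or on any legacy Office file that carries macro streams.
    findings["quarantine"] = findings["known_bad_hash"] or (
        findings["ole2_container"] and bool(findings["macro_markers"]))
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and inspect every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [inspect_attachment(p.get_filename() or "(unnamed)", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]


# Constructed sample: OLE2 header plus a fake VBA directory entry; NOT the real PORDER.DOC bytes.
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8


def build_sample_message():
    """Constructed message mirroring the advisory's headers and body, with the synthetic attachment."""
    m = EmailMessage()
    m["From"] = "Margaret Wimperis <MargaretWimperis@biasbinding.com>"
    m["Subject"] = "Purchase Order 37087-POR"
    m.set_content("Hi\nPlease confirm receipt of order\nKind regards\nMargaret\n")
    m.add_attachment(SAMPLE_DOC, maintype="application", subtype="msword", filename="PORDER.DOC")
    return m.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The synthetic attachment is flagged by the macro-stream heuristic rather than by hash, which is the point: a hash list catches only the samples already seen, while the container check also catches the next re-packed variant.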
19 comments:
I've received this scam email. Thanks for posting this so I know I should delete it.
Thanks for this. Just received this email and ummed and ahhed about opening. Sent straight to junk and deleted.
Crazy, just received this at work and I'm a buyer so would NOT be receiving something like this so knew it probably wasn't right. Then found your post here after doing a quick search, thanks for this.
Same here. Just received this on 2nd November. As I was expecting a purchase confirmation I thought about opening it. However, I thought I'd search Google for such an email and, hey presto, it is a scam.
Thanks for posting
Yep, it's doing the rounds today! Got it 2 Nov 2015. Already in Thunderbird's junk mail box. I expect K Stevens (a genuine company) will be rather annoyed!
Thanks, just received that and your post was very helpful.
Just got exactly the same email. Never open links. Thought I would Google it. Glad I did.
I opened this email BUT did not click on the attachment, and instead sent the email to the deleted folder. Will my computer be infected?
Thanks.
H.
I stupidly opened it but have done various scans and they haven't detected anything yet. Am I infected? How will I know?
I never open unexpected docs but clicked on this doc not thinking, as I was on the phone in the middle of expecting an online receipt. The macros in the doc were disabled so presumably I haven't caused any damage. I immediately disconnected and ran Hitman Pro and Malwarebytes on the doc, which didn't find any threat! So I googled and ended up here.
I've deleted the doc securely with an IOBIT file shredder in accordance with fancy US standards, but it's got me thinking why nothing picked up the threat, and more importantly what would have?
Any comments please?
We received it this morning. Knew it couldn't be right as we're a courier company & don't have a lot of use for bias binding tape!
Just doing a quick check now and looks like the NOD32 online scanner should be picking up the exe file (if it's been downloaded)...
So, worth running...
https://www.eset.com/us/online-scanner/
I've downloaded it from my phone and tablet; both messages are empty but I'm worried now. I opened it as I have ordered things over the weekend and thought it was a receipt. What can I do now?
I got this today (2nd Nov) and checked it here so thanks for that. I was already suspicious, hence the search.
Yep, I just got it this morning.
I opened it on my Mac as I was expecting a receipt. Will it affect me?
SHA256: 68f12af8b55d1af4010626fdc95e23a29442776a045b8ed596041faec7990830
100% FUD from AV!!
So glad I googled this before opening attachment. Thanks for posting.
These scammers seem to put a lot of work into what they do...obviously they get rewarded or they would stop which leads me to believe there are some people out there who actually are vulnerable and fall for it. NEVER OPEN AN ATTACHMENT FROM SOMEONE YOU DO NOT KNOW.
I got this one on Monday also but unfortunately clicked on the attachment. I googled the company name and found they have a warning on their website. I ran a full scan immediately and a threat was found and neutralized/deleted. I have just received another one today (a supposed invoice from Posei in Australia). Didn't open this one but have run the scan again anyway. Waiting for results. I have found out that my colleague has received both of these as well and he's scanning now also.