Friday, 24 April 2015

Malware spam: "Pidwell, Nigel []" / "Western Order"

The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:
From:    Pidwell, Nigel []
Date:    24 April 2015 at 08:47
Subject:    Western Order


Nigel Pidwell
SSE Contracting Limited
T: +44 (0) 1637 889506
Unit 8, Hurling Way,
St Columb Major Business Park, St Columb Major, Cornwall

So far I have only seen one sample, Western Order.doc [VT 4/57], which contains a malicious macro [pastebin] that is functionally identical to the one used in this spam run, which was also happening this morning.

Malware spam: "Colin Fox []" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
From:    Colin Fox []
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658     attached 
The attachment is Sales Invoice 519658.pdf [VT 2/57]. This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55], which in turn contains a malicious macro that looks like this [pastebin].

There may be different versions of the macro, but in this case it downloads a component from:

..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to: (RuWeb CJSC, Russia) (TheFirst-RU, Russia) (TheFirst-RU, Russia) (StarNet SRL, Moldova)

In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:

Sample MD5s:

Thursday, 23 April 2015

Malware spam: "Refund on order 204-2374256-3787503" / " []"

This fake Amazon spam comes with a malicious attachment:

From: []
Reply-To:    "" []
Date:    23 April 2015 at 09:58
Subject:    Refund on order 204-2374256-3787503

Dear Customer,

Greetings from

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on

Thank you for shopping at

Sincerely, Customer Service

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again

Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions; however, the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:

..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs: (RuWeb CJSC, Russia) (OneGbits, Lithuania) (OVH, Czech Republic) (Corgi Tech, UK) (TheFirst-RU, Russia)

The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.

Recommended blocklist:


Wednesday, 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia
I have only seen one sample of this spam so far; it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez

In this case, the link in the email goes to:

..which includes the victim's email address in the URL. In turn, this redirects to:

As the name suggests, this is a VBScript (VT 1/56); in this case it is lightly obfuscated [pastebin] and it initiates a download from:

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs: (Hetzner, Germany) (Camelhost SIA, Latvia) (Iliad Entreprises / Poney Telecom, France) (Invest Ltd, Ukraine)

According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:


Tuesday, 21 April 2015

Malware spam: "Australian Taxation Office - Refund Notification" / "Australian Taxation Office []"

G'day mate. Despite not being an Aussie and never having paid a single Australian cent in tax, apparently I'm due a tax refund from the Australian Tax Office. Bonzer!

From:    Australian Taxation Office []
Date:    21 April 2015 at 21:36
Subject:    Australian Taxation Office - Refund Notification


Australian Taxation Office - 22/04/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 218.21 AUD.

To view/download your tax notification please click here or follow the link below :

Brett Newman, Tax Refund Department Australian Taxation Office 

Despite the "" site that apparently displays in the link, it actually leads to a download from and it leads to a ZIP file called which in turn contains the malicious executable report2104.exe.

Currently this malware has a reasonable detection rate of 23/57. Out of various automated analysis tools, only the Payload Security Hybrid Analysis engine gave a decent result indicating that a connection was made to a legitimate but hacked site and then several versions of the same .EXE were downloaded, which this VirusTotal report indicates is the Dyre banking trojan. That same VirusTotal post also lists a number of C&C servers that you might want to block:

Malware spam: "LAG invoice I413136" / "Lichelle Ebner []"

This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
From: Lichelle Ebner []
Sent: Tuesday, April 21, 2015 9:55 AM
Subject: LAG invoice I413136

Dear Accounts Payable,

Attached is a copy of invoice  I413136 .The items were shipped.  Please feel free to contact me if you have any questions or cannot read the attachment.
Thank you for your business.


Lichelle Ebner
L. A. Grinding Company
Ph. (818) 846-9134
FAX (818)846-1786
So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57 and which contains this malicious macro [pastebin]; in turn, this downloads a component from:

..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56.

Automated analysis tools [1] [2] [3] show that it attempts to communicate with a familiar IP: (StarNet SLR, Moldova)

According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56.

Recommended blocklist:


Monday, 20 April 2015

Malware spam: "Hector Malvido []" / "Pending payment"

This spam comes with a malicious attachment:

From:    Hector Malvido []
Date:    20 April 2015 at 10:51
Subject:    Pending payment

This invoice shows in my records that has not being pay can you review your records please
Attached is a file filename-1.doc (3/57 detection by AV vendors) which may come in many different versions, but the samples I have all have this malicious macro [pastebin] which downloads another component from the following location:

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] [4] show it phoning home to: (StarNet SLR, Moldova)

The Malwr report shows that it drops a Dridex DLL with a 3/57 detection rate.

Recommended blocklist:


Friday, 17 April 2015

Malware spam: "Julie Mckenzie []" / "Credit Card Statement"

This spam does not come from Swift Cut, but is instead a simple forgery with a malicious attachment:

From:    Julie Mckenzie []
Date:    17 April 2015 at 12:24
Subject:    Credit Card Statement

Attached your credit card statement.
Can you return with receipts by Friday 17th April.
Julie McKenzie
Sales Administrator
Tel +44 (0)1543 473300
Attached is a file C Swift Credit Card.doc which comes in at least four different versions, all of which are malicious and all of which have a macro similar to this one [pastebin].

These macros download a file from one of the following locations:

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54 (identified clearly as a Dridex component). Automated analysis [1] [2] [3] [4] shows that it attempts to communicate with: (FastVPS, Estonia)

I recommend that you block traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53.


Scam: "Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK)," / "Royal Queens Hotel"

This spam email forms part of a Conference Scam:

From:    United Nations Summit []
Date:    16 April 2015 at 17:59
Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),

Dear Invitee, Nonprofit/NGO Colleague,

UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.

Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.

The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel.

Venue: Queen Elizabeth II Conference Centre (QEIICC)
Date:5th-9th May, 2015.
Conference Theme:Impact and implications of the global financial and economic crisis on sustainable development & climate change proposals for an integrated global response to the crisis.

For further details about registration form,visa,flight ticket and other details, write an acceptance letter to be part of this event and send it directly via our Official e-mail together with your cellphone number for confirmation.

Send us e-mail:
or Call Dr. Pitt Thomas for more information +44703-597-1620.

We look forward to meeting you at the forthcoming Global Financial and Economic Crisis conference.

Register Now!!!!

Mrs.Kathleen Fitzpatrick
(Organizing Secretary)
Communication and Public Affairs.

United Nations-Nations Unites
Division for Social Policy and Economic Development Department of Economic
and Social Affairs Room UK2-1324, 2 United Nations Plaza, England, United

What's the scam? Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is no hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel... and will then vanish with your money.

There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a fake hotel website to make the scam more credible.


Thursday, 16 April 2015

Malware spam: "Decisive notification about your Automated Clearing House payment"

This fake ACH spam leads to malware:

From:    aileen.alberts@[redacted]
Date:    16 April 2015 at 15:55
Subject:    Decisive notification about your Automated Clearing House payment

The Automated Clearing House transaction transfer, recently initiated from your company"s online bank account, has been rejected by the EPA.

Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars
Email [redacted]
Reason of Termination Download full details

Please visit the link provided at the top to see more information about this problem.

The link in the email goes to a download location at which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro [pastebin].

I haven't had the time to analyse it fully, but it is rather different from other offerings. From what I can tell, it downloads an encrypted file [pastebin] from: or

And some sort of executable from Dropbox with a detection rate of 3/57. Automated analysis tools are inconclusive at the moment [1] [2] although the Payload Security report does show several dropped files including two malicious scripts [pastebin].

Of note is that one of the scripts downloads what looks like a PNG from:

For now, I would recommend blocking traffic to

For researchers only, I have an archive of some of the files here, password is infected.