Sponsored by..

Tuesday, 21 October 2014

Fake "Humber Merchants Group / humbermerchants.co.uk" Industrial Invoices spam

This fake spam pretends to come from the legitimate firm Humber Merchants but doesn't. It's a forgery, Humber Merchants are not sending out this spam nor have they been hacked or compromised.

From:     ps7031112@humbermerchants.co.uk
Date:     21 October 2014 15:21
Subject:     Industrial Invoices

Attached are accounting documents from Humber Merchants

Humber Merchants Group

Head Office:
Parkinson Avenue
North Lincolnshire
DN15 7JX

Tel: 01724 860331
Fax: 01724 281326
Email: sales@humbermerchants.co.uk

Automated mail message produced by DbMail.
Registered to Humber Merchants Limited  , License MBS2008354.
Attached is a malicious Word document 15040BII3646501.doc which has a VirusTotal detection of 6/54. The Malwr report gives a little detail as to what it going on, but the crux of it is that if you have macros enabled then they will download and execute a malicious binary from http://gpsbah.com/images/1.exe which has a VirusTotal detection rate of 11/53 and which the Malwr report  indicates then connects to the following URLs:$24+/h5@RnK5~Y@7&mKGc%2C1%7E0/BhmOUE~Xf/_T_%20GSN is a Serverloft / Intergenia IP address in Germany.

Recommended blocklist:

UPDATE 2014-10-23

Another version of the attachment is doing the rounds, this time the attachment has a detection rate of 0/54  (Malwr report) but in this case it downloads a file from http://jvsfiles.com/common/1.exe which has a detection rate of just 1/54.

According to the Malwr report, that binary contacts the following URLs: is 1&1, Germany and is Hostway, Belgium.

This executable drops a DLL on the system which is also poorly detected with a detection rate of 1/54.

Recommended blocklist:

UPDATE 2014-11-13

A fresh round of spam has started with the same template. So far I have seen two documents with low detection rates [1] [2] [Malwr report] that drop one of two malicious binaries [1] [2] [pastebin] from one of these locations:


This is also poorly-detected according to VirusTotal. The Malwr report for this shows that it reaches out to the following URL (again):

It also drops a DLL identified by VirusTotal as Dridex.

No comments: