Sponsored by..

Tuesday, 4 November 2014

DUCO "Remittance Advice November" spam

This fake remittance advice spam does pretends to come from a company called DUCO (it does not) and comes with a malicious Word document.

From:     Therese Holden
Date:     4 November 2014 13:59
Subject:     Remittance Advice November FO1864232P

Dear Sir/Madam

Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP

Therese Holden
Accounts Payable Department DUCO
The attachment is a Word document with a randomly-generated filename that matches the subject of the email, it contains a malicious macro [pastebin] with a VirusTotal detection rate of 0/52 (you can see the Malwr report here, it doesn't say much). In this case the macro downloads a file from and saves it as %TEMP%\DCITXEKBIRG.exe, this is also poorly detected with a detection rate of just 3/52.

The Malwr report shows that the malware reaches out to the following URLs:$%3D=cVE%3DUPI%7EVe94/L&%3D%20yqWbqmNh$oP/

It also drops a DLL on the system identified by VirusTotal as Cridex.

Recommended blocklist:


Jake Rogers said...

Just finished my analysis 5 minutes ago, see malwr report below along with the "dropper" url encoded in the macro which was different from the one you've found.



Steve Basford said...


Conrad Longmore said...

I think usually there are a few different versions of the document, so far I have only seen two samples which the same document attached.