Sponsored by..

Monday, 10 November 2014

"Kate Williams" / "invoice 8798556 November" spam has a malicious DOC attachment

This fake invoice spam comes with a malicious Word document attached:

From:     Kate Williams
Date:     10 November 2014 09:40
Subject:     invoice 8798556 November

Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8798556 Account No 5608798556.
Thanks very much

The number of the invoice is random and is consistent between the subject and attachment (in this case invoice_8798556.doc). There are two different attachments, both poorly-detected at VirusTotal [1] [2] each containing a malicious macro [1] [2].

I haven't been able to analyse it myself yet, but according to this comment it downloads a binary from adeline.de/js/bin.exe which has a low VirusTotal detection rate and for which the comments from user borromini say:

#malware #dridex

Downloaded by malicious word doc with macro (f9d6161e1b26cf6faab4ac0eecde3a7d).

POST requests to

Also tried and  
The macros I mentioned download from the following locations:


The executable is then copied to %TEMP%\CQRZKMIESEX.exe and the ThreatTrack report [pdf] shows the malware connecting to (Hostway, UK) where it POSTS to /hCsYvpW%26lZaTGPBgK$W%264P49%24%2BNU&Y/H%26%20@Kg
5SvSh8+unz%7Eg6f%24G on that server.

No comments: