From: Simply carpets [email@example.com]So far this morning I have only seen a single sample of the Word document which is undetected by any anti-virus vendors. This document contains a malicious macro [pastebin] which then downloads an additional component from:
Date: 12 January 2015 at 08:11
Subject: Invoice from simply carpets of Keynsham Ltd
Your invoice is attached. Please remit payment at your earliest
Thank you for your business - we appreciate it very much.
simply carpets of Keynsham Ltd
This is then saved as %TEMP%\TYUhfdtUUUdsf.exe. This also has a low detection rate (identified as Dridex), and the Malwr report shows that it attempts to contact the following well-known malware C&C IPs:
18.104.22.168 (1&1, US)
22.214.171.124 (HKBN, Hong Kong)
It probably also drops a malicious DLL, although the Malwr report does not show that.
UPDATE: a second version of the malicious document is also in circulation, again undetected by AV vendors, but this time the macro downloads from:
This is exactly the same binary as downloaded by the other sample.
UPDATE 2015-01-13If you receive a spam like this and are in the UK, the good folks at Simply Carpets request that you report it to report it to ActionFraud:
Have you received a spoof email from us ref invoice 12983? Call fraud office 03001232040 ref nfrc150100902706. Thank you for your support