Sponsored by..

Monday, 19 January 2015

Malware spam: "NatWest [donotreply@netwest.uk]" / "Important - Please complete attached form"

This spam claiming to be from NatWest bank (or is it nEtwest?) leads to malware.

From:    NatWest [donotreply@netwest.uk]
Date:    19 January 2015 at 14:02
Subject:    Important - Please complete attached form

This message has been scanned by the Bankline CSC SSM AV and found to be free of known security risks.

Dear Customer

Please find below your Banking Form for Bankline.

Please complete Bankline Banking Form :

- Your Customer Id and User Id - which are available from your administrator if you have not already received them

Additionally, if you wish to access Bankline training, simply follow the link  below


If you have any queries or concerns, please telephone your Electronic Banking Help Desk.

National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer.

Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate

In this case the link in the email goes to www.ipawclp.com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document.html where it hits a couple of scripts at:


In turn, that leads to a ZIP file download which contains an EXE file which is slightly different each time it downloads, with low detection rates in all cases [1] [2] [3]. The name of the ZIP file and EXE varies, but is in the format doc12345.exe and doc54321.zip. Of note is a sort-of-informational screen on the download page.

Automated analysis is presently inconclusive [1] [2].

@snxperxero suggests blocking the following sites:


naszfranio said...

I just checked and detection rates are really high ... are anti-virus companies speeding up with detection mechanisms ?

Conrad Longmore said...

@naszfranio - they might be catching up, but did you scan the ZIP file or the EXE file? I only scanned the EXE file.