Friday, 24 April 2015

Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
From:    Colin Fox [colin@nofss.co.uk]
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658 attached
The attachment is Sales Invoice 519658.pdf [VT 2/57]. This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55], which in turn contains a malicious macro that looks like this [pastebin].
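A triage check for the PDF-to-Word dropper pattern described above, as an added example that is not part of the original post: it scans raw PDF bytes for the name tokens that let a PDF run script, run it automatically on open, and carry an embedded file, decoding the #xx hex escapes that are sometimes used to hide those keywords. The sample PDF fragments are constructed for the example; the script text inside it is a placeholder, not the campaign's actual code.

```python
import re

# PDF name tokens that let a document run script, run it on open, or carry a payload.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in name tokens (e.g. /Java#53cript -> /JavaScript).

    Applied to the whole file for keyword matching only; stream contents are not
    interpreted, so mangling bytes inside them does not matter here."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count suspicious name tokens and flag the script + auto-run + payload combination."""
    normalized = normalize_pdf_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at a delimiter, so /EmbeddedFiles (the name tree) must not count as /EmbeddedFile.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, normalized))
    has_script = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    auto_run = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    has_payload = counts["/EmbeddedFile"] > 0 or counts["/Launch"] > 0
    if has_script and auto_run and has_payload:
        verdict = "dropper-like"
    elif has_script:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "counts": counts,
        "verdict": verdict,
        # Objects inside compressed object streams are invisible to a raw byte scan;
        # a file that uses them needs decompression before this result is trusted.
        "needs_decompression": b"/ObjStm" in normalized,
    }

# Constructed sample: catalog with an OpenAction pointing at a JavaScript action and an embedded file.
SAMPLE_DROPPER = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj\n"
    b"2 0 obj << /S /Java#53cript /JS (placeholderDropEmbeddedDoc();) >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)
# Constructed sample: a plain document with no actions or attachments.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, sample in (("dropper", SAMPLE_DROPPER), ("clean", SAMPLE_CLEAN)):
        print(label, scan_pdf(sample))
```

A "dropper-like" verdict is a reason to detonate the file in a sandbox and pull the embedded object out for a second-stage scan, not a final classification on its own.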

There may be different versions of the macro, but in this case it downloads a component from:


...which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57, and automated analysis tools [1] [2] [3] show attempted network connections to: (RuWeb CJSC, Russia) (TheFirst-RU, Russia) (TheFirst-RU, Russia) (StarNet SRL, Moldova)

In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:

Sample MD5s:


Mloza said...


I opened the attachment in my mac but nothing out of the ordinary seems to be happening. Is this trojan just for PC?


Matthew Thompson said...


Yeah, Mac won't be affected, since looking over the pastebin for the exploit, it uses Windows .DLL files and exploits.

Mac won't be affected by this, though it would be best practice to look before opening.