Sponsored by..

Thursday, 9 April 2015

Malware spam: "Matthews, Tina [tina@royalcarson.com]" / "Credit card transaction" / "Royal Wholesale Electric"

This fake financial spam does not come from Royal Wholesale Electric but it is instead a simple forgery with a malicious attachment.
From:    Matthews, Tina [tina@royalcarson.com]
Date:    9 April 2015 at 10:48
Subject:    Credit card transaction

Here is the credit card transaction that you requested.

Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.

The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:


This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools [1] [2] [3] [4] show traffic to the following IPs: (Docker Ltd, Russia) (Microtech Tel, US) (Cadr-TV LLE TVRC, Ukraine) (World Internetwork Corporation, Thailand) (OneGbits, Lithuania) (DigitalOcean Cloud, Singapore) (University Of Chicago, US) (Corgi Tech Limited, UK) (Digital Ocean, UK) (Digital Networks CJSC aka DINETHOSTING, Russia) (Hutchison 3G, UK)

According to the Malwr report  is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].

Recommended blocklist:


No comments: