Thursday, 30 April 2015

Malware spam: "Rebecca McDonnell [rebecca@gascylindersuk.co.uk]" / "Telephone order form"

This fake financial email is not from Gas Cylinders UK but is instead a simple forgery with a malicious attachment.

From:    Rebecca McDonnell [rebecca@gascylindersuk.co.uk]
Date:    30 April 2015 at 09:54
Subject:    Telephone order form

Telephone order form attached
Regards,

Rebecca McDonnell
Business Administrator

340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI:  01744 304338
Fax: 01942 275 312
Email: rebecca@gascylindersuk.co.uk


***** D i s c l a i m e r *****

This e-mail message is confidential and may contain legally privileged information. If you are not the intended recipient you should not read, copy, distribute, disclose or otherwise use the information in this e-mail.  Please also telephone us on 0800 622 6330, immediately and delete the message from your system. E-mail may be susceptible to data corruption, interception and unauthorised amendment, and we do not accept liability for such corruption, interception or amendment or the consequences thereof.

There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56 and contained this malicious macro [pastebin] which downloaded a component from the following location:

http://morristonrfcmalechoir.org/143/368.exe

This is saved as %TEMP%\serebok2.exe and has a detection rate of 8/56. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:

212.227.89.182 (1&1, Germany)

The Malwr report shows a dropped Dridex DLL with a detection rate of 3/55.
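The indicators above (download URL, payload host, C2 address and the dropped file name) are the kind of thing a defender sweeps logs for. The following is an added example, not code from the original post: it runs a small IoC check over constructed proxy log lines and constructed process-creation events, flagging both the specific indicators from this post and the generic pattern of Word launching an executable out of %TEMP%. The log formats, field names and sample values are assumptions made for the example.

```python
"""
Added example (not part of the original post): sweep constructed proxy and
process-creation log lines for the indicators listed above and for the
generic "Office spawns an .exe from %TEMP%" behaviour the macro relies on.
Log formats, field names and sample entries are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the post.
IOC_URL = "http://morristonrfcmalechoir.org/143/368.exe"
IOC_HOST = urlparse(IOC_URL).hostname
IOC_IP = "212.227.89.182"
IOC_DROPPED = "serebok2.exe"

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>" (assumed format).
PROXY_LOG = [
    "2015-04-30T09:58:12 10.0.0.15 GET http://example.org/index.html 200",
    "2015-04-30T09:58:40 10.0.0.15 GET http://morristonrfcmalechoir.org/143/368.exe 200",
    "2015-04-30T09:59:03 10.0.0.15 POST http://212.227.89.182/ 200",
    "2015-04-30T10:01:44 10.0.0.22 GET http://example.org/news 200",
]

# Constructed, simplified process-creation events (Sysmon-like; fields are assumptions).
PROC_LOG = [
    {"parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\serebok2.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\installer_update.exe"},
]

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)
# An .exe sitting directly under the user's %TEMP% directory.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# Office binaries that commonly host malicious macros.
OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.IGNORECASE)


def proxy_hits(lines):
    """Return (client, reason, url) for every proxy line touching a known indicator."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        url = m.group("url")
        host = urlparse(url).hostname or ""
        if url == IOC_URL:
            hits.append((m.group("client"), "payload download", url))
        elif host == IOC_HOST:
            hits.append((m.group("client"), "payload host", url))
        elif host == IOC_IP:
            hits.append((m.group("client"), "c2 traffic", url))
    return hits


def process_hits(events):
    """Flag Office spawning an .exe from %TEMP%, or any run of the dropped file name."""
    hits = []
    for ev in events:
        image = ev["image"]
        if OFFICE_RE.search(ev["parent"]) and TEMP_EXE_RE.search(image):
            hits.append(("office->temp exe", image))
        elif image.lower().endswith("\\" + IOC_DROPPED):
            hits.append(("known dropped name", image))
    return hits


if __name__ == "__main__":
    for hit in proxy_hits(PROXY_LOG):
        print("proxy:", *hit)
    for hit in process_hits(PROC_LOG):
        print("process:", *hit)
```

The specific URL, host and IP checks will go stale as the campaign rotates infrastructure, which is why the second function also keys on behaviour (an Office process launching an executable from %TEMP%) rather than only on the file name seen in this sample.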


1 comment:

Emanuele Belli said...

Hey thank you for your post, we received the same mail. Do you think there is any way to report them?
Bye!