From: Amazon.co.uk [firstname.lastname@example.org]
Reply-To: "Amazon.co.uk" [email@example.com]
Date: 23 April 2015 at 09:58
Subject: Refund on order 204-2374256-3787503
Greetings from Amazon.co.uk.
We are writing to confirm that we are processing your refund in the amount of £4.89 for your
This amount has been credited to your payment method and will appear when your bank has processed it.
This refund is for the following item(s):
Item: Beautiful Bitch
Reason for refund: Customer return
The following is the breakdown of your refund for this item:
Item Refund: £4.89
Your refund is being credited as follows:
These amounts will be returned to your payment methods within 5 business days.
The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.
Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:
Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
Thank you for shopping at Amazon.co.uk.
Amazon.co.uk Customer Service
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.
An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
click OK, and then click OK again
Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:
..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools     indicate that it calls out to the following IPs:
18.104.22.168 (RuWeb CJSC, Russia)
22.214.171.124 (OneGbits, Lithuania)
126.96.36.199 (OVH, Czech Republic)
188.8.131.52 (Corgi Tech, UK)
184.108.40.206 (TheFirst-RU, Russia)
The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.