
Monday, 10 August 2015

Malware spam: "Your order 10232 from Create Blinds Online: Paid" / "orders@createblindsonline.co.uk"

This fake invoice does not come from Create Blinds Online but is instead a simple forgery with a malicious attachment.

From:    orders@createblindsonline.co.uk
Reply-To:    orders@createblindsonline.co.uk
Date:    10 August 2015 at 07:59
Subject:    Your order 10232 from Create Blinds Online: Paid

We would like to thank you for your recent order.

Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232
Invoice Number: 10232
Delivery Note:

We received your order and payment on Aug/102015

Your order details are attached:

Kind regards
Create Blinds Online Team

This electronic message contains information from  Create Blinds Online which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.

Attached is a file invoice-10232.doc which comes in at least two different variants [1] [2] containing a macro that looks like this [pastebin]. This attempts to download a malicious binary from one of the following locations:


The VirusTotal detection rate for this is 3/55. The Malwr report and Hybrid Analysis report show that it generates traffic to (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan.
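As an added example (not code from the original post), the following Python script shows one way a mail gateway or triage script could flag a message of this kind: it parses a constructed copy of the lure with the standard library `email` module, then checks each attachment for the campaign-style filename (`invoice-<number>.doc`) and for a Word 97-2003 OLE container whose directory carries the UTF-16LE stream names (`Macros`, `VBA`, `_VBA_PROJECT`) that Word writes when a document contains VBA. The attachment embedded here is a synthetic blob built from those markers, not the real malicious document, and the stream-name check is a heuristic rather than a full OLE parser (for real analysis use a proper tool such as oletools' olevba).

```python
"""Triage an e-mail for a macro-bearing Word attachment.

Added example, not from the original post. The VBA check is a heuristic:
OLE magic bytes plus UTF-16LE stream names that Word uses for VBA storage.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound document (the .doc container format).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names present in a .doc that carries VBA; OLE directory
# entries store names as UTF-16LE, so encode the markers the same way.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "VBA", "_VBA_PROJECT")]

# Filename pattern of the lure described in the post (invoice-10232.doc).
LURE_NAME = re.compile(r"^invoice-\d+\.doc$", re.IGNORECASE)


def has_vba_markers(data: bytes) -> bool:
    """True if data looks like an OLE document that contains VBA streams."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report suspicious attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if LURE_NAME.match(name):
            reasons.append("campaign-style filename")
        if has_vba_markers(payload):
            reasons.append("OLE document with VBA streams")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return {
        "subject": msg["subject"],
        "from": msg["from"],
        "suspicious": bool(findings),
        "attachments": findings,
    }


def build_sample() -> bytes:
    """Constructed message mimicking the lure; the attachment is a synthetic blob.

    It only contains the OLE magic and the VBA stream-name markers, so it is
    not an actual Word document and certainly not the real malware.
    """
    m = EmailMessage()
    m["From"] = "orders@createblindsonline.co.uk"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Your order 10232 from Create Blinds Online: Paid"
    m.set_content("We would like to thank you for your recent order.\n"
                  "Your order details are attached:\n")
    fake_doc = (OLE_MAGIC + b"\x00" * 64
                + "Macros".encode("utf-16-le") + b"\x00" * 16
                + "_VBA_PROJECT".encode("utf-16-le"))
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="invoice-10232.doc")
    return m.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample())
    print(result)
```

In practice the two signals are worth separating: the filename pattern is campaign-specific and will age quickly, while "OLE document with VBA streams arriving from outside the organisation" is a durable policy check that a gateway can apply regardless of the lure text.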


1 comment:

Teresa Earl said...

Hi this is Teresa from createblindsonline.co.uk

We are aware that someone is using our identity and is sending out thousands of emails with an attached order confirmation. Please do not open this attachment. If you have opened, or tried to open, the attachment on a PC, we advise you to run a virus scan.

Our website createblindsonline.co.uk is secure and has not been hacked and we have not taken any money or orders from anybody who has not placed an order with us.

We have had hundreds of phone calls and thousands of emails which we are trying to deal with as best as we can, but we are struggling. Sorry for the inconvenience this has caused anyone.