Sponsored by..

Friday, 23 October 2015

Malware spam: "cleaning invoice" / "deborah Sherer" [thesherers@westnet.co.uk]

This fake financial spam comes with a malicious attachment:
From     "deborah Sherer" [thesherers@westnet.co.uk]
Date     Fri, 23 Oct 2015 17:03:19 +0700
Subject     cleaning invoice


attached is invoice for payment


Deborah Sherer

This email has been checked for viruses by Avast antivirus software.
Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:


This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).

That VirusTotal report plus this Hybrid Analysis report show network traffic to: (Online SAS / Iliad Entreprises / Poney Telecom, France)

Private sources also identify these following IPs as part of the C2 infrastructure: (Trinity College Hartford, US) (Linode, US) (Codero, US)

The payload appears to be the Dridex banking trojan.

Recommended blocklist:



moorthorpesouthelmsallman said...

Just had one myself and put the email address into Google. Pity we can't saturate the email address with spam.
I started getting these emails soon after I changed my mind on buying something from TeenScrapbookinc on i offer.com. Didn't trust the seller who had me commit to buying before he (or she) would send methods of payment to my email address.Certainly didn't want to send them my credit card details. Coincidentally, the 'seller' sent me a link to an invoice but though it had an https url, there was no verisign on the page.
Paypal might be a bind but it's safer.

mrsgondolier said...

I've just had one of these invoices, and strangely enough I have just ordered craft materials from a couple of crafting websites too.I'm not going to open it, just delete it.

kathy keddie said...

Got this email also, googled it, thank goodness - deleted. Also posted the warning on FB

Sweetsue said...

We also had one today and clicked on invoice but nothing showed using mobile and replied as we didn't know who it was and just had mail non delivery notice - will it have caused problems replying and clicking on invoice? I'm not sure if it is?

aPAULing said...

Hi there, I also just got that email sent to myself from postmaster. I will search the web for any type of link to these fuckers and let you know if I find them, so what we spam them or send some scareware back to them as revenge. These people need to be stopped by us.