
Monday, 26 October 2015

Malware spam: "#NC-242455-Zmj Your Norwich Camping Order has shipped!" / sales@norwichcamping.co.uk

This fake financial spam does not come from Norwich Camping but is instead a simple forgery with a malicious attachment:

From     "Norwich Camping" [sales@norwichcamping.co.uk]
Date     Mon, 26 Oct 2015 13:43:14 +0430
Subject     #NC-242455-Zmj Your Norwich Camping Order has shipped!

You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
payment method has now been charged.

Kind regards,
The Norwich Camping & Leisure
Attached is a file invoice-2425.doc, of which I have seen only a single sample so far, with a VirusTotal detection rate of 5/55. The document contains this malicious macro [pastebin] which apparently downloads a malicious binary to %TEMP%\|ZipCock32.exe

Analysis of the document and the payload is pending (please check back later); it most likely downloads the Dridex banking trojan.


According to this Hybrid Analysis report, this version of the malicious document downloads an executable from:


This has a VirusTotal detection rate of 5/55. That report indicates malicious traffic to: (Online SAS / Iliad Entreprises / Poney Telecom, France)

I recommend that you block traffic to that IP.
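As an added example (not part of the original post), the following Python script shows one way a mail administrator could triage a mailbox for this run using only the indicators quoted in the post and in the comment below: the forged sender addresses, the subject pattern, and the attachment names. The sample messages are constructed inline with placeholder bytes in place of the real document, so nothing malicious is embedded; the generic "macro-capable attachment" check on file extensions is my own addition, not something the post describes.

```python
"""Triage e-mails against the indicators quoted for the Norwich Camping spam run."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators quoted in the post and its comment (forged senders, subject, attachments).
FORGED_SENDERS = {"sales@norwichcamping.co.uk", "documents@phsonline.co.uk"}
SUBJECT_RE = re.compile(r"^#NC-\d+-[A-Za-z0-9]+ Your Norwich Camping Order has shipped!$")
KNOWN_ATTACHMENTS = {"invoice-2425.doc", "g-a0287580036267754265.doc"}
# Generic check added here (not from the post): Office formats that can carry VBA macros.
MACRO_CAPABLE = (".doc", ".dot", ".xls", ".docm", ".xlsm")


def triage(raw):
    """Return the list of reasons a raw RFC 822 message matches; empty means no match."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in FORGED_SENDERS:
        reasons.append(f"forged sender {addr}")
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        reasons.append("subject matches campaign pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"known attachment name {name}")
        elif name.lower().endswith(MACRO_CAPABLE):
            reasons.append(f"macro-capable attachment {name}")
    return reasons


def build_sample(sender, subject, attachment_name):
    """Construct a sample message for testing; this is test data, not a real capture."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Your order has now been shipped.")
    if attachment_name:
        # Placeholder bytes stand in for the document; no macro or payload is embedded.
        msg.add_attachment(b"PLACEHOLDER-DOC-BYTES", maintype="application",
                           subtype="msword", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample('"Norwich Camping" <sales@norwichcamping.co.uk>',
                          "#NC-242455-Zmj Your Norwich Camping Order has shipped!",
                          "invoice-2425.doc")
    for reason in triage(sample):
        print(reason)
```

To run this over a real store, feed each message's bytes to `triage()` (for example, iterating a `mailbox.mbox` and calling `message.as_bytes()`), and treat the forged-sender and known-attachment hits as high confidence; the extension check on its own only says an attachment deserves a closer look.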

1 comment:

Jokstar said...

There is also another domain via another version of the document:

Report here:

For us at 10:30 the emails switch to documents@phsonline.co.uk with attachment G-A0287580036267754265.doc which appears to be the same payload and contacts the same domains.