Thursday 1 October 2015

Malware spam: "Please print" / "Chelsee Gee" [chelsee@ucblinds.co.uk]

This fake financial spam is a simple forgery with a malicious attachment:

From     "Chelsee Gee" <chelsee@ucblinds.co.uk>
To     <samantha@longmore.me.uk>
Date     Thu, 01 Oct 2015 18:51:16 +0700
Subject     Please print

Kind Regards

Chelsee Gee

UC Blinds Limited
1150 Stratford Road
Hall Green
Birmingham
B28 8AF


Tel:  0121 777 3092
Fax:  0121 777 3143
Email:  chelsee@ucblinds.co.uk
Website:   <http://www.ucblinds.co.uk/> www.ucblinds.co.uk



All types of Commercial and Domestic Window Blinds ▪ Made to Measure Curtains ▪
Awnings and Canopies ▪ Grilles and Shutters ▪ Internal Plantation Shutters ▪
Window Film ▪ Cleaning and Repairs.

Company No:   7215441
Registered Address:  Nairn House, 1174 Stratford Road, Hall Green, Birmingham, B28 8AQ.

This email is confidential.  If you are not the intended recipient then you must
not copy it, forward it, use it for any purpose, or disclose it to another person.
Instead please return it to the sender immediately.  Please then return and delete
your copy from your system.  Thank you.

Note that the email in my sample is slightly mangled and might not be the same as yours. I received several copies of this, and the normal method is that there are several different email attachments; however, I will look at just one. Named Order-SO00653333-1.doc, this file has a detection rate of 6/56, and it contains this malicious macro [pastebin].

The Hybrid Analysis report for this particular document shows the malware downloading from:

hobby-hangar.net/123/1111.exe

Other locations are:

miastolomza.pl/123/1111.exe
www.ifdcsanluis.edu.ar/123/1111.exe
www.norlabs.de/123/1111.exe
zahnrad-ruger.de/123/1111.exe


This binary has a VirusTotal detection rate of 2/56 and the Hybrid Analysis report for that is here.

The payload is the Dridex banking trojan, and in fact this is the first Dridex I have seen in over a month after some of the alleged perpetrators were arrested.

Recommended blocklist:
miastolomza.pl
ifdcsanluis.edu.ar
norlabs.de
zahnrad-ruger.de
hobby-hangar.net
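As an added example (not part of the original post), the following Python script turns the blocklist and download URLs above into a simple retrospective check over web proxy logs. The five domains and the common /123/1111.exe path are taken from the post; the Squid-style log layout and the sample log lines are constructed for illustration and are not real traffic. Besides exact domain hits, it also flags any other host serving the same payload path, since the download locations in this campaign all share it.

```python
"""Match this post's Dridex download indicators against proxy log lines.

Added example, not code from the original post. The log format and the
sample lines below are constructed for illustration.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains from the recommended blocklist in the post.
BLOCKLIST_DOMAINS = {
    "miastolomza.pl",
    "ifdcsanluis.edu.ar",
    "norlabs.de",
    "zahnrad-ruger.de",
    "hobby-hangar.net",
}
# Every download location listed in the post uses this path.
PAYLOAD_PATH = "/123/1111.exe"


def domain_blocked(host: str) -> bool:
    """True if host is a listed domain or a subdomain of one (e.g. www.norlabs.de)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST_DOMAINS)


def classify_url(url: str) -> Optional[str]:
    """Label a URL that matches the post's indicators, or return None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if domain_blocked(host):
        return "blocklisted-domain"
    if parsed.path == PAYLOAD_PATH:
        # Same payload path on an unlisted host: worth a look as a new location.
        return "payload-path"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, url) for each matching log line.

    Assumes a constructed Squid-like native format where the URL is the 7th
    whitespace-separated field:
    time elapsed client code/status bytes method URL ident hierarchy type
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip it
        label = classify_url(fields[6])
        if label:
            hits.append((n, label, fields[6]))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    "1443700000.123 250 10.0.0.5 TCP_MISS/200 245760 GET http://hobby-hangar.net/123/1111.exe - DIRECT/203.0.113.10 application/octet-stream",
    "1443700001.456 30 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.11 text/html",
    "1443700002.789 100 10.0.0.5 TCP_MISS/200 245760 GET http://www.norlabs.de/123/1111.exe - DIRECT/203.0.113.12 application/octet-stream",
    "1443700003.000 90 10.0.0.9 TCP_MISS/200 245760 GET http://203.0.113.99/123/1111.exe - DIRECT/203.0.113.99 application/octet-stream",
]

if __name__ == "__main__":
    for n, label, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {label}: {url}")
```

Run it as-is to see the three matching lines; to use it on real logs, feed the lines of your own proxy log to scan_proxy_log and adjust the field index if your log format differs from the constructed one. Matching on the parsed hostname rather than a substring search avoids false positives on look-alike names such as notnorlabs.de.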