Monday, 7 December 2015

Malware spam: "Transglobal Express - Shipping Documentation (TG-1569311)" / "sales@transglobalexpress.co.uk"

This fake shipping spam does not come from Transglobal Express but is instead a simple forgery with a malicious attachment.
From:    sales@transglobalexpress.co.uk
Date:    7 December 2015 at 09:28
Subject:    Transglobal Express - Shipping Documentation (TG-1569311)

Transglobal Express

Your Shipping Documentation for - TG-1569311


Booking Ref:
Destination Country:
UPS Express Saver
Collection date:
Your Shipping Label (Air Waybill)
Please find your Shipping Label for the above order attached.
  1. Print two copies of your label(s). Securely attach one copy to your parcel and give one to the UPS driver upon collection.
  2. Please use the label(s) we have provided to avoid any unwanted billing complications with UPS.
Don't have a printer? Please get in touch with us and we'll be happy to post your documentation to you.
You can access all order information and documentation via your My Account area on our website. You can track your parcel using your UPS Air Waybill number via our easy-to-use tracking page.
You can calculate your estimated transit time by visiting our Transit Times page and entering your collection and delivery postcode into the transit time calculator tools for your carrier. Please note that transit times do not account for customs delays.
SECURITY - Please note that your consignment may be subject to X-Ray and/or opened for inspection.


Questions? Issues? Need to rearrange a collection? Call us on 0845 145 1212 (Monday - Friday 9:00-5:30pm), email sales@transglobalexpress.co.uk or say hello via our live chat feature at www.transglobal.org.uk. We are always happy to help.
Many thanks for your order,
Your Customer Services Team
For parcel delivery tips, special offers and up-to-the-minute industry news,
follow us on Twitter @TransGlobalExpr and like us on Facebook.
All work is undertaken subject to our standard Terms and Conditions of carriage (BIFA 2005) which limit our liability.
Copies are available on request or can be downloaded from our web site: www.transglobal.org.uk

Attached is a file 1569311-1Z2X12A50495162278.doc which in the samples I have seen has a detection rate of 7/55 and which contains this malicious macro [pastebin]. According to this Malwr report, the macro downloads a binary from:


This has a VirusTotal detection rate of just 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to: (AT&T Internet Services, US)

I strongly recommend that you block traffic to that IP. The payload here is almost definitely the Dridex banking trojan.
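The post describes the two things a mail-side defender can key on here: a forged shipping-notification sender and a binary Office attachment carrying a VBA macro. The script below is an added example (not part of the original post and not Dynamoo's or Transglobal Express's code) that triages an .eml along those lines: it parses the message, flags attachments that start with the OLE2 compound-document magic and contain UTF-16LE VBA stream names in the directory, and checks whether the visible From domain matches the Return-Path domain. The sample message it builds is constructed, with a synthetic attachment body (magic bytes plus a stream name, not a real document and not the malicious file from the post), and the Return-Path value is an assumption, since the post shows only From, Date and Subject.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound document (the legacy binary .doc/.xls containers).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Stream/storage names present only when a VBA project is embedded. OLE directory
# entries store names as UTF-16LE, so the markers are encoded the same way.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros", "VBA")]
OFFICE_EXTS = (".doc", ".dot", ".xls", ".xlt", ".ppt")


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header (empty string if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def attachment_findings(msg: EmailMessage) -> list:
    """Inspect each attachment for an OLE2 container with VBA project markers."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        f = {"filename": name, "size": len(data), "ole2": False, "vba": False}
        if data.startswith(OLE2_MAGIC):
            f["ole2"] = True
            # Heuristic: a VBA stream name anywhere in the raw bytes. Good enough for
            # OLE2 files; .docm/.xlsm (zip-based OOXML) would need a different check.
            f["vba"] = any(marker in data for marker in VBA_MARKERS)
        f["suspicious"] = f["ole2"] and f["vba"] and name.lower().endswith(OFFICE_EXTS)
        findings.append(f)
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return a triage summary with a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    findings = attachment_findings(msg)
    mismatch = bool(from_dom and rp_dom and from_dom != rp_dom)
    macro_doc = any(f["suspicious"] for f in findings)
    return {
        "subject": str(msg["Subject"]),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "sender_mismatch": mismatch,
        "attachments": findings,
        "verdict": "quarantine" if (mismatch or macro_doc) else "deliver",
    }


def build_sample_eml() -> bytes:
    """Constructed sample modelled on the spam in the post. The attachment content is
    synthetic (OLE2 magic + a UTF-16LE '_VBA_PROJECT' stream name), not a real file.
    The Return-Path is an assumed value; the post does not show the envelope sender."""
    msg = EmailMessage()
    msg["From"] = "sales@transglobalexpress.co.uk"
    msg["Return-Path"] = "<bounce@example.invalid>"  # assumption: forged envelope sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Transglobal Express - Shipping Documentation (TG-1569311)"
    msg.set_content("Please find your Shipping Label for the above order attached.")
    fake_doc = (OLE2_MAGIC + b"\x00" * 24
                + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16)
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="1569311-1Z2X12A50495162278.doc")
    return bytes(msg)


if __name__ == "__main__":
    report = triage(build_sample_eml())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The verdict logic is deliberately conservative: either signal alone (forged sender or macro-bearing binary Office attachment from an external sender) is enough to hold the message for review, which matches how this campaign presents. The byte-search for VBA stream names is a heuristic; a production pipeline would hand the attachment to a proper OLE parser and sandbox, as the Malwr and Hybrid Analysis reports cited in the post did.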

Michael Worth said...

Also seeing traffic to maklu[.]be/87tr65/43wedf[.]exe

Russ said...

Thanks! Just got this email in my inbox.