
Monday, 7 December 2015

Malware spam: "Transglobal Express - Shipping Documentation (TG-1569311)" / "sales@transglobalexpress.co.uk"

This fake shipping spam does not come from Transglobal Express but is instead a simple forgery with a malicious attachment.
From:    sales@transglobalexpress.co.uk
Date:    7 December 2015 at 09:28
Subject:    Transglobal Express - Shipping Documentation (TG-1569311)


Transglobal Express
_______________________________

Your Shipping Documentation for - TG-1569311

ORDER SUMMARY

Booking Ref:
TG-1569311
Destination Country:
UK
Service:
UPS Express Saver
Collection date:
04/12/2015
Your Shipping Label (Air Waybill)
Please find your Shipping Label for the above order attached.
  1. Print two copies of your label(s). Securely attach one copy to your parcel and give one to the UPS driver upon collection.
  2. Please use the label(s) we have provided to avoid any unwanted billing complications with UPS.
Don't have a printer? Please get in touch with us and we'll be happy to post your documentation to you.
You can access all order information and documentation via your My Account area on our website. You can track your parcel using your UPS Air Waybill number via our easy-to-use tracking page.
You can calculate your estimated transit time by visiting our Transit Times page and entering your collection and delivery postcode into the transit time calculator tools for your carrier. Please note that transit times do not account for customs delays.
SECURITY - Please note that your consignment may be subject to X-Ray and/or opened for inspection.

GET IN TOUCH!

Questions? Issues? Need to rearrange a collection? Call us on 0845 145 1212 (Monday- Friday 9:00-5:30pm), email sales@transglobalexpress.co.uk or say hello via our live chat feature at www.transglobal.org.uk. We are always happy to help.
Many thanks for your order,
Your Customer Services Team
For parcel delivery tips, special offers and up-to-the-minute industry news,
follow us on Twitter @TransGlobalExpr and like us on Facebook.
All work is undertaken subject to our standard Terms and Conditions of carriage (BIFA 2005) which limit our liability.
Copies are available on request or can be downloaded from our web site: www.transglobal.org.uk


1569311-1Z2X12A50495162278.doc
59K
Attached is a file 1569311-1Z2X12A50495162278.doc which in the samples I have seen has a detection rate of 7/55 and which contains this malicious macro [pastebin]. According to this Malwr report, the macro downloads a binary from:

www.lama.rs/87tr65/43wedf.exe

This has a VirusTotal detection rate of just 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to:

23.113.113.105 (AT&T Internet Services, US)

I strongly recommend that you block traffic to that IP. The payload here is almost definitely the Dridex banking trojan.

MD5s:
fd7b410fd7936dd51c4b72ef4047c639
b55d33d92aa95d563e13c57c3bfc2dfe
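As an added defender-side example (not part of the original post), the script below applies the indicators listed above, plus the defanged host reported in the comments, to a constructed proxy log and checks an attachment's MD5 against the published hashes. The proxy log layout and the sample log lines are assumptions made for the example.

```python
import hashlib
import re

# Indicators copied from the post above (payload URL, C2 IP, MD5s) plus the
# defanged host reported in the comments. Everything else here is constructed.
IOC_URLS = {
    "www.lama.rs/87tr65/43wedf.exe",
    "maklu[.]be/87tr65/43wedf[.]exe",  # defanged form, as posted in the comments
}
IOC_IPS = {"23.113.113.105"}
IOC_MD5S = {"fd7b410fd7936dd51c4b72ef4047c639", "b55d33d92aa95d563e13c57c3bfc2dfe"}

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('host[.]tld', 'hxxp://') back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")

def scan_proxy_log(lines):
    """Return (client, url, reason) for each request that matches a known indicator."""
    urls = {refang(u) for u in IOC_URLS}
    hosts = {u.split("/")[0] for u in urls}
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        bare = re.sub(r"^https?://", "", m["url"], flags=re.IGNORECASE)
        host = bare.split("/")[0].split(":")[0]
        if bare in urls:
            reason = "payload download URL"
        elif host in hosts or host in IOC_IPS:
            reason = "known malicious host/IP"
        else:
            continue
        hits.append((m["client"], m["url"], reason))
    return hits

def attachment_md5_is_known(data: bytes) -> bool:
    """Hash a received attachment and compare it against the published MD5s."""
    return hashlib.md5(data).hexdigest() in IOC_MD5S

# Constructed sample log lines (not real traffic) exercising the post's indicators.
SAMPLE_LOG = [
    "2015-12-07T09:31:02Z 10.0.0.15 GET http://www.lama.rs/87tr65/43wedf.exe 200",
    "2015-12-07T09:31:05Z 10.0.0.15 POST http://23.113.113.105/ 200",
    "2015-12-07T09:32:10Z 10.0.0.22 GET http://maklu.be/87tr65/43wedf.exe 404",
    "2015-12-07T09:33:00Z 10.0.0.30 GET http://www.example.com/index.html 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first three requests and leaves the unrelated fourth one alone.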


2 comments:

Michael Worth said...

also seeing traffic to maklu[.]be/87tr65/43wedf[.]exe

Russ said...

Thanks! Just got this email in my inbox.