This convincing-looking fake financial email does not come from PHS, but is instead a simple forgery with a malicious attachment:
From: PHSOnline [documents@phsonline.co.uk]
Date: 17 December 2015 at 11:48
Subject: Your new PHS documents are attached

Delivery of new PHS document(s)

Dear Customer

Due to a temporary issue with delivering your document(s) via your
online account, please find the attached in DOC format for your
convenience.

We apologize for you being unable to view your accounts and documents
online in the usual manner. Please note that, in the interim, we will
continue to deliver documents in this manner until the issue is fully
resolved.

Regards

PHS Group

To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.

Connect with PHS:

This email was sent by Personnel Hygiene Services Limited - a member of the
PHS Group. This company is registered in England & Wales to the
address: PHS Group, Block B, Western Ind Estate, Caerphilly CF83 1XH.
Company Reg No: 05384799 VAT No: GB542951438

G-A0287580036267754265.xls 70K

Effectively, this is a re-run of this spam from October.
I have only seen a single sample of this. There is a malicious Excel document attached, G-A0287580036267754265.xls, with a VirusTotal detection rate of 4/54. According to the Malwr report, this attempts to download a binary from:
infosystems-gmbh.de/65dfg77/kmn653.exe
At present, this download location 404s, but other versions of the document will probably have different download locations. The payload is the Dridex banking trojan, as seen several times today [1] [2] [3] [4].