Monday, 25 January 2016

Malware spam FAIL: "Direct Debit Mandate from COMPANY NAME"

This morning's Dridex spam run spoofs a set of random companies. However, the attachment is malformed and cannot be downloaded, at least in the samples I have seen.

From:    Hilton Castaneda
Date:    25 January 2016 at 09:40
Subject:    Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST

Good morning

Please attached Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST;
complete, sign and scan return at your earliest convenience.


Kind regards,

Hilton Castaneda
TEAM SUPPORT
NORTH ATLANTIC SMALL COS INV TST
t. 01897 566 634
f. 0856 814 1637

==========

From:    Stanford Rich
Date:    25 January 2016 at 08:39
Subject:    Direct Debit Mandate from SUNPLUS TECHNOLOGY CO LTD

Good morning

Please attached Direct Debit Mandate from SUNPLUS TECHNOLOGY CO LTD;
complete, sign and scan return at your earliest convenience.


Kind regards,

Stanford Rich
TEAM SUPPORT
SUNPLUS TECHNOLOGY CO LTD
t. 01899 146 416
f. 0818 208 3763

==========

From:    Jewell Chavez
Date:    25 January 2016 at 09:38
Subject:    Direct Debit Mandate from STELLAR DIAMONDS PLC

Good morning

Please attached Direct Debit Mandate from STELLAR DIAMONDS PLC;
complete, sign and scan return at your earliest convenience.


Kind regards,

Jewell Chavez
TEAM SUPPORT
STELLAR DIAMONDS PLC
t. 01723 748 961
f. 0849 101 7259

==========

From:    Louisa Nielsen
Date:    25 January 2016 at 09:08
Subject:    Direct Debit Mandate from HALMA

Good morning

Please attached Direct Debit Mandate from HALMA;
complete, sign and scan return at your earliest convenience.


Kind regards,

Louisa Nielsen
TEAM SUPPORT
HALMA
t. 01522 109 616
f. 0868 158 4319

I haven't had time to do any analysis of the b0rked attachments. I will try to post some updates later.
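As an added example (not part of the original post, and not the blog's own tooling), here is a small Python triage script that parses raw messages with the standard library, scores them against the lure template quoted above (subject line, body phrases, "TEAM SUPPORT" sign-off repeating the spoofed company name), and reports whether each attachment can actually be decoded. Both sample messages are constructed: the lure reuses the sender name, company name and wording from the samples on this page, but the addresses, MIME boundaries and attachment file names are made up, and the base64 body is deliberately corrupted to reproduce the malformed-attachment case the post describes.

```python
"""Triage a batch of raw e-mails for the 'Direct Debit Mandate' lure template.

Added example, not code from the original post. The template phrases come from
the spam samples quoted on the page; the raw messages below are constructed
stand-ins with made-up addresses, boundaries and file names.
"""
import base64
import email
import re
from email import policy

# Template phrases taken from the lure quoted on the page; only the company name varies.
SUBJECT_RE = re.compile(r"^Direct Debit Mandate from (?P<company>.+)$")
BODY_PHRASES = (
    "Please attached Direct Debit Mandate from",
    "complete, sign and scan return at your earliest convenience",
    "TEAM SUPPORT",
)
# File signatures for the document types such lures usually claim to carry.
MAGIC = {".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".docx": b"PK\x03\x04"}


def inspect_attachment(part):
    """Decode one MIME attachment and list anything that makes it unusable."""
    name = part.get_filename() or "(unnamed)"
    payload = part.get_payload(decode=True) or b""
    problems = []
    # The email package does not raise on bad base64; it records defects on the part.
    if part.defects:
        problems.append("transfer-encoding defects recorded")
    if not payload:
        problems.append("empty payload")
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in MAGIC and not payload.startswith(MAGIC[ext]):
        problems.append(f"content does not match {ext} signature")
    return {"name": name, "size": len(payload), "problems": problems}


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the lure template."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    m = SUBJECT_RE.match(subject)
    company = m.group("company") if m else None
    hits = [p for p in BODY_PHRASES if p in text]
    # The template repeats the spoofed company name in the sign-off block.
    signoff = text.split("Kind regards", 1)[1] if "Kind regards" in text else ""
    company_in_signoff = bool(company) and company in signoff
    attachments = [inspect_attachment(p) for p in msg.iter_attachments()]
    score = int(company is not None) + len(hits) + int(company_in_signoff)
    return {
        "company": company,
        "template_hits": hits,
        "attachments": attachments,
        "score": score,
        "matches_template": score >= 4,
    }


# Constructed lure mirroring the page's sample; the base64 body contains
# characters outside the alphabet, so the attachment cannot be decoded cleanly.
LURE = b"""\
From: Hilton Castaneda <hilton@example.invalid>
To: victim@example.invalid
Subject: Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Good morning

Please attached Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST;
complete, sign and scan return at your earliest convenience.

Kind regards,

Hilton Castaneda
TEAM SUPPORT
NORTH ATLANTIC SMALL COS INV TST

--b1
Content-Type: application/msword; name="mandate.doc"
Content-Disposition: attachment; filename="mandate.doc"
Content-Transfer-Encoding: base64

!!!!notbase6!!!!
--b1--
"""

# Constructed benign message with a well-formed attachment (docx magic bytes only).
DOCX_STUB = b"PK\x03\x04constructed docx stand-in"
BENIGN = f"""\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Agenda for Thursday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi, agenda attached, see you Thursday.

--b2
Content-Type: application/octet-stream; name="agenda.docx"
Content-Disposition: attachment; filename="agenda.docx"
Content-Transfer-Encoding: base64

{base64.b64encode(DOCX_STUB).decode()}
--b2--
""".encode()

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

Feed `triage()` the raw bytes of each message in a mailbox dump; a score of 4 or more means the subject, body and sign-off all match the template, and the per-attachment `problems` list tells you whether the payload was actually recoverable, which is the difference between the "nothing to download" behaviour reported here and a working dropper.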

4 comments:

Derek Knight said...

All attachments I have received are working perfectly, Conrad
http://myonlinesecurity.co.uk/direct-debit-mandate-from-random-companies-word-doc-malware/
see https://malwr.com/analysis/MDM5MGFkMmIwMzc4NDk3ZTkxYjM2ZDljYTIyMjUzMDM/
https://www.virustotal.com/en/file/214bf2375880d6f73f0b8f5988737f536ad19c1d201a35bea8e8ce42f8bf86bb/analysis/1453712908/
https://www.virustotal.com/en/file/d15d1bf6982959840298a4f11f1c1433a2a370140e9ff41dd8ed82a060e4b38d/analysis/1453713995/

Nyebodnye said...

Ours don't even have attachments (3 received so far)

Kamil Janton said...

Hello, I very much enjoy your blog. I was wondering if you can recommend any sites similar to yours or any other sources that you commonly use for your research? Thank you

Conrad Longmore said...

@Derek - thanks, it must be behaving differently in different mail clients. Normally I would analyse them anyway, but I've been mega busy.