Sponsored by..

Thursday, 21 January 2016

Malware spam: "Gompels Healthcare Ltd Invoice" / Gompels Healthcare ltd [salesledger@gompels.co.uk]

This fake financial spam does not come from Gompels Healthcare Ltd but is instead a simple forgery with a malicious attachment.

From:    Gompels Healthcare ltd [salesledger@gompels.co.uk]
Date:    21 January 2016 at 12:57
Subject:    Gompels Healthcare Ltd Invoice

Please see attached pdf file for your invoice
Thank you for your business
The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:


That marks it out as Dridex 220, similar to this spam run. However, the executable has change from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal. However, the malware still phones home to the same IP of as  before.


David Everett said...

What happens if I opened document? Which I have. Realised my mistake and pulled out router after 30 seconds

Conrad Longmore said...

@David - the malware will attempt to infect Windows PCs running Microsoft Word. This version seems to use a macro. To check if you are vulnerable to running macros, go into File.. Options.. Trust Center.. click the Trust Center Settings and check the "Macro settings". If you have any one of the three "disabled" settings, you should be OK.

If the macros are set to "enabled" then you have a problem and should assume you are infected. Unless you are monitoring network traffic then it can be very hard to detect if the machine is infected. In our organisation we tend to rebuild Dridex-infected machines from scratch. Alternatively, you can try a really good anti-malware product such as Malwarebytes - https://www.malwarebytes.org/mwb-download/ - which has a good chance of disinfecting it. I would leave the machine switched off for a couple of days, this will enable anti-virus vendors to get updated signatures out.

Good luck..

David Everett said...

Just checked and disable all macros with notification clicked.

So here's hoping.

Thanks for your help Conrad.

I cannot believe how stupid I was.

PeteA said...

We found out that somebody was spoofing us yesterday and even though it's not come from us we've put in place some extra security and all our e-mails are now DKIM signed.

GGarrenton said...

Has anyone logged behavior in Windows 10 yet or with Office 15 and above?