Sponsored by..

Tuesday, 2 February 2016

Malware spam: "Order Dispatch: AA207241" / aalabels [customercare97125@aalabels.com]

This fake financial spam is not from aalabels.com but is instead a simple forgery with a malicious attachment.

From:    aalabels [customercare97125@aalabels.com]
Date:    2 February 2016 at 07:06
Subject:    Order Dispatch: AA207241

Order Dispatch Confirmation

Dear Customer,

This email is to confirm that your order number AA207241 has been dispatched from our warehouse today and your order will be with you the following working day.

Your order has been dispatched via DPD and your order tracking number is 1160173211.

A VAT invoice for your order has been attached in pdf format for your reference.

Code     Product Name     Qty     QS     QB     No of Packs
AAS021WTP     Matt White - Permanent A4 Sheet Labels - 21 Rectangle - 63.5 mm x 38.1 mm     1000     1000     0     10

QS: Quantity Shipped
QB: Quantity Backed

If you need to contact us about this order then please call our customer care team on 01733 588 390 or email customercare@aalabels.com

Thank you for your order.

Kind regards,

AA Labels

23 Wainman Road
United Kingdom
Phone:  01733 588390
Fax: 01733 425106

The sender's email address and detail will vary from email to email, however they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]). These Malwr reports [4] [5] [6] show the macro in the documents downloading from one of the folllowing locations:


This binary has a detection rate of 5/52. That VirusTotal result and those Malwr reports show it phoning home to: (Hostpro Ltd, Ukraine)

I would strongly recommend blocking traffic to that IP, or indeed you can probably block the entire range will no ill effects.

1 comment:

SteveB said...

I thought so. Thanks.