Sponsored by..

Tuesday, 2 February 2016

Malware spam: "RB0081 INV2372039" / Sales invoice [salesinvoice@leathams.co.uk]

This fake financial spam does not come from Leathams but is instead a simple forgery with a malicious attachment.

From:    Sales invoice [salesinvoice@leathams.co.uk]
Reply-To:    "no-reply@leathams.co.uk" [no-reply@leathams.co.uk]
Date:    2 February 2016 at 13:15
Subject:    RB0081 INV2372039

Dear Sir/Madam,

Please find attached your sales invoice(s) for supplied goods.  Please process for payment as soon as possible.

In the event that you have a query - please direct your query as follows;

For the following please contact our Nottingham Office on 020 7635 3190 or email NottinghamTelesales@Leathams.co.uk:

                Incorrect items delivered
                Quality Complaint
                Goods Damaged in Transit
                Price query against goods

For the following please contact Credit Control on 020 7635 4049 or email creditcontrol@leathams.co.uk:

                Delivery Shortages

Please note that queries reported outside of our terms of business may not be accepted.

Many thanks and kind regards

Leathams Credit Control
2 Rollins Street, London, SE15 1EW
Tel: +44 (0)20 7635 4049
Email: creditcontrol@leathams.co.uk

DID YOU KNOW LEATHAMS IS GOING PAPERLES IN 2015 - Please note that Leathams will be emailing all invoices and staments in 2015.  Kindly confirm by return email what email address we should send your future invocies and statements to.

IMPORTANT TERMS OF BUSINESS - Please note the following time critical terms;

Delivery Queries - You must notifiy Leathams in writing of any defects within 2 working days stating precisly its reason(s) for rejection.  Failure to do so within this time frame will result in any claims being rejected.

From:    Sales invoice <salesinvoice@leathams.co.uk>
Reply-to:    "no-reply@leathams.co.uk" <no-reply@leathams.co.uk>
Date:    2 February 2016 at 13:15
Subject:    RB0081 INV2372039

Invoice Queries - You must notifiy Leathams in writing of any descrepancies within 7 working days.  If a query is not resolved in time then it is expected that you settle what you believe to be correct, queries should not hold up any payments to Leathams.

Late Payment Fees - Late payment of invoices will result in penalty interest of 8% above the bank of England base rate. We also reserve the right to apply a late payment fee in accordance with UK Late Payment Legislation.

Size of unpaid debt             Sum to be paid to the creditor

Up to ?999.99                        ?40.00

?1,000.00 to ?9,999.99          ?70.00

?10,000.00 or more               ?100.00

Follow us on Twitter <http://twitter.com/LeathamsLtd>
Connect on LinkedIn <http://www.linkedin.com/company/leathams-ltd/>

www.leathams.co.uk <http://www.leathams.co.uk/>


This e-mail and any attachments are confidential and intended solely for the addressee. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

Internet communications are not guaranteed to be secure or virus-free.

Leathams Ltd does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by Leathams Ltd for operational or business reasons.

Any opinion or other information in this e-mail or its attachments, that does not relate to the business of Leathams Ltd, is personal to the sender and is not given or endorsed by Leathams Ltd.

Leathams Ltd. Registered in England (registered no. 1689381).
Registered Office: 227-255 Ilderton Road, London SE15 1NS, United Kingdom

This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least two different versions (VirusTotal [1] [2]). The Malwr analysis for one of those samples shows a download from:


This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero (MD5 0d37099eaff9c507c782fd81c715255b). Analysis of this is pending. The payload is the Dridex banking trojan.


Automated analysis [1] [2] shows the executable phoning home to: (Hostpro Ltd, Ukraine)

I strongly recommend blocking traffic to that IP, or the whole /22 in which it resides.

No comments: