Sponsored by..

Friday, 12 February 2016

Malware spam: "Your latest invoice from The Fuelcard Company UK Ltd" / customerservice@fuelcards.co.uk

This fake financial spam does not come from The Fuelcard Company UK Ltd but is instead a simple forgery with a malicious attachment. For some reason, fake fuel card spam is popular with the bad guys.
From:    customerservice@fuelcards.co.uk
Date:    12 February 2016 at 10:44
Subject:    Your latest invoice from The Fuelcard Company UK Ltd

Please find your latest invoice attached.

If you have any queries please do not hesitate to contact our Customer Service Team at customerservice@fuelcards.co.uk


The Fuelcard Compa

The Fuelcard Company UK Ltd
St James Business Park   Grimbald Crag Court   Knaresborough   HG5 8QB
Tel 0845 456 1400   Fax 0845 279 9877

Please consider the environment before printing this email.
This email and any files transmitted with it are confidential, maybe legally privileged, and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the system administrator and then kindly delete the message. If you are not the intended recipient, any disclosure, copying, distribution or any other action taken is prohibited, and may be unlawful. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.  Please note that once signed,  The Fuelcard Company terms & conditions take precedence over all prior communications by any employee or agent of The Fuelcard Company. Once a client signs The Fuelcard Company terms & conditions, this will form the full extent of The Fuelcard Company’s agreed contract with the client.

E-mails may be corrupted, intercepted or amended and so we do not accept any liability for the contents received. We accept no responsibility for any loss caused by viruses. You should scan attachments (if any) for viruses.

Head Office: The Fuelcard Company UK Ltd, St James Business Park, Grimbald Crag Court, Knaresborough HG5 8QB

Registered number: 5939102

I have only seen a single sample with an attachment named invoice.xls with a detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.


This Hybrid Analysis shows that this particular sample downloads from:


This is the same executable as found in this earlier spam run.

No comments: