Sponsored by..

Thursday 11 December 2014

"UK Fuels E-bill" (ebillinvoice.com) spam

This fake invoice comes with a malicious attachment:

From:     invoices@ebillinvoice.com
Date:     11 December 2014 at 08:06
Subject:     UK Fuels E-bill

Customer No :           35056
Email address :         [redacted]
Attached file name :    35056_49_2014.doc

Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely

Customer Services
UK Fuels Ltd

This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
This spam is not from UK Fuels Ltd or ebillinvoice.com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors. This downloads a file from the following location:


This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56 at VirusTotal.

The Malwr report shows that it POSTs data to (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you block this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55.

UPDATE 2014-12-12

Another spam run pushing this is in progress, with two different Word attachments seen so far (all called  35056_49_2014.doc. These are currently undetected by AV vendors [1] [2] and contains two slightly different macros [1] [2] [pastebin] that then attempt to download a binary from one of the following locations:


This is then saved as %TEMP%\RPDWVRNDBGX.exe. This executable is malicious but has a VirusTotal detection rate of just 2/56. The ThreatExpert report shows connections to: (Ministry of Education, Thailand) (1&1, US)

Both these IPs have been seen before and are definitely worth blocking. According to the Malwr report, this executable drops a DLL widely identified as the Dridex banking trojan.


Unknown said...

We see the binary POSTing to

Conrad Longmore said...

@Macro, yes. That IP has been used many times recently, it's in the Malwr report.

hwron said...

Strange coincidence - I seem to have the same customer number!

Unknown said...

I got the exactly the same customer number - bit - I DON'T LIVE I IN THE UK.