
Monday 12 January 2015

Malware spam: "Invoice from simply carpets of Keynsham Ltd"

This fake invoice spam comes with a malicious Word document attached. It is not from Simply Carpets of Keynsham Ltd; it is spoofed (i.e. it is a forgery), and their systems have not been compromised in any way.
From:    Simply carpets [sales@simplycarpets.co.uk]
Date:    12 January 2015 at 08:11
Subject:    Invoice from simply carpets of Keynsham Ltd

Your invoice is attached.  Please remit payment at your earliest

Thank you for your business - we appreciate it very much.


simply carpets of Keynsham Ltd
So far this morning I have only seen a single sample of the Word document which is undetected by any anti-virus vendors. This document contains a malicious macro [pastebin] which then downloads an additional component from:


This is then saved as %TEMP%\TYUhfdtUUUdsf.exe. This also has a low detection rate (identified as Dridex), and the Malwr report shows that it attempts to contact the following well-known malware C&C IPs: (1&1, US) (HKBN, Hong Kong)

It probably also drops a malicious DLL, although the Malwr report does not show that.
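
An added example, not part of the original post: a small Python hunt over constructed process-creation events for the behaviour described above, matching both the payload filename and the more general pattern of an Office application starting an executable from a Temp directory. The event layout, host names and the Office-parent heuristic are assumptions; only the filename TYUhfdtUUUdsf.exe comes from the post.

```python
import ntpath

# Filename from the post: the payload is saved as %TEMP%\TYUhfdtUUUdsf.exe
IOC_NAME = "tyuhfdtuuudsf.exe"
# Assumption: Office programs whose child processes are worth reviewing.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Constructed events: timestamp|host|parent image|child image.
# The field layout is an assumption, not a real log format.
SAMPLE_EVENTS = r"""
2015-01-12T08:14:02|PC-014|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|C:\Users\alice\AppData\Local\Temp\TYUhfdtUUUdsf.exe
2015-01-12T08:15:40|PC-014|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
2015-01-12T09:02:11|PC-022|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|C:\Users\bob\AppData\Local\Temp\update_7.exe
2015-01-12T09:30:00|PC-031|C:\Windows\System32\cmd.exe|C:\Users\carol\AppData\Local\Temp\TYUHFDTUUUDSF.EXE
2015-01-12T10:00:00|PC-040|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|C:\Windows\splwow64.exe
""".strip().splitlines()


def in_temp(path):
    """True when the image sits under a directory named Temp."""
    parts = [p.lower() for p in ntpath.dirname(path).split("\\")]
    return "temp" in parts


def classify(line):
    """Return (host, child image, reasons) for a suspicious event, else None."""
    _ts, host, parent, child = line.split("|")
    reasons = []
    # Exact indicator: catches the known payload whatever launched it.
    if ntpath.basename(child).lower() == IOC_NAME:
        reasons.append("payload filename from the post")
    # Behaviour: still fires if a later variant renames the payload.
    if (ntpath.basename(parent).lower() in OFFICE_PARENTS
            and in_temp(child) and child.lower().endswith(".exe")):
        reasons.append("Office application started an executable from Temp")
    return (host, child, reasons) if reasons else None


def hunt(lines):
    """Classify every event and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for host, image, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {'; '.join(reasons)}")
```

The filename match alone misses a renamed payload, and the parent/child rule alone misses a payload started through an intermediate process, which is why the sketch reports both.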

Recommended blocklist:

UPDATE: a second version of the malicious document is also in circulation, again undetected by AV vendors, but this time the macro downloads from:


This is exactly the same binary as downloaded by the other sample.

UPDATE 2015-01-13

If you receive a spam like this and are in the UK, the good folks at Simply Carpets request that you report it to ActionFraud:
Have you received a spoof email from us ref invoice 12983? Call fraud office 03001232040 ref nfrc150100902706. Thank you for your support


Unknown said...

I have had one of these today.
Thanks for info. I won't open attachment

Unknown said...

I have also had one of these arrive today....have not and will not open document attached. Thanks for info!

Unknown said...

Yep, I got one too, thanks for info