Tuesday 31 March 2015

Malware spam: "Circor [DONOTREPLY_JDE@circor.com]" / "CIT Inv# 15013919 for PO# SP14384"

This fake invoice does not come from Circor; it is a simple forgery and is largely a repeat of a spam circulating last month.

From:    Circor [DONOTREPLY_JDE@circor.com]
Date:    31 March 2015 at 10:32
Subject:    CIT Inv# 15013919 for PO# SP14384

Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.

This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com

In the sample I have seen, there is an attachment FOPRT01.doc which has a VirusTotal detection rate of 5/57. It downloads a binary from:


This binary is the same as used in this attack and it has the same payload.

