Wednesday 6 May 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This spam does not come from Transport for London, but is instead a simple forgery with a malicious attachment.

From:    noresponse@cclondon.com
Date:    6 May 2015 at 12:44
Subject:    Email from Transport for London

Dear Customer,

Please open the attached file to view correspondence from Transport for

If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.

So far I have seen four different versions of the malicious Word document AP0210780545.doc, all with low detection rates [1] [2] [3] [4] containing various macros [1] [2] [3] [4]. These attempt to download an executable from one of the following locations:


This file is saved as %TEMP%\wiley5.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show attempted network traffic to IP addresses hosted by the following providers: Filanco Ltd (Russia); StarNet (Moldova); RuWeb CJSC (Russia); Colobridge (Germany).

This Malwr report shows that it drops a Dridex DLL with a detection rate of 4/56.
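The behaviour chain above (a Word macro writes a downloaded executable to %TEMP% and runs it) leaves a recognisable trace in process-creation telemetry: an Office application as the parent of a process whose image lives under the user's temp folder. The following is an added detection example, not code from the original post; the event records are constructed samples in a simplified Sysmon Event ID 1 shape, and the field names are assumptions.

```python
"""Flag process-creation events where an Office application launches an
executable from the user's temp directory. Added example, not from the
original post; sample events are constructed and field names are assumed."""
import re

# Parents worth watching: the document-handling Office applications.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# %TEMP% normally resolves to C:\Users\<name>\AppData\Local\Temp, which is
# where the payload described in the post (wiley5.exe) was written.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def is_macro_dropper_launch(event):
    """True when an Office process starts an image located under %TEMP%."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "")
    return parent in OFFICE_PARENTS and bool(TEMP_PATH.search(image))


def find_suspicious(events):
    """Return the image paths of every event matching the dropper pattern."""
    return [e["Image"] for e in events if is_macro_dropper_launch(e)]


# Constructed sample events (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    # Word launching a freshly written executable from %TEMP%: the pattern
    # produced by the macro in the post.
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\wiley5.exe"},
    # An installer run from %TEMP% by the shell: same path, benign parent.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup_installer.exe"},
    # Word spawning the print spooler helper: legitimate Office child.
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},
]

if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("suspicious Office child from %TEMP%:", path)
```

Only the first event is reported; the rule keys on the parent/path combination rather than on the file name, so it also covers later variants that use a different executable name.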

Recommended blocklist:

