Monday 29 June 2015

Malware spam: "CEF Documents" / "Dawn.Sandel@cef.co.uk" / "Dawn Sandel"

This fake financial spam does not come from City Electrical Factors but is instead a simple forgery with a malicious attachment.

From: "Dawn.Sandel@cef.co.uk" [Dawn.Sandel@cef.co.uk]
Subject: CEF Documents
Date: Mon, 29 Jun 2015 13:48:27 +0300

Please find attached the following documents issued by City Electrical Factors:

Invoice - BLA/176035 - DUCHMAID

If you have any problems or questions about these documents then please do not hesitate to contact us.

Dawn Sandel
Phone: 01282 698 112
Fax: 01282 696 818

Dawn Sandel
Group Office
Nelson & Northwest Region

City Electrical Factors Limited
Tel: 01282 698 112  Fax: 01282 696 818
11 Kenyon Road, Lomeshaye Industrial Estate, Nelson, BB9 5SP

The attachment is BLA176035.doc which contains a malicious macro. So far I have seen two different versions (Analysed here by Payload Security's Hybrid Analysis [1] [2]) which download a binary from one of the following locations:


This executable has a detection rate of 11/55. Those analyses show the samples phoning home to the following IPs:

(Hetzner, Germany)
(OneGbits, Lithuania)
(OVH, France)
(IP ServerOne, Malaysia)

The payload is probably Dridex, but I was not able to get a copy of the DLL.

Recommended blocklist:
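As an added illustration of how a blocklist like the one recommended above is put to work on the defensive side (this is example code written for this page, not something from the original post or its author), the script below parses a blocklist written in the post's "IP (provider, country)" style, checks outbound proxy log lines against it, and renders the entries as firewall rules. The addresses, the log lines and the log format (a simplified squid-style access log) are all constructed for the example; the IPs come from the RFC 5737 documentation ranges and are placeholders, not the real indicators from this campaign.

```python
"""Match proxy log destinations against a C2 blocklist (added example, not from the post).

All IP addresses below are constructed placeholders from the RFC 5737 documentation
ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); they are not the post's IOCs.
"""
import ipaddress
import re

# Constructed blocklist in the post's "IP (provider, country)" layout. Placeholder values.
BLOCKLIST_TEXT = """\
192.0.2.10 (Hetzner, Germany)
198.51.100.20 (OneGbits, Lithuania)
203.0.113.0/24 (OVH, France)
198.51.100.77 (IP ServerOne, Malaysia)
"""

# Constructed squid-style access log: timestamp, client IP, result, method, URL.
SAMPLE_LOG = """\
1435580907.123 10.0.0.15 TCP_MISS/200 GET http://192.0.2.10/bla176035.exe
1435580912.456 10.0.0.15 TCP_MISS/200 POST http://203.0.113.45:8443/
1435580920.789 10.0.0.22 TCP_HIT/200 GET http://www.example.com/index.html
1435580931.001 10.0.0.15 TCP_MISS/200 POST http://198.51.100.77/
"""

# An IP or CIDR at the start of the line, optionally followed by a "(note)" annotation.
BLOCKLIST_RE = re.compile(r"^\s*([0-9.]+(?:/\d{1,2})?)\s*(?:\((.*?)\))?")
# Host part of an http(s) URL, stopping at "/", ":" or whitespace.
URL_HOST_RE = re.compile(r"https?://([^/:\s]+)")


def parse_blocklist(text):
    """Return a list of (ip_network, note); bare IPs become /32 networks."""
    entries = []
    for line in text.splitlines():
        m = BLOCKLIST_RE.match(line)
        if not m:
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            continue  # malformed entry, skip rather than crash
        entries.append((net, m.group(2) or ""))
    return entries


def extract_host(log_line):
    """Pull the destination host out of the URL field of a log line."""
    m = URL_HOST_RE.search(log_line)
    return m.group(1) if m else None


def match_log(log_text, blocklist):
    """Return (client, destination, note) for every line whose destination is blocklisted."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client = parts[1]
        host = extract_host(line)
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, not an IP literal; DNS resolution is out of scope here
        for net, note in blocklist:
            if addr in net:
                hits.append((client, host, note))
                break
    return hits


def to_iptables(blocklist):
    """Render the blocklist as iptables OUTPUT drop rules, one per entry."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP  # {note}"
            for net, note in blocklist]


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for client, dest, note in match_log(SAMPLE_LOG, bl):
        print(f"ALERT: {client} contacted blocklisted {dest} ({note})")
    print("\n".join(to_iptables(bl)))
```

Note that only IP-literal destinations are matched; a real deployment would also resolve hostnames or match on the hostname field of the proxy log, and would keep the client-side hits (the same internal host contacting several entries, as 10.0.0.15 does above) as the trigger for pulling that machine for examination.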

