
Monday 27 July 2015

Malware spam: "Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715" / "[1NAV PROD RCS] " / "donotreply@royal-canin.fr"

This spam does not come from Royal Canin, but is instead a simple forgery with a malicious attachment:

From     "[1NAV PROD RCS] " [donotreply@royal-canin.fr]
Date     Mon, 27 Jul 2015 18:49:16 +0700
Subject     Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715

Please find attached your Sales Order Confirmation

Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55. It in turn contains a malicious macro that looks like this [pastebin], which downloads an executable from one of the following locations (there are probably more):


This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55. Automated analysis tools [1] [2] [3] show that it attempts to phone home to: (PE Kartashev Anton Evgen'evich, Ukraine)
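A defender-side triage check for the delivery chain described above, added here as an example (not code from the original post): it builds a constructed message that mimics the forgery and flags a .xml attachment that is really a Word 2003 XML document declaring macros. The macro markers it looks for (`w:macrosPresent="yes"` and the `editdata.mso` binData element) are Word's own WordML conventions and are assumed, not taken from this sample; the recipient address is a placeholder.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Markers Word itself writes into a 2003 XML ("WordML") document that carries
# VBA: the macrosPresent flag and the binData element holding editdata.mso.
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
MACRO_MARKERS = (b'w:macrosPresent="yes"', b'w:name="editdata.mso"')


def build_sample_eml(with_macro: bool = True) -> bytes:
    """Constructed message mimicking the lure (not a real capture).

    with_macro=True yields a WordML document declaring a VBA project;
    with_macro=False yields a harmless plain .xml attachment for comparison.
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = '"[1NAV PROD RCS] " <donotreply@royal-canin.fr>'
    msg["To"] = "recipient@example.invalid"   # placeholder recipient
    msg["Subject"] = "Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715"
    msg.set_content("Please find attached your Sales Order Confirmation")
    if with_macro:
        body = ('<?xml version="1.0"?><?mso-application progid="Word.Document"?>'
                f'<w:wordDocument xmlns:w="{WORDML_NS}" w:macrosPresent="yes">'
                '<w:binData w:name="editdata.mso">AAAA</w:binData></w:wordDocument>')
    else:
        body = '<?xml version="1.0"?><order><ref>RET-396716</ref></order>'
    msg.add_attachment(body.encode(), maintype="application", subtype="xml",
                       filename="Order Confirmation RET-396716 230715.xml")
    return bytes(msg)


def triage(raw: bytes) -> list[str]:
    """Return findings for .xml attachments that are really Word documents."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not name.lower().endswith(".xml"):
            continue
        # A genuine data export would not carry the Word progid or namespace.
        if b"Word.Document" in data or WORDML_NS.encode() in data:
            findings.append(f"{name}: .xml attachment is a Word 2003 XML document")
            if any(marker in data for marker in MACRO_MARKERS):
                findings.append(f"{name}: document declares an embedded VBA project")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_eml()):
        print(line)
```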

busiestday said...

My mother got the same email on July 27 2015. Your page helped her know that it was a scam/malware. Thanks!

ram1009 said...

This e-mail was in my inbox this morning without any attachment that I can see, just a lot of code at the bottom.

Capt said...

Those of you who received this mail, are you a usual customer of Royal Canin?
Is this mail sent only to RC customers or to anyone?

Has the RC directory been hacked?