From: GEMS@worldpay.com
Date: 10 August 2015 at 10:17
Subject: Premium Charging MI Package for Merchant 17143013
*** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.
So far I have seen only one sample, named 17143013 01.docm. Despite having a detection rate of 5/55 at VirusTotal, the document is malformed and is Base64 encoded. When manually decoded it still has a detection rate of 5/55, and it contains this malicious macro [pastebin] which then downloads a component from:
gardinfo.net/435rg4/3245rd2.exe
This is exactly the same payload as seen in this spam run, also from this morning.
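The attachment described above is an OOXML (.docm) file that arrives Base64-encoded and only reveals its VBA project once decoded. The following is an added example, not part of the original post, showing how a mail-gateway or triage script can unwrap such a Base64-wrapped attachment, confirm it is a zip-based Office container, and flag the presence of a macro project (`word/vbaProject.bin`). The sample attachment is constructed in the script itself (a minimal zip with a fake vbaProject.bin), so it runs offline; the function names and the "quarantine/allow" verdict strings are my own choices.

```python
import base64
import binascii
import io
import re
import zipfile


def build_sample_attachment(with_macro: bool = True, wrap_base64: bool = True) -> bytes:
    """Constructed test data: a minimal OOXML-style zip, optionally with a VBA
    project part, optionally Base64-encoded like the attachment in the post.
    This is NOT the real sample from the spam run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types><Default Extension="xml" '
            'ContentType="application/xml"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by filler; real vbaProject.bin is an OLE2 file
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    raw = buf.getvalue()
    return base64.b64encode(raw) if wrap_base64 else raw


def decode_if_base64(blob: bytes) -> bytes:
    """Return the decoded payload if blob is Base64 text; otherwise return blob unchanged."""
    stripped = re.sub(rb"\s+", b"", blob)
    if not stripped or len(stripped) % 4 != 0:
        return blob
    if not re.fullmatch(rb"[A-Za-z0-9+/]+=*", stripped):
        return blob
    try:
        return base64.b64decode(stripped, validate=True)
    except binascii.Error:
        return blob


def inspect_office_attachment(blob: bytes) -> dict:
    """Unwrap Base64 if present, then check for an OOXML container and a VBA project part."""
    data = decode_if_base64(blob)
    report = {
        "base64_wrapped": data is not blob,
        "is_ooxml": False,
        "has_vba": False,
        "parts": [],
    }
    # OOXML documents are zip archives; local file header magic is "PK\x03\x04"
    if not data.startswith(b"PK\x03\x04"):
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return report
    report["parts"] = names
    report["is_ooxml"] = "[Content_Types].xml" in names
    # Any vbaProject.bin part means the document carries VBA macros
    report["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return report


def verdict(report: dict) -> str:
    """Policy decision for a triage queue (strings are this example's own convention)."""
    if report["is_ooxml"] and report["has_vba"]:
        return "quarantine: macro-enabled Office document"
    if report["is_ooxml"]:
        return "allow: Office document without VBA project"
    return "unknown: not an OOXML container"


if __name__ == "__main__":
    sample = build_sample_attachment()
    rep = inspect_office_attachment(sample)
    print(rep, verdict(rep))
```

The Base64 check is deliberately strict (whole-blob alphabet match, padding validated) so that ordinary binary attachments are not mis-decoded; a gateway would run this on each MIME part rather than on the whole message. Note that a macro-enabled document is not proof of malice, but on a renewal-date invoice lure like this one the combination of an unexpected .docm and an embedded VBA project is exactly what should be held for inspection.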
6 comments:
Just got this. It was well-timed (on renewal date) and the company name was correct, so I suspect they are scraping data for those to target from the "mi" sites.
I just got one of these this morning with the exact same attachment file name
Got one this morning, do I just delete?
Received this the same day I received my statement from WorldPay.
Just received this but googled the email as it didn't make sense and luckily found this thread. It was also doing the rounds in 2009.
Got this today and has a spreadsheet attached. Will delete accordingly.