Sponsored by..

Monday 10 August 2015

Malware spam: "Premium Charging MI Package for Merchant 17143013" / "GEMS@worldpay.com"

This fake financial email does not come from Worldpay but is instead a simple forgery with a malicious attachment:

From:    GEMS@worldpay.com
Date:    10 August 2015 at 10:17
Subject:    Premium Charging MI Package for Merchant 17143013

*** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.

So far I have seen only one sample with named 17143013 01.docm. Despite having a detection rate of 5/55 at VirusTotal, the document is malformed and is Base 64 encoded. When manually decoded it still has a detection rate of 5/55 and it contains this malicious macro [pastebin] which then downloads a component from:


This is exactly the same payload as seen in this spam run also from this morning.


Jason said...

Just got this. It was well-timed (on renewal date) and the the company name was correct, so I suspect they are scraping data for those to target from the "mi" sites.

RT said...

I just got one of these this morning with the exact same attachment file name

Unknown said...

Got one this morning do I just delete

Troy said...

Received this the same day I received my statement from WorldPay.

Mayles said...

Just received this but googled the email as it didn't make sense and luckily found this thread. It was also doing the rounds in 2009.

Unknown said...

Got this today and has a spreadsheet attached. Will delete accordingly.