
Tuesday 25 August 2015

Malware spam: "Visa Card Aug 2015" / "david@ellesmere.engineering"

This fake financial spam does not come from Ellesmere Engineering but is in fact a simple forgery with a malicious attachment.

From     [david@ellesmere.engineering]
To     "'Sharon Howarth'" [sharon@ellesmere.engineering]
Date     Tue, 25 Aug 2015 09:52:47 +0200
Subject     Visa Card Aug 2015

Visa Card payments this month

This email has been checked for viruses by Avast antivirus software.

Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of three malicious macros [1] [2] [3] that then attempt to download a malicious binary from one of the following locations:


This executable has a detection rate of just 1/55 and the Malwr report shows network traffic to: (Hostpro Ltd, Ukraine)

I strongly recommend that you block that IP address. The payload to this is almost definitely the Dridex banking trojan.
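Macro-enabled Office attachments like the .docm described above carry their VBA code in a vbaProject.bin part inside the OOXML zip container, and that part is still present if the file is renamed to .doc or .docx. Below is an added example, not code from the original post, of a mail-gateway style check that flags such attachments by inspecting the container rather than trusting the extension; the sample documents it builds are constructed for testing and the vbaProject.bin contents are a placeholder, not a real macro.

```python
import io
import zipfile

# Content type that OOXML packages use to declare an embedded VBA project.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_indicators(data: bytes) -> dict:
    """Inspect OOXML attachment bytes (.docm/.docx/.xlsm ...) for VBA indicators.

    is_ooxml  - bytes are a zip with a [Content_Types].xml part
    vba_parts - archive entries named vbaProject.bin (the macro container)
    declared  - [Content_Types].xml declares the VBA project content type
    """
    result = {"is_ooxml": False, "vba_parts": [], "declared": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declared"] = MACRO_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass  # not a zip container at all; leave is_ooxml False
    return result


def should_quarantine(data: bytes) -> bool:
    """Flag the attachment if it carries a VBA project, whatever its extension says."""
    ind = office_macro_indicators(data)
    # A renamed .docm still contains vbaProject.bin, so inspect content, not the name.
    return bool(ind["vba_parts"]) or ind["declared"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document for testing; not a real malware sample."""
    types_xml = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="xml" ContentType="application/xml"/>')
    if with_macro:
        types_xml += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
    types_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")  # fake OLE header
    return buf.getvalue()
```

Pairing this content check with a block on the known download host gives two independent chances to stop the chain: the attachment never reaches the user, and a macro that does run cannot fetch its payload.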



Alan M said...

Thank you for the explanation. I suddenly started getting scores of these. Fortunately, probably not too much of a threat to Mac users, if the payload is .exe files?

Alan M.

Conrad Longmore said...

@Alan M: yes, the payload is a Windows .exe file, Macs will be safe. I have seen a huge number of these today as well.

Ranjan said...

I have also received one similar to this. Thanks for the malwr analysis report.

Unknown said...


Firstly, apologies for any problems caused.

I currently work for the company in question. We are an HVCA company based in Manchester and became aware of this problem this morning.

We have been inundated with phone calls warning us about this problem, coming from as far away as France & Sweden.

We are running Kaspersky Small Office across all PCs and servers, and all machines are reported as clean.

The email address david@ellesmere.engineering has been bombarded with "bounce backs" to the tune of 20,500, which has blocked the server of our email provider.

Any ideas on how to block this would be appreciated, and also any ideas on how to stop it recurring in the future.