From "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]
To hp_printer@victimdomain.com
Date Thu, 17 Sep 2015 12:16:26 GMT
Subject FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)

From Mabel Winter
To hp_printer@victimdomain.com
Sent Thu, 17 Sep 2015 12:12:26 GMT
ID 7216378
Number 6767609,1
Title Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment.

The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name, e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip, which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.

The payload appears to be Upatre/Dyre as seen earlier today.
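The samples quoted above give enough indicators to write a mail-gateway triage check: the spoofed sender address, the "Online Discussion Message for RFQ" subject lure, the "please open attachment" body text, the "REFURBISHMENT <7 digits>.zip" attachment name, and a .scr executable inside the zip. The following is an added example written for this page, not code from the blog or from any product; it builds a constructed message modelled on the sample (placeholder bytes stand in for the .scr, no real payload is embedded) and runs the checks over it. The extension list beyond .scr is an assumption added for generality.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the samples quoted above.
KNOWN_SENDER = "hrwfmailerprod@lancashire.gov.uk"
SUBJECT_RE = re.compile(r"Online Discussion Message for RFQ", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^REFURBISHMENT \d{7}\.zip$", re.IGNORECASE)
LURE_TEXT = "to view the message, please open attachment"
# The page only mentions .scr; the other extensions are an assumption added
# so the check also catches the usual double-click-executable renames.
EXEC_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message(attachment_name, inner_name, subject,
                         sender=KNOWN_SENDER,
                         body="To view the message, please open attachment."):
    """Constructed test message modelled on the sample above (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes standing in for the .scr; nothing executable here.
        zf.writestr(inner_name, b"MZ placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = f'"Workflow Mailer" <{sender}>'
    msg["To"] = "hp_printer@victimdomain.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


def executable_members(zip_bytes):
    """Names of members inside a zip whose extension Windows treats as executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_message):
    """Return the list of matched indicators for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    if KNOWN_SENDER in msg.get("From", "").lower():
        hits.append("sender:known-spoofed-mailer")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject:rfq-lure")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_TEXT in body.get_content().lower():
        hits.append("body:open-attachment-lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment:name-pattern:{name}")
        if name.lower().endswith(".zip"):
            # Look inside the archive rather than trusting the .zip name.
            for member in executable_members(part.get_payload(decode=True)):
                hits.append(f"attachment:zip-contains-executable:{member}")
    return hits


def is_suspicious(raw_message):
    """Flag when a zip carries an executable, or when several lure indicators line up."""
    hits = triage(raw_message)
    has_exec = any(h.startswith("attachment:zip-contains-executable") for h in hits)
    return has_exec or len(hits) >= 3


if __name__ == "__main__":
    sample = build_sample_message(
        "REFURBISHMENT 7216378.zip", "REFURBISHMENT 7015295.scr",
        "FYI: Sent: Online Discussion Message for RFQ 6767609,1 "
        "(LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)")
    for hit in triage(sample):
        print(hit)
    print("suspicious:", is_suspicious(sample))
```

The archive is opened and its member names inspected rather than relying on the outer filename, because the zip name changes per message while the executable inside is what matters; a single lure phrase on its own is not enough to block, so the verdict needs either the executable or three independent indicators.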
1 comment:
I have also received this malware email.
From Gladys Staples
To ????????????????????????????
Sent Thu, 17 Sep 2015 12:17:26 GMT
ID 9875496
Number 2910478,6
Title B9T0 - 7D291649 Williams Companies Inc - REFURBISHMENT
Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company Williams Companies Inc
Subject ITT Clarifications
To view the message, please open attachment.