
Friday 30 October 2015

Malware spam: "Purchase Order 0000035394 customer 09221" / "Clare Harding" [purchasing@carterspackaging.com]

This fake financial spam does not come from Carters Packaging Ltd but is instead a simple forgery with a malicious attachment.

From     "Clare Harding" [purchasing@carterspackaging.com]
Date     Fri, 30 Oct 2015 16:42:26 +0530
Subject     Purchase Order 0000035394 customer 09221

Purchase Order 0000035394

Dear customer,

Please find attached a copy of our order (reference 0000035394), your
reference .

If you have any questions regarding the purchase order please contact us
using the details below.

CLARE HARDING

Purchasing Manager
Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall,
TR15 3RT
Fax: +44 (0) 1209 315 600
www.carterspackaging.com

purchasing@carterspackaging.com
Attached is a file Purchase Order 0000035394.doc, which apparently comes in several different versions, although all the samples I saw had the same attachment, with a VirusTotal detection rate of 5/55 and containing this malicious macro [pastebin].

Download locations for all the document versions (h/t to my source) are:

malajsie.webzdarma.cz/45y3f34f/7jh4wqd.exe
fa31.linux-hosting.de/45y3f34f/7jh4wqd.exe
ankarasogukhavadepo.com/45y3f34f/7jh4wqd.exe
selimkaucuk.com/45y3f34f/7jh4wqd.exe


The downloaded executable looks like it is saved as %TEMP%\httsser.exe, and it has a VirusTotal detection rate of 5/55. That VirusTotal report and this reverse.it report show that it generates network traffic to:

221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)

I strongly recommend that you block access to that IP. The payload appears to be the Dridex banking trojan.

MD5s:
a5c52bd47f7fdfd54a2584a669eabe59
337435ffd7a94ce05bea59c0d312e5b3
48dde939b402533d37065bc606ed45a1
d3b4f459d089e6afd52d5650c31aa25e
e70ae9099a5e6daef41fd8dc15191756
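As an added example (not part of the original post), the indicators above can be turned into a small triage script: it flags proxy requests for the payload URLs, firewall connections to the C2 address and files whose MD5 matches the list, and it also flags the payload path /45y3f34f/7jh4wqd.exe on any host, since the post shows the same path on all four download sites. The Squid native access.log layout and the key=value firewall log format are assumptions, and the log lines are constructed, not real captures.

```python
import hashlib
from urllib.parse import urlparse

# Indicators taken from the post.
PAYLOAD_URLS = {
    "malajsie.webzdarma.cz/45y3f34f/7jh4wqd.exe",
    "fa31.linux-hosting.de/45y3f34f/7jh4wqd.exe",
    "ankarasogukhavadepo.com/45y3f34f/7jh4wqd.exe",
    "selimkaucuk.com/45y3f34f/7jh4wqd.exe",
}
PAYLOAD_PATH = "/45y3f34f/7jh4wqd.exe"            # identical on every host in the post
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in PAYLOAD_URLS}
C2_IPS = {"221.132.35.56"}
KNOWN_MD5S = {
    "a5c52bd47f7fdfd54a2584a669eabe59",
    "337435ffd7a94ce05bea59c0d312e5b3",
    "48dde939b402533d37065bc606ed45a1",
    "d3b4f459d089e6afd52d5650c31aa25e",
    "e70ae9099a5e6daef41fd8dc15191756",
}


def match_proxy_line(line: str):
    """Assumed Squid native access.log: ts elapsed client code/status bytes method url ...
    Returns a hit dict or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, url = fields[2], fields[6]
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host + parsed.path in PAYLOAD_URLS:
        reason = "known payload URL"
    elif parsed.path == PAYLOAD_PATH:
        reason = "known payload path on a new host"   # generalisation beyond the four listed hosts
    elif host in DOWNLOAD_HOSTS:
        reason = "contact with known download host"
    else:
        return None
    return {"source": "proxy", "host": client, "indicator": url, "reason": reason}


def match_firewall_line(line: str):
    """Assumed generic key=value firewall log: ts src=.. dst=.. dport=.. proto=.. action=.."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    dst = kv.get("dst")
    if dst in C2_IPS:
        return {"source": "firewall", "host": kv.get("src", "?"),
                "indicator": dst, "reason": "traffic to the C2 address from the post"}
    return None


def is_drop_path(path: str) -> bool:
    """True for the drop location %TEMP%\\httsser.exe (assumes %TEMP% resolves to a ...\\Temp\\ directory)."""
    p = path.replace("/", "\\").lower()
    return p.endswith("\\httsser.exe") and "\\temp\\" in p


def is_known_sample(data: bytes) -> bool:
    """Hash a file's bytes and compare against the MD5 list from the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


def scan(proxy_lines, firewall_lines):
    """Run both matchers and collect every hit."""
    hits = []
    for line in proxy_lines:
        hit = match_proxy_line(line)
        if hit:
            hits.append(hit)
    for line in firewall_lines:
        hit = match_firewall_line(line)
        if hit:
            hits.append(hit)
    return hits


def suspect_hosts(hits):
    """Internal hosts that touched any indicator; these are the ones to isolate."""
    return sorted({h["host"] for h in hits})


# Constructed sample log lines (not real captures) in the two assumed formats.
SAMPLE_PROXY = [
    "1446213746.123    452 10.0.0.12 TCP_MISS/200 146432 GET http://selimkaucuk.com/45y3f34f/7jh4wqd.exe - HIER_DIRECT/- application/octet-stream",
    "1446213750.001     12 10.0.0.15 TCP_HIT/200 5120 GET http://www.carterspackaging.com/ - NONE/- text/html",
    "1446213801.500    300 10.0.0.12 TCP_MISS/404 410 GET http://example.net/45y3f34f/7jh4wqd.exe - HIER_DIRECT/- text/html",
]
SAMPLE_FIREWALL = [
    "2015-10-30T11:20:01Z src=10.0.0.12 dst=221.132.35.56 dport=443 proto=tcp action=allow",
    "2015-10-30T11:20:05Z src=10.0.0.15 dst=192.0.2.10 dport=80 proto=tcp action=allow",
]

if __name__ == "__main__":
    found = scan(SAMPLE_PROXY, SAMPLE_FIREWALL)
    for hit in found:
        print(f"{hit['source']:8} {hit['host']:12} {hit['reason']}: {hit['indicator']}")
    print("hosts to isolate:", ", ".join(suspect_hosts(found)))
```

The path-based rule is the one worth keeping after the listed hosts go quiet: the same directory and filename tend to be reused across whichever compromised sites the next wave uses, so a proxy rule on the path catches the follow-on hosts before anyone publishes them.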

Carters Packaging are on the ball and have put a big notice on their site, which is nice work.


1 comment:

Unknown said...

Hi guys, thanks for your kind words and knowledgeable report. Just to confirm, we are not responsible for the email message, and our servers are not sending out the email; we have just been used as the forefront for the attack. Messages have been sent out from all over the globe, but we offer our apologies for this matter. We thank everyone for their patience and understanding in this headache of a day.

Thanks again,
Carters Packaging