
Monday 26 October 2015

Malware spam: "Your new PHS documents are attached" / "PHSOnline" [documents@phsonline.co.uk]

This spam does not come from PHSOnline, but is instead a simple forgery with a malicious attachment.

From     "PHSOnline" [documents@phsonline.co.uk]
Date     Mon, 26 Oct 2015 20:28:50 +0700
Subject     Your new PHS documents are attached
I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in three different versions (VT results [1] [2] [3]) containing a macro like this [pastebin] which downloads a malicious binary from one of the following locations:


The Hybrid Analysis reports for those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report for this binary shows it downloading from the following location: (Online SAS / Iliad Entreprises / Poney Telecom, France)

This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the same as the ones used in this earlier attack, but the payload has now changed.
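A mail-triage check built from the indicators in this post, as an added example that is not part of the original post: it parses a raw message and reports which of the forged sender, subject and attachment-name indicators it matches. The sample message, its `Authentication-Results` value and the generalised attachment pattern are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the post.
SENDER = "documents@phsonline.co.uk"
SUBJECT = "Your new PHS documents are attached"
# Assumption: generalises G-A0287580036267754265.doc to "G-A" + digits;
# .xls is included because a commenter reports that extension.
ATTACHMENT_RE = re.compile(r"^G-A\d{10,}\.(doc|xls)$", re.IGNORECASE)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b")

# Constructed sample message (not a captured email).
SAMPLE = """\
From: "PHSOnline" <documents@phsonline.co.uk>
Subject: Your new PHS documents are attached
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=phsonline.co.uk
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="G-A0287580036267754265.doc"

(attachment bytes omitted)
--b1--
"""

def triage(raw_message):
    """Return the campaign indicators that a raw RFC 5322 message matches."""
    msg = message_from_string(raw_message)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() == SENDER:
        hits.append("sender")
        # The sender is forged, so the receiving MTA's verdict (if it
        # stamps Authentication-Results) separates spam from real mail.
        auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
        if AUTH_FAIL_RE.search(auth):
            hits.append("auth-fail")
    if msg.get("Subject", "").strip() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name)
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message that matches only `sender` with a passing authentication result is more likely genuine PHS mail, so the attachment and subject hits are the ones to quarantine on.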

1 comment:

Trenk said...

I received it today. The email doesn't look like regular spam emails; this one looks very professional, nicely formatted, header with a good-looking logo...

Attachment name is G-A0287580036267754265.xls
The text body is as follows:

Delivery of new PHS document(s)

Dear Customer

Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.

We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.


PHS Group

To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.