
Wednesday 28 October 2015

Malware spam: "Thank you for your order" / "DoNotReply@ikea.com"

This fake order spam does not come from IKEA but is instead a simple forgery with a malicious attachment.

From:    DoNotReply@ikea.com
Date:    28 October 2015 at 08:57
Subject:    Thank you for your order


Order acknowledgement:

To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
Delivery date:
Delivery method:
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
Order time:
8:31am GMT
Order/Invoice date:
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.

Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55.
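A mail gateway can check incoming messages for the lure traits visible above (sender address, subject line, attachment name). The following Python is an added example, not code from the original post; the function names, the `\d+` generalisation of the receipt number and the quarantine policy are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure traits copied from the message quoted in this post.
LURE_SENDER = "donotreply@ikea.com"
LURE_SUBJECT = "thank you for your order"
# Assumption: the receipt number varies per message, so match any digits.
LURE_ATTACHMENT = re.compile(r"IKEA receipt \d+\.doc", re.IGNORECASE)

def lure_indicators(raw_message):
    """Return which traits of this campaign appear in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == LURE_SENDER:
        hits.append("sender")
    # Collapse whitespace so folded or padded subjects still compare equal.
    if " ".join(str(msg.get("Subject", "")).split()).lower() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and LURE_ATTACHMENT.fullmatch(name.strip()):
            hits.append("attachment")
            break
    return hits

def should_quarantine(raw_message):
    """Assumed policy: the attachment name plus at least one header trait."""
    hits = lure_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

def build_sample(with_attachment):
    """Constructed test message; the attachment body is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "DoNotReply@ikea.com"
    m["Subject"] = "Thank you for your order"
    m.set_content("Order acknowledgement:")
    if with_attachment:
        m.add_attachment(b"placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename="IKEA receipt 607656390.doc")
    return m.as_string()

if __name__ == "__main__":
    for flag in (True, False):
        raw = build_sample(flag)
        print(flag, lure_indicators(raw), should_quarantine(raw))
```

Requiring the attachment name alongside a header trait keeps the rule from firing on mail that merely shares the sender address or subject line.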

Analysis of the document and whatever it downloads is pending, but this is likely to be the Dridex banking trojan.


The reverse.it analysis of the first sample shows a download from:


This dropped binary has a detection rate of just 2/55.

Two further samples have now been seen (VT results [1] [2]) and according to the analysis of one of them, it downloads from:


Analysis of the dropped binary is pending. Please check back shortly.


A further reverse.it analysis shows another download location of:


The reverse.it analysis of the dropped binary is inconclusive.


According to sources cleverer than I, this doesn't appear to be Dridex at all, but Neutrino Bot / Kasidet which downloads the Shifu banking trojan in the UK.


Anonymous said...

What should I do when you open the attachment?

bookwormartist said...

Thanks so much for the info...got this email today, was worried about identity theft.

Unknown said...

Big thanks for this. I just got one so this info was a big help.