From: DoNotReply@ikea.com
Date: 28 October 2015 at 08:57
Subject: Thank you for your order
IKEA UNITED KINGDOMOrder acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60Delivery date:
30-10-2015Delivery method:
ParcelforceWe will confirm your delivery date by text,email or telephone within 72 hrs. Order/Invoice number:
607656390Order time:
8:31am GMTOrder/Invoice date:
30-10-2015Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return PolicyThis is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.
Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55.
Analysis of the document and whatever it downloads is pending, but this is likely to be the Dridex banking trojan.
UPDATE 1:
The reverse.it analysis of the first sample shows a download from:
alvarezsantos.com/4f67g7/d6f7g8.exe
This dropped binary has a detection rate of just 2/55.
Two further samples have now been seen (VT results [1] [2]) and according to the analysis of one them, it downloads from:
experassistance.fr/4f67g7/d6f7g8.exe
Analysis of the dropped binary is pending. Please check back shortly.
UPDATE 2:
A further reverse.it analysis shows another download location of:
www.retrogame.de/4f67g7/d6f7g8.exe
The reverse.it analysis of the dropped binary is inconclusive.
UPDATE 3:
According to sources clever than I, this doesn't appear to be Dridex at all, but Neutrino Bot / Kasidet which downloads the Shifu banking trojan in the UK.
3 comments:
what should I do when you open the attachment.
Thanks so much for the info...got this email today, was worried about identity theft.
Big thanks for this. I just got one so this info was a big help.
Post a Comment