Sponsored by..

Tuesday 3 November 2015

Malware spam: "New Invoice from Documents Online" / "Documents Online Limited" [sales@documentsonline.co.uk]

This fake financial spam has a malicious attachment:

From     "Documents Online Limited" [sales@documentsonline.co.uk]
Date     Tue, 3 Nov 2015 17:24:30 +0530
Subject     New Invoice from Documents Online

Dear Customer,

This is a notice that an invoice has been generated against your account, details
of the invoice are as follows:

Invoice #241
Amount Due: 90.00GBP
Due Date: 01/12/2015
Payment Method: Bank Transfer

Invoice Items

[redacted] (01/12/2015-31/12/2015) 75.00GBP

Sub Total: 75.00GBP
20.00% UK VAT: 15.00GBP
Credit: 0.00GBP
Total: 90.00GBP

Please find attached a copy of this invoice in PDF format for your records.

IMPORTANT: Please open the attached file using your temporary password. Your temporary
password is: UCZ941QXO941

If you have a Direct Debit setup via our payment gateway GoCardless, payment will
be taken automatically on or shortly after the invoice due date. Alternatively payment
can be made in one of the following ways:

1) Online via Credit/Debit card by clicking this link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=241

2) Bank Transfer:

    Lloyds TSB, PO Box 1000, BX1 1LT
    Account: Documents Online Limited
    Sort: 30-94-47
    Account: 39921360

3) Setting up a Direct Debit using our payment gateway GoCardless by following these

a) Click this payment link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=223
(you will need your portal login details).
b) You will be presented with the invoice, click the "Create Subscription" button
top right of the invoice.
c) You will then be automatically redirected to the Go Cardless website, follow the
instructions on screen to setup a recurring direct debit payment.

Thank you for your business and we look forward to receiving your payment.

Kind Regards,

Documents Online Limited
Attached is a password-protected ZIP file Invoice-241.zip (in the case, the password is UCZ941QXO941) which in turn contains a malicious executable Invoice-241.zip.exe (MD5 c5770e371cdfde80dc87187b249b19ea) which appears to be undetected at present.

Analysis of the binary is pending, but it will be nothing good.

This Hybrid Analysis report shows traffic consistent with Upatre dropping the Dyre banking trojan, including traffic to the well known bad IP of: (Cobranet, Nigeria)

No comments: