
Monday 2 November 2015

Malware spam: "Purchase Order 37087-POR" / "Margaret Wimperis [MargaretWimperis@biasbinding.com]"

This fake financial spam does not come from K. Stevens (Leicester) Ltd but is instead a simple forgery with a malicious attachment.

From     Margaret Wimperis [MargaretWimperis@biasbinding.com]
Date     Mon, 02 Nov 2015 18:28:23 +0700
Subject     Purchase Order 37087-POR

Please confirm receipt of order
Kind regards

K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited. The views expressed by the author are not
necessarily those of K. Stevens (Leicester) Ltd.

Attached is a file PORDER.DOC which comes in three different versions (although I only have two samples [1] [2]) containing a malicious macro similar to this one [pastebin], which downloads a binary from the following locations:


This binary has a detection rate of 4/55 and according to that VirusTotal report, this reverse.it report and this Malwr report it contacts the following IP: (DigitalOcean, Singapore)

I strongly recommend that you block that IP. The payload is likely to be the Dridex banking trojan.
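As an added example (not part of the original post), the following stdlib-only triage reproduces the headers shown above in a constructed message and flags the three things a mail gateway could act on: a macro-capable Office attachment, a sender domain that is not on the recipient's supplier allow-list, and a Date offset inconsistent with a UK supplier. `trusted_domains`, the placeholder `supplier.example` and the `EXPECTED_OFFSETS_MIN` policy are assumptions; the attachment bytes are a placeholder, not the real PORDER.DOC.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample reproducing the headers of the spam in the post; the
# attachment content is a placeholder, not the real PORDER.DOC.
SAMPLE_EML = b"""\
From: Margaret Wimperis <MargaretWimperis@biasbinding.com>
Date: Mon, 02 Nov 2015 18:28:23 +0700
Subject: Purchase Order 37087-POR
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm receipt of order
--b1
Content-Type: application/msword; name="PORDER.DOC"
Content-Disposition: attachment; filename="PORDER.DOC"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Extensions that can carry a VBA macro (the delivery mechanism described above).
MACRO_CAPABLE = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm")
# Hypothetical policy: UTC offsets (minutes) a UK supplier's mail is expected to carry.
EXPECTED_OFFSETS_MIN = {0, 60}


def triage(raw: bytes, trusted_domains: frozenset = frozenset()) -> list:
    """Return the indicators matched by a raw RFC 5322 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Macro-capable Office attachment, judged by filename rather than MIME label.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE):
            findings.append(f"macro-capable attachment: {name}")
    # 2. Sender domain is not one the named supplier actually sends from.
    sender_domain = msg["from"].addresses[0].domain.lower()
    if sender_domain not in trusted_domains:
        findings.append(f"untrusted sender domain: {sender_domain}")
    # 3. Date header offset inconsistent with the claimed UK origin.
    offset_min = int(parsedate_to_datetime(msg["date"]).utcoffset().total_seconds() // 60)
    if offset_min not in EXPECTED_OFFSETS_MIN:
        findings.append(f"date offset {offset_min:+d} min outside expected range")
    return findings
```

Running `triage(SAMPLE_EML, frozenset({"supplier.example"}))` returns all three findings for the constructed message; a genuine purchase order from an allow-listed UK supplier without an Office attachment returns an empty list.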


1 comment:

Glissando said...

Just got one of those. Blocked, unopened. Thank you.