
Tuesday, 24 November 2015

Malware spam: "Scan as requested" / "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]

This fake document scan does not come from New Hope Specialist Care but is instead a simple forgery with a malicious attachment:

From     "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]
Date     Tue, 24 Nov 2015 07:11:00 -0300
Subject     Scan as requested


Paulette Riley


New Hope Specialist Care Ltd
126 Brook Road
West Midlands
B68 8AE

tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104


This is an email from New Hope Specialst Care Ltd. The information contained
within this message is intended for the addressee only and may contain
confidential and/or privilege information. If you are not the intended
recipient you may not peruse, use, disseminate, distribute or copy this
message. If you have received this message in error please notify the sender
immediately by email or telephone and either return or destroy the original
message. New Hope Specialsit Care Ltd accept no responsibility for any
changes made to this message after it has been sent by the original author.
The views contained herein do not necessarily represent the views of New
Hope Specialist Care Ltd This email or any of its attachments may contain
data that falls within the scope of the Data Protection Acts. You must
ensure that handling or processing of such data by you is fully compliant
with the terms and provisions of the Data Protection Act 1984 and 1988

This email has been checked for viruses by Avast antivirus software.

Attached is a file 20151009144829748.doc, of which I have seen two versions (VirusTotal results [1] [2]), each containing a macro like this [pastebin].

Analysis of these documents is pending, but the payload is likely to be the Dridex banking trojan.
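For readers who want to triage a message like this one before the VirusTotal and sandbox results are in, here is an added example (my own code, not part of the original post or from any of the tools linked above). It parses a raw e-mail with the Python standard library, hashes each attachment for a VirusTotal lookup, and applies the cheap heuristics a gateway can run offline: an OLE2 magic number (legacy .doc), the "Attribut" marker that begins an MS-OVBA-compressed VBA module stream, and a handful of auto-execute and dropper identifiers that usually survive that compression as literal runs. The message and the attachment bytes in the block are constructed stand-ins, not the real sample; the keyword list and the `suspicious` verdict rule are my assumptions. It is a screening heuristic, not a decompressor; for a real verdict decompress the VBA (for example with olevba) and read the macro.

```python
"""Triage a suspicious e-mail attachment for VBA macro indicators.

Added example, not code from the original post. Standard library only.
The sample message and attachment below are constructed for illustration.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# OLE2 compound-file magic: every legacy .doc/.xls/.ppt starts with this.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# An MS-OVBA-compressed VBA module stream begins with "\x00Attribut\x00e";
# finding it is a cheap tell that the file carries a VBA project.
VBA_MARKER = b"\x00Attribut\x00e"

# Auto-execute entry points and typical dropper calls (assumed list).
# Short identifiers normally survive MS-OVBA compression as literal runs,
# so a substring search finds most of them; it is a heuristic only.
SUSPICIOUS = [b"AutoOpen", b"Document_Open", b"Workbook_Open",
              b"Shell", b"URLDownloadToFile", b"CreateObject"]

# Constructed fake "document": OLE header, padding, compressed-VBA marker
# and a few macro-like strings. Not a real Word file.
FAKE_DOC = (OLE_MAGIC + b"\x00" * 24 + VBA_MARKER +
            b"\x00Sub AutoOpen()\x00Shell\x00URLDownloadToFile\x00")


def inspect_attachment(name, data):
    """Return hash and macro indicators for one attachment's raw bytes."""
    is_ole = data.startswith(OLE_MAGIC)
    has_vba = is_ole and VBA_MARKER in data
    hits = sorted({k.decode() for k in SUSPICIOUS if k in data})
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),  # VirusTotal lookup key
        "ole": is_ole,
        "vba": has_vba,
        "keywords": hits,
        # Verdict rule (assumed): OLE file with a VBA project and at least
        # one auto-exec or dropper identifier.
        "suspicious": has_vba and bool(hits),
    }


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append(inspect_attachment(name, part.get_payload(decode=True)))
    return results


def build_sample():
    """Constructed stand-in for the spam message described in the post."""
    msg = EmailMessage()
    msg["From"] = '"Melissa O\'Neill" <adminoldbury@newhopecare.co.uk>'
    msg["Subject"] = "Scan as requested"
    msg.set_content("Paulette Riley\n")
    msg.add_attachment(FAKE_DOC, maintype="application", subtype="msword",
                       filename="20151009144829748.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage(build_sample()):
        print(result)
```

Run it as-is and it reports the constructed attachment as suspicious with the three keywords it carries; feed `triage()` the bytes of a real message (for example from an `.eml` export) and the SHA-256 it prints is what you search for on VirusTotal.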

Frustratingly, it looks like the web host has suspended newhopecare.co.uk, which is not helpful in these circumstances, as it stops the victim company from posting a warning.


These two Hybrid Analysis reports [1] [2] show a download from the following locations:


This has a VirusTotal detection rate of 4/55. That VT analysis, this Malwr analysis and these two Hybrid Analysis reports [1] [2] show network traffic to:

(Trinity College Hartford, US)
(Agava Ltd, Russia)
(Elvsoft SRV, Romania / Coreix, UK)
(SuperNetwork, Czech Republic)


Recommended blocklist:


Sarah Slater said...

Just received one of these this morning. We appear to be getting several emails a week from various addresses that are trying to access the software. It is very frustrating.
