Thursday 19 November 2015

Malware spam: "[Shipping notification] N3043597 (PB UK)" / "noreply@cevalogistics.com"

This rather terse spam does not come from Ceva Logistics but is instead a simple forgery with a malicious attachment.

From:    noreply@cevalogistics.com
Date:    19 November 2015 at 10:27
Subject:    [Shipping notification] N3043597 (PB UK)
There is no body text, and the "N" number in the subject is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is identical in every case and contains this malicious macro [pastebin]; it has a VirusTotal detection rate of 2/54. The comments on that VirusTotal report plus this Hybrid Analysis report indicate that a malicious binary is downloaded from:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe

That binary has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54, and this Hybrid Analysis report shows malicious traffic to the following IP, which I recommend you block:

182.93.220.146 (Ministry of Education, Thailand)


The payload is almost definitely the Dridex banking trojan.
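As an added example (not part of the original post), the indicators above turned into simple detection logic: a mail-gateway check for the spoofed sender, the subject pattern with its random "N" number, and the attachment name, plus a scan of proxy-log lines for the download URL and the C2 IP. The proxy-log format and the log lines themselves are constructed for the demonstration, and the download URL, given in the post without a scheme, is assumed to be plain http.

```python
import re
from urllib.parse import urlsplit

# Indicators of compromise quoted from the post above.
DOWNLOAD_URL = "iwcleaner.co.uk/8i65h4g53/o97i76u54.exe"  # scheme assumed to be http
PAYLOAD_MD5 = "e0d24cac5fb16c737f5f016e54292388"
C2_IP = "182.93.220.146"
ATTACHMENT_NAME = "shipping-notification.xls"
SPOOFED_SENDER = "noreply@cevalogistics.com"
# The "N" number in the subject is random, so only the fixed parts are matched.
SUBJECT_RE = re.compile(r"^\[shipping notification\] n\d+ \(pb uk\)$", re.I)

# Split the download URL so host and path can be matched independently.
_dl = urlsplit("http://" + DOWNLOAD_URL)
DOWNLOAD_HOST, DOWNLOAD_PATH = _dl.hostname, _dl.path


def check_message(sender, subject, attachments):
    """Return the indicator names matched by one e-mail (empty list = clean)."""
    hits = []
    if sender.strip().lower() == SPOOFED_SENDER:
        hits.append("spoofed-sender")
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject-pattern")
    if any(a.strip().lower() == ATTACHMENT_NAME for a in attachments):
        hits.append("attachment-name")
    return hits


def check_url(url):
    """Return indicator names for a URL seen in proxy or firewall logs."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # hostname drops any :port suffix
    hits = []
    if host == DOWNLOAD_HOST and parts.path == DOWNLOAD_PATH:
        hits.append("payload-url")
    elif host == DOWNLOAD_HOST:
        hits.append("payload-host")  # same compromised host, other path: worth a look
    if host == C2_IP:
        hits.append("c2-ip")
    return hits


def check_hash(md5_hex):
    """Return indicator names for an MD5 hex digest, e.g. from a sandbox report."""
    return ["payload-md5"] if md5_hex.strip().lower() == PAYLOAD_MD5 else []


def scan_proxy_log(lines):
    """Scan constructed 'timestamp client method url status' lines.

    Returns a list of (line_number, url, indicators) for every line that hits.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        found = check_url(url)
        if found:
            hits.append((n, url, found))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_PROXY_LOG = [
    "1447928875.123 10.0.0.21 GET http://www.example.com/index.html 200",
    "1447928901.456 10.0.0.21 GET http://iwcleaner.co.uk/8i65h4g53/o97i76u54.exe 200",
    "1447928930.789 10.0.0.21 POST http://182.93.220.146/ 200",
    "1447928950.001 10.0.0.34 GET http://iwcleaner.co.uk/ 404",
]

if __name__ == "__main__":
    print(check_message(SPOOFED_SENDER,
                        "[Shipping notification] N3043597 (PB UK)",
                        ["shipping-notification.xls"]))
    for line_no, url, found in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {url} -> {', '.join(found)}")
```

The subject regex deliberately anchors on the fixed text and accepts any digit run after "N", so a signature on one sample's number would not miss the rest of the campaign; the separate "payload-host" hit catches later payload paths on the same compromised site.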