Monday 23 November 2015

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE: as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1] [2] [3]), containing a malicious macro like this [pastebin] which, according to these Hybrid Analysis reports [4] [5] [6], downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe
This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)
The payload is likely to be the Dridex banking trojan.
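As an added example, not code from the original post, here is a small Python script that matches proxy log lines against the download URLs and C2 IP addresses listed above. The log format and the sample log lines are constructed assumptions for the example, and the last rule generalises beyond the post by also flagging the same download path served from a host the post does not list.

```python
import re
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the post above: payload download hosts, the
# shared download path, and the IPs the sandbox reports flagged as C2.
DOWNLOAD_HOSTS = {"www.capodorlandoweb.it", "xsnoiseccs.bigpondhosting.com",
                  "cr9090worldrecord.wz.cz"}
DOWNLOAD_PATH = "/u654g/76j5h4g.exe"
C2_IPS = {"157.252.245.32", "89.32.145.12", "89.108.71.148", "91.212.89.239",
          "89.189.174.19", "122.151.73.216", "37.128.132.96", "195.187.111.11",
          "37.99.146.27", "77.221.140.99", "195.251.145.79"}

# Assumed (constructed) proxy log format: <epoch> <client_ip> <method> <url> <dest_ip>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, reason) when a log line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, dest = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if dest in C2_IPS or host in C2_IPS:
        return client, f"traffic to Dridex C2 {dest}"
    if host in DOWNLOAD_HOSTS and parts.path == DOWNLOAD_PATH:
        return client, f"macro payload download {url}"
    if parts.path == DOWNLOAD_PATH:
        # Generalisation beyond the post: same path on a host it does not list.
        return client, f"payload path {DOWNLOAD_PATH} on unlisted host {host}"
    return None

def scan(lines: Iterable[str]) -> list:
    """Run classify() over every line; blank and non-matching lines are dropped."""
    return [hit for hit in (classify(ln) for ln in lines) if hit]

# Constructed sample log; client and destination IPs use documentation ranges.
SAMPLE_LOG = """\
1448276400 10.0.0.5 GET http://www.capodorlandoweb.it/u654g/76j5h4g.exe 198.51.100.20
1448276401 10.0.0.5 POST http://89.32.145.12/ 89.32.145.12
1448276402 10.0.0.9 GET http://www.example.com/index.html 203.0.113.80
1448276403 10.0.0.7 GET http://mirror.invalid/u654g/76j5h4g.exe 198.51.100.21
"""

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{client}: {reason}")
```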

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist: the eleven IP addresses listed above.

17 comments:

  1. I have received the exact same email today. Not opened it of course because I know what I have ordered and when I have ordered and who I have ordered from.

    Going on to the genuine UKMAIL.COM website just out of curiosity double confirms that it is spam.

    AS ALWAYS, IF YOU DON'T EXPECT ANY DELIVERIES, THEN MORE THAN LIKELY YOU'RE NOT GETTING ANYTHING OTHER THAN A HEADACHE IF YOU CLICK OR DOWNLOAD ANYTHING FROM THAT EMAIL.

  2. I also have received the same email today and fortunately it was in my Junk box, otherwise I would probably have opened it as I am waiting on a couple of deliveries; it's so easily done....

    I was lucky this time..gg

  3. We got this today posting as a spoofed HR@.com email. With a trojan XLS included. Some weak obfuscation techniques to obscure it from automated scanners. Looks like it's been passed around from the comments (yes, there are comments included in the macro...).

    It connects to the URLs noted above, scans the system for drives, including mapped shares, and then downloads TrueCrypt from their website to execute the encryption.

  4. sorry, that was supposed to be: "HR@insert company here.com"

  5. I opened it online and nothing came up, stupid I know. I tried to download it and it just said it won't download it as it has a virus. Does this mean my computer is now infected or is it okay?

  6. All of your documents would be gibberish if you had been infected. I think it's safe to say you're probably okay.

  7. Oh dear! I stupidly downloaded and opened this twice just now. What should I do to protect my computer? Appreciate any advice. Thank you!

  8. I have received the same email today. I have opened the attachment on an iPhone 6. Is the iPhone affected?

  9. Would Sophos software detect this? Do I actually need to do anything? I use a Mac.

  10. And are all the passwords saved on Safari safe or should I change them all? I don't think I clicked to enable anything.. the xls file looked empty... but I am not sure if I was looking at it in a protected version.

  11. This downloads a Windows executable, so Macs and smartphones will not be impacted.

  12. Got the same mail just now. Did not open the attachment. Will post this on my FB profile to prevent my friends from opening this mail. /John

  13. Unfortunately, I opened it today thinking that it is associated with the mail I am expecting. My PC is Windows. I scanned it with the esed online scanner. It has found some stuff called like `potential unwanted document` and deleted them. Then I scanned it again and it found the same type of threats but with a lower number. I changed my passwords but I can't stop myself thinking about it. Any suggestions???

  14. I'm from Germany. I got the same mail right now and wondered why I got mail from the UK. So fortunately I didn't open it. Should I change my password?

  15. This comment has been removed by the author.

  16. Today I received the same e-mail with attachment. I have not opened.
    I live in the Netherlands and have a Ziggo account.
