This fake shipping spam does not come from
Transglobal Express but is instead a simple forgery with a malicious attachment.
From: sales@transglobalexpress.co.uk
Date: 7 December 2015 at 09:28
Subject: Transglobal Express - Shipping Documentation (TG-1569311)
Your Shipping Documentation for - TG-1569311

ORDER SUMMARY
Booking Ref: TG-1569311
Destination Country: UK
Service: UPS Express Saver
Collection date: 04/12/2015

Your Shipping Label (Air Waybill)
Please find your Shipping Label for the above order attached.
- Print two copies of your label(s). Securely attach one copy to your parcel and give one to the UPS driver upon collection.
- Please use the label(s) we have provided to avoid any unwanted billing complications with UPS.

Don't have a printer? Please get in touch with us and we'll be happy to post your documentation to you.

You can access all order information and documentation via your My Account area on our website. You can track your parcel using your UPS Air Waybill number via our easy-to-use tracking page.

You can calculate your estimated transit time by visiting our Transit Times page and entering your collection and delivery postcode into the transit time calculator tools for your carrier. Please note that transit times do not account for customs delays.

SECURITY - Please note that your consignment may be subject to X-Ray and/or opened for inspection.

GET IN TOUCH!

Many thanks for your order,
Your Customer Services Team

For parcel delivery tips, special offers and up-to-the-minute industry news, follow us on Twitter @TransGlobalExpr and like us on Facebook.

All work is undertaken subject to our standard Terms and Conditions of carriage (BIFA 2005) which limit our liability. Copies are available on request or can be downloaded from our web site: www.transglobal.org.uk

Attachment: 1569311-1Z2X12A50495162278.doc (59K)
Attached is a file 1569311-1Z2X12A50495162278.doc which, in the samples I have seen, has a detection rate of 7/55 and contains this malicious macro [pastebin]. According to this Malwr report, the macro downloads a binary from:
www.lama.rs/87tr65/43wedf.exe
This executable has a VirusTotal detection rate of just 1/54. Those two reports plus this Hybrid Analysis report indicate network traffic to:
23.113.113.105 (AT&T Internet Services, US)
I strongly recommend that you block traffic to that IP. The payload here is almost certainly the Dridex banking trojan.
MD5s:
fd7b410fd7936dd51c4b72ef4047c639
b55d33d92aa95d563e13c57c3bfc2dfe
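The indicators above (the two download URLs, the C2 IP and the MD5s) are only useful if you actually sweep your logs and quarantined files for them. The script below is an added example, not code from the original post: it loads the indicators, refangs the defanged domain from the comments (maklu[.]be), splits the URLs into host and path so that the shared path /87tr65/43wedf.exe also catches further hosts in the same campaign, and runs the result over a few constructed Squid-format proxy log lines plus an MD5 check for files. The log lines, client IPs and timestamps are constructed for the example; the Squid native access-log layout is assumed.

```python
"""Match proxy log lines and file hashes against the indicators in this post.

Added example, not code from the original post. The log lines below are
constructed in Squid native access-log format; the indicators are the ones the
post and its first comment list (the comment's domain is written defanged as
maklu[.]be, which refang() undoes).
"""
import hashlib
import re

RAW_IOCS = {
    "urls": ["www.lama.rs/87tr65/43wedf.exe", "maklu[.]be/87tr65/43wedf[.]exe"],
    "ips": ["23.113.113.105"],
    "md5s": ["fd7b410fd7936dd51c4b72ef4047c639",
             "b55d33d92aa95d563e13c57c3bfc2dfe"],
}


def refang(indicator: str) -> str:
    """Reverse the usual defanging conventions ([.] and hxxp)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_iocs(raw: dict) -> dict:
    """Split URL indicators into hosts and paths so each can be matched alone.

    Both download URLs share the path /87tr65/43wedf.exe, so matching the path
    by itself also catches further hosts in the same campaign.
    """
    urls = {refang(u).lower() for u in raw["urls"]}
    hosts = {u.split("/", 1)[0] for u in urls}
    paths = {"/" + u.split("/", 1)[1] for u in urls if "/" in u}
    return {
        "hosts": hosts,
        "paths": paths,
        "ips": set(raw["ips"]),
        "md5s": {h.lower() for h in raw["md5s"]},
    }


IOCS = build_iocs(RAW_IOCS)

# Squid native format: timestamp elapsed client action/code bytes method url ...
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def split_url(url: str):
    """Return (host, path) for a logged URL, tolerating a missing scheme and a
    port (CONNECT requests are logged as 'host:port' with no path)."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.lower())
    host_port, _, rest = no_scheme.partition("/")
    host = host_port.split(":")[0]
    return host, "/" + rest


def check_log_line(line: str) -> list:
    """Return (indicator_type, value) hits for one log line; [] if none."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    host, path = split_url(m.group("url"))
    hits = []
    if host in IOCS["hosts"]:
        hits.append(("host", host))
    if host in IOCS["ips"]:
        hits.append(("ip", host))
    if path in IOCS["paths"]:
        hits.append(("path", path))
    return hits


def scan_log(text: str) -> list:
    """Return (client, url, hits) for every log line that matched an indicator."""
    results = []
    for line in text.splitlines():
        hits = check_log_line(line)
        if hits:
            m = LOG_LINE.match(line)
            results.append((m.group("client"), m.group("url"), hits))
    return results


def check_file_md5(data: bytes):
    """Return the MD5 hex digest if it is one of the listed hashes, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in IOCS["md5s"] else None


# Constructed sample log: one benign request, the two dropper downloads (the
# second with a mixed-case scheme and host), and a CONNECT straight to the C2 IP.
SAMPLE_LOG = """\
1449480000.123    250 10.0.0.12 TCP_MISS/200  5120 GET http://www.example.com/index.html - HIER_DIRECT/- text/html
1449480005.456    890 10.0.0.12 TCP_MISS/200 61000 GET http://www.lama.rs/87tr65/43wedf.exe - HIER_DIRECT/- application/octet-stream
1449480007.789    910 10.0.0.27 TCP_MISS/200 61000 GET HTTP://Maklu.be/87tr65/43wedf.exe - HIER_DIRECT/- application/octet-stream
1449480010.012   1200 10.0.0.12 TCP_TUNNEL/200 4096 CONNECT 23.113.113.105:443 - HIER_DIRECT/23.113.113.105 -
"""

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, hits)
```

Matching on the bare path as well as the full host/path pair is deliberate: the comment below shows the same path served from a second domain, which is typical of these campaigns, and a path-only hit is still worth a look even when the host is new.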
2 comments:
Also seeing traffic to maklu[.]be/87tr65/43wedf[.]exe
Thanks! Just got this email in my inbox.