Sponsored by..

Thursday 17 December 2015

Malware spam: "Your new PHS documents are attached" / "PHSOnline [documents@phsonline.co.uk]"

This convincing-looking fake financial email does not come from PHS, but is instead a simple forgery with a a malicious attachment:

From:    PHSOnline [documents@phsonline.co.uk]
Date:    17 December 2015 at 11:48
Subject:    Your new PHS documents are attached

Delivery of new PHS document(s)
Dear Customer
Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.
We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.
PHS Group
To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.
Contact us
Connect with PHS: Twitter   Facebook
This email was sent by Personnel Hygiene Services Limited - a member of the PHS Group. This company is registered in England & Wales to the address: PHS Group, Block B, Western Ind Estate, Caerphilly CF83 1XH. Company Reg No: 05384799 VAT No: GB542951438
PHS Logo


Effectively, this is a re-run of this spam from October.

I have only seen a single sample of this. There is a malicious Excel document attached, G-A0287580036267754265.xls with a VirusTotal detection rate of 4/54. According to the Malwr report this attempts to download a binary from:


At present, this download location 404s but other versions of the document will probably have different download locations.  The payload is the Dridex banking trojan, as seen several times today [1] [2] [3] [4].

No comments: