Sponsored by..

Thursday 17 December 2015

Malware spam: "Your new PHS documents are attached" / "PHSOnline [documents@phsonline.co.uk]"

This convincing-looking fake financial email does not come from PHS, but is instead a simple forgery with a a malicious attachment:

From:    PHSOnline [documents@phsonline.co.uk]
Date:    17 December 2015 at 11:48
Subject:    Your new PHS documents are attached



 
 
 
Delivery of new PHS document(s)
 
 
Dear Customer
 
Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.
 
We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.
 
Regards
 
PHS Group
 
To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.
 
 
Contact us
Connect with PHS: Twitter   Facebook
 
 
This email was sent by Personnel Hygiene Services Limited - a member of the PHS Group. This company is registered in England & Wales to the address: PHS Group, Block B, Western Ind Estate, Caerphilly CF83 1XH. Company Reg No: 05384799 VAT No: GB542951438
PHS Logo
 



G-A0287580036267754265.xls
70K

Effectively, this is a re-run of this spam from October.

I have only seen a single sample of this. There is a malicious Excel document attached, G-A0287580036267754265.xls with a VirusTotal detection rate of 4/54. According to the Malwr report this attempts to download a binary from:

infosystems-gmbh.de/65dfg77/kmn653.exe

At present, this download location 404s but other versions of the document will probably have different download locations.  The payload is the Dridex banking trojan, as seen several times today [1] [2] [3] [4].

No comments: