Sponsored by..

Wednesday, 27 January 2016

Malware spam: "Invoice 9210" / Dawn Salter [dawn@mrswebsolutions.com]

This make financial spam is not from MRS Web Solutions Ltd  but is instead a simple forgery with a malicious attachment.

From     Dawn Salter [dawn@mrswebsolutions.com]
Date     Wed, 27 Jan 2016 19:04:27 +0530
Subject     Invoice 9210

Good afternoon

I hope all is good with you.

Please see attached invoice 9210.

Kind regards

Dawn

Dawn Salter
Office Manager

Tel:
DDI:
Web:


+44 (0)1252 616000 / +44 (0)1252 622722
+44 (0)1252 916494
www.mrswebsolutions.com

1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ


[Google Partner]

[BPMA Chartered Supplier]

[Facebook]

[LinkedIn]

[Twitter]

[Google Plus]


DISCLAIMER: This e-mail and attachments are confidential and are intended solely
for the use of the individual to whom it is addressed. Any views or opinions presented
are solely those of the author and do not necessarily represent those of MRS Web
Solutions Limited. If you are not the intended recipient, be advised that you have
received this e-mail in error and that any use, dissemination, forwarding, printing,
or copying of this e-mail is strictly prohibited. If this transmission is received
in error please notify the sender immediately and delete this message from your e-mail
system. All electronic transmissions to and from MRS Web Solutions Ltd are recorded
and may be monitored.Company Registered in England No. 3900283. VAT GB733622153.


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The attachment is named 9210.doc which I have seen come in three versions (VirusTotal [1] [2] [3]). The Malwr reports for those [4] [5] [6] shows executable download locations at:

www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe
www.hartrijders.com/54t4f4f/7u65j5hg.exe
grudeal.com/54t4f4f/7u65j5hg.exe


This binary has a detection rate of 1/53 and an MD5 of  9c8b2d84665aeedc1368e9951c07a469. Hybrid Analysis of the binary shows that it phones home to:

119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)

This is the same IP as seen in this earlier spam run, I recommend you block it.

3 comments:

Unknown said...
This comment has been removed by the author.
Unknown said...
This comment has been removed by the author.
Unknown said...

Hi, thank you for posting this. Any invoices received should be deleted and we are of course working to rectify any issues. We will keep the website and social media up-to-date http://www.mrswebsolutions.com/