
Friday, 22 January 2016

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

This fake delivery email is not from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    22 January 2016 at 12:14
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.xls and appears to come in at least two variants (VirusTotal [1] [2]). According to these Malwr reports [3] [4], it downloads a malicious executable from:

www.stijnminne.be/ghf56sgu/0976gg.exe
raeva.com.ua/ghf56sgu/0976gg.exe

This binary has a detection rate of 4/54. It is the same payload as found in this earlier spam run.
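
A proxy-log check for the two download locations listed above, as an added example that is not part of the original post. The log layout, client addresses, byte counts and the files.example.net host are constructed; flagging the same path on unlisted hosts is an assumption that other compromised sites may serve the same file.

```python
from urllib.parse import urlsplit

# Indicators taken from the post: two download hosts sharing one path.
KNOWN_HOSTS = {"www.stijnminne.be", "raeva.com.ua"}
PAYLOAD_PATH = "/ghf56sgu/0976gg.exe"

# Constructed sample lines in an assumed layout:
# timestamp client method url status bytes
SAMPLE_LOG = """\
2016-01-22T12:20:03 10.0.0.15 GET http://www.stijnminne.be/ghf56sgu/0976gg.exe 200 286720
2016-01-22T12:21:47 10.0.0.22 GET http://RAEVA.com.ua/ghf56sgu/0976gg.exe 403 0
2016-01-22T12:25:10 10.0.0.31 GET http://files.example.net/ghf56sgu/0976gg.exe?x=1 200 286720
2016-01-22T12:26:00 10.0.0.15 GET http://www.example.org/index.html 200 5120
malformed line
"""

def classify(line):
    """Return (client, host, match, outcome) for a hit, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None  # skip lines that do not fit the assumed layout
    _ts, client, _method, url, status, size = parts
    if "://" not in url:
        url = "http://" + url  # some proxies log scheme-less URLs
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if u.path.lower() != PAYLOAD_PATH:
        return None
    # The same path on an unlisted host is lower confidence but worth review.
    match = "known-host" if host in KNOWN_HOSTS else "path-only"
    # Only a 200 with a non-empty body means the client received the file.
    fetched = status == "200" and size.isdigit() and int(size) > 0
    return (client, host, match, "fetched" if fetched else "not-fetched")

def find_hits(log_text):
    """Collect every log line that requested the payload path."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Clients reported as "fetched" received the executable and should be prioritised for investigation; "not-fetched" still means the attachment was opened and its download attempt ran.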

1 comment:

Ron W said...

I'm an idiot. I just received this email, and opened it. The attached Excel file said it could not open in my current version of Windows. Did this protect me? Or am I at risk? I see elsewhere that neither AVG nor Malwarebytes detects this item, which are the 2 anti-malware programs I use. I'm looking for advice on how, if at all, I should proceed.