Sponsored by..

Wednesday 24 February 2016

Malware spam FAIL: "Thank you for your order!" / DoNotReply@ikea.com

This fake financial spam is not from IKEA, but it instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.

From:    DoNotReply@ikea.com
Date:    24 February 2016 at 09:56
Subject:    Thank you for your order!

Order acknowledgement:

To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
Delivery date:
Delivery method:
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
Order time:
8:31am GMT
Order/Invoice date:
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.
The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do not open it. The attachment is currently being analysed.


Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this.

1 comment:

Jay said...

Thank you. I just received this email and I used my iPhone to read it. I clicked the invoice number and my phone just called the invoice number. Does that mean I opened the malicious document? Will my phone be infected :( ?