Monday 15 February 2016

Malware spam: Overdue Invoice 012345 - COMPANY NAME

This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
From: Brandi Riley [BrandiRiley21849@horrod.com]
Date: 15 February 2016 at 12:20
Subject: Overdue Invoice 089737 - COMS PLC

Dear Customer,

The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.


Brandi Riley


Attached is a file named in the format INVOICE-UK865916 2015 NOV.doc, which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis shows an attempted download from:


This is hosted on an IP that you can assume to be malicious: (Veraton Projects, BZ / DE)

The dropped executable (detection rate 4/54) then phones home to: (Reg.Ru Hosting, Russia) (Cyberindo Aditama, Indonesia) (System Projects LLC, Russia)

The payload is the Dridex banking trojan.
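As an added example that is not part of the original post, the following Python triage routine matches the subject and attachment templates described above (the comment below reports an INVOICE-US variant, so the country code is matched generically). The MailRecord class, the verdict thresholds and all sample messages other than the one quoted in the post are my own constructions.

```python
import re
from dataclasses import dataclass, field

# Subject template seen in the post: "Overdue Invoice 089737 - COMS PLC"
SUBJECT_RE = re.compile(r"^Overdue Invoice (\d{6}) - (.+)$")
# Attachment template: "INVOICE-UK865916 2015 NOV.doc". The comment reports an
# "INVOICE-USxxxxx" variant, so the country code and digit count are left generic.
ATTACHMENT_RE = re.compile(r"^INVOICE-([A-Z]{2})(\d{5,6}) 2015 NOV\.doc$", re.IGNORECASE)

@dataclass
class MailRecord:  # hypothetical record shape, e.g. parsed from a gateway log
    sender: str
    subject: str
    attachments: list = field(default_factory=list)

def match_reasons(rec):
    """Return the campaign indicators present in one message (empty list if none)."""
    reasons = []
    m = SUBJECT_RE.match(rec.subject.strip())
    if m:
        reasons.append(f"subject template (invoice {m.group(1)}, company {m.group(2)!r})")
    for name in rec.attachments:
        a = ATTACHMENT_RE.match(name.strip())
        if a:
            reasons.append(f"attachment template {name!r} (region {a.group(1).upper()})")
    return reasons

def verdict(rec):
    """'quarantine' if subject and attachment both match, 'review' for one, else 'clean'."""
    reasons = match_reasons(rec)
    has_subject = any(r.startswith("subject") for r in reasons)
    has_attach = any(r.startswith("attachment") for r in reasons)
    if has_subject and has_attach:
        return "quarantine"
    return "review" if (has_subject or has_attach) else "clean"

# Constructed sample messages (not real traffic): the message from the post, the
# US variant reported in the comment, a lookalike subject with a PDF, and clean mail.
SAMPLES = [
    MailRecord("BrandiRiley21849@horrod.com", "Overdue Invoice 089737 - COMS PLC", ["INVOICE-UK865916 2015 NOV.doc"]),
    MailRecord("sender@example.net", "Overdue Invoice 412398 - ACME CORP", ["INVOICE-US41239 2015 NOV.doc"]),
    MailRecord("billing@example.org", "Overdue Invoice 300001 - WIDGETS LTD", ["statement-jan.pdf"]),
    MailRecord("jane@example.com", "Re: lunch on Friday"),
]

def triage(records=SAMPLES):
    """Map each sender to its verdict, the output a mail filter would act on."""
    return {r.sender: verdict(r) for r in records}

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{verdict(rec):10s} {rec.sender}: {match_reasons(rec)}")
```

A subject-only hit is deliberately returned as "review" rather than "quarantine", since legitimate dunning mail can share the subject wording but not the attachment template.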

Recommended blocklist:

1 comment:

Luke Acha said...

Seen the same format SUBJECT with similarly named attachments in a recently observed phish.

Over 100 attempted mail deliveries from different senders, all with the Overdue Invoice xxxxxx - COMPANY subject and an attachment INVOICE-USxxxxx 2015 NOV.doc.