Tuesday, 2 February 2016

Malware spam: "PURCHASE 02/02/2016 D1141" / sales@flowervision.co.uk

This spam does not come from Flower Vision but is instead a simple forgery with a malicious attachment:

From:    sales@flowervision.co.uk
Date:    2 February 2016 at 08:28
Subject:    PURCHASE 02/02/2016 D1141


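FLOWERVISION

Internet Order Confirmation

Page 1/1

| Colli |   | Quan | Total | Price | Product | S1 | S2 | S3 | Del.Day | Total | Remark |
|-------|---|------|-------|-------|---------|----|----|----|---------|-------|--------|
| 1 | x | 25 | 25 | 0.32 | Hyacinthus Or Delft Blue | 30 | 0 | 22 | 160129 | 8.00 | Flowers London |
| 4 | x | 1 | 4 | 5.50 | Oasis Spray Paint Voilet | 0 | 0 | 0 | 160129 | 22.00 | Sundries London |
| 2 | x | 10 | 20 | 1.37 | Syringa V Primrose | 90 | 0 | 45 | 160129 | 27.40 | Flowers London |
| 1 | x | 50 | 50 | 0.25 | Tulipa En Antarctica | 40 | 46 | 33 | 160129 | 12.50 | Flowers London |
| 1 | x | 50 | 50 | 0.34 | Veronica Clea Diana | 60 | 0 | 44 | 160129 | 17.00 | Flowers London |
|   |   |   | 149 |   |   |   |   |   |   | 86.90 |   |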

Attached is a file SALES_D1141_02022016_164242.xls which I have seen just one version of, with a detection rate of 1/50. This Hybrid Analysis shows the macro in the spreadsheet downloading from:

www.torinocity.it/5h4g/0oi545gfgf.exe

This binary has a detection rate of 5/51, and is the same payload as seen earlier.
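As an added example (not part of the original post), one way to check web proxy logs for clients that fetched this payload is to match on the download path as well as the host, so that the same file name staged on another site is also flagged. The log format, client addresses and the `example.invalid` host are constructed assumptions; only the host and path indicators come from the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators taken from the post above.
IOC_HOST = "www.torinocity.it"
IOC_PATH = "/5h4g/0oi545gfgf.exe"

# Constructed sample proxy log (assumed format: time client method url status).
SAMPLE_LOG = """\
2016-02-02T08:31:07Z 10.0.4.17 GET http://www.torinocity.it/5h4g/0oi545gfgf.exe 200
2016-02-02T08:31:09Z 10.0.4.22 GET http://www.torinocity.it/index.html 200
2016-02-02T08:40:51Z 10.0.7.3 GET http://mirror.example.invalid/5h4g/0oi545gfgf.exe?x=1 200
2016-02-02T08:44:12Z 10.0.7.9 GET http://WWW.TORINOCITY.IT/5h4g/%30oi545gfgf.exe 403
2016-02-02T08:50:00Z 10.0.9.1 CONNECT intranet.example.invalid:443 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def classify(url):
    """Return 'exact' (host and path match), 'path-only', or None."""
    # Proxy logs may omit the scheme; add '//' so urlsplit still finds the host.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    # Decode percent-escapes and ignore case so trivial variations still match.
    path = unquote(parts.path).lower()
    if path != IOC_PATH:
        return None
    return "exact" if host == IOC_HOST else "path-only"

def hunt(log_text):
    """Return one record per log line that requested the payload path."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, status = m.groups()
        kind = classify(url)
        if kind:
            # A 200 means the proxy let the download through; other codes are attempts.
            hits.append({"time": ts, "client": client,
                         "match": kind, "delivered": status == "200"})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Clients with a `delivered` hit are the ones to triage first, since the macro's download succeeded there.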

2 comments:

Nyebodnye said...

also
www.fabian-enkenbach.de/5h4g/0oi545gfgf.exe

Unknown said...

I got this today, do I just block it?