This spam does not come from Flower Vision but is instead a simple forgery with a malicious attachment:
From: sales@flowervision.co.uk
Date: 2 February 2016 at 08:28
Subject: PURCHASE 02/02/2016 D1141
FLOWERVISION                       Internet Order Confirmation                       Page 1/1

Colli   Quan  Total  Price  Product                    S1  S2  S3  Del.Day   Total  Remark
1 x       25     25   0.32  Hyacinthus Or Delft Blue   30   0  22  160129     8.00  Flowers London
4 x        1      4   5.50  Oasis Spray Paint Voilet    0   0   0  160129    22.00  Sundries London
2 x       10     20   1.37  Syringa V Primrose         90   0  45  160129    27.40  Flowers London
1 x       50     50   0.25  Tulipa En Antarctica       40  46  33  160129    12.50  Flowers London
1 x       50     50   0.34  Veronica Clea Diana        60   0  44  160129    17.00  Flowers London
|
Attached is a file SALES_D1141_02022016_164242.xls, of which I have seen just one version, with a detection rate of 1/50. This Hybrid Analysis report shows the macro in the spreadsheet downloading an executable from:
www.torinocity.it/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/51 and is the same payload as seen earlier. With detection that low, neither the attachment nor the dropped executable can be relied on to be caught by antivirus, so blocking the download location at the proxy or firewall and treating macro-enabled spreadsheets from unexpected senders with suspicion are sensible precautions.
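As an added example, not code from the original post or from the Hybrid Analysis report, the following Python script turns the indicators above into a small matcher for proxy logs and incoming mail. The download path is matched separately from the host, since the comment below reports the same path served from a second compromised site; the proxy log lines are constructed for the example, and the attachment filename pattern is an assumption that generalises the single sample seen.

```python
"""IOC matcher for the Flower Vision forgery (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators taken from the post; the second host comes from the comment below.
DOWNLOAD_PATH = "/5h4g/0oi545gfgf.exe"
KNOWN_HOSTS = {"www.torinocity.it", "www.fabian-enkenbach.de"}
SPOOFED_SENDER = "sales@flowervision.co.uk"
# Assumed generalisation of the one filename seen (SALES_D1141_02022016_164242.xls).
ATTACHMENT_RE = re.compile(r"^SALES_D\d+_\d{8}_\d{6}\.xls$", re.IGNORECASE)

# Constructed Squid-style access log lines (not real traffic):
# time elapsed client code/status bytes method URL ident hierarchy type
PROXY_LOG = """\
1454400000.123 200 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1454400010.456 350 10.0.0.21 TCP_MISS/200 204800 GET http://www.torinocity.it/5h4g/0oi545gfgf.exe - HIER_DIRECT/203.0.113.7 application/octet-stream
1454400020.789 340 10.0.0.33 TCP_MISS/200 204800 GET http://host.invalid/5h4g/0oi545gfgf.exe - HIER_DIRECT/203.0.113.8 application/octet-stream
"""


def classify_url(url: str) -> Optional[str]:
    """Return why a URL matches the indicators, or None if it does not.

    The path is checked first so that the same payload served from a host
    we have not seen before is still caught.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path == DOWNLOAD_PATH:
        if host in KNOWN_HOSTS:
            return "known download URL"
        return "known download path on new host"
    if host in KNOWN_HOSTS:
        return "known download host"
    return None


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def scan_proxy_log(text: str) -> List[Hit]:
    """Scan Squid-style access log lines and return the matching requests."""
    hits: List[Hit] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        reason = classify_url(url)
        if reason:
            hits.append(Hit(client, url, reason))
    return hits


def is_suspicious_mail(sender: str, attachment: str) -> bool:
    """Flag mail claiming to be from the spoofed sender that carries the .xls lure.

    Genuine Flower Vision mail may use the same From address, so the sender
    alone is not enough; the attachment name is required as well (heuristic).
    """
    return sender.lower() == SPOOFED_SENDER and bool(ATTACHMENT_RE.match(attachment))


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(f"{hit.client} fetched {hit.url}: {hit.reason}")
    print(is_suspicious_mail(SPOOFED_SENDER, "SALES_D1141_02022016_164242.xls"))
```

Matching on the path rather than the host is deliberate: the hosts are compromised legitimate sites and change from campaign to campaign, while the path is what the macro is hard-coded to fetch.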
2 comments:
also www.fabian-enkenbach.de/5h4g/0oi545gfgf.exe
I got this today, do I just block it?