Friday 26 February 2016

Malware spam: "Your Order has been despatched from Harrison" / warehouse@harrisonproducts.net

This spam does not come from Harrison Products but is instead a simple forgery with a malicious attachment:

From     warehouse | Harrison [warehouse@harrisonproducts.net]
Date     Fri, 26 Feb 2016 18:07:04 +0500
Subject     Your Order has been despatched from Harrison

Dear Customer

Thank you for your valued Order, your Despatch Confirmation is attached

If there are any queries relating to this delivery please contact our Customer Service
Team on 01451 830083 or email sales@harrisonproducts.net

Kind Regards

The Harrison Products Team


Harrison Products Co. Sterling House, Moreton Road, Longborough, Glos. GL56 0QJ

I have seen only one sample of this, with an attachment named Order ref. 16173.xls, which has a VirusTotal detection rate of 6/55. This Malwr report plus this Hybrid Analysis for that sample show a binary being downloaded from:

thetoyshop.by/system/logs/76tg654viun76b

There are probably other download locations too. This dropped file has a detection rate of 3/52. Those two reports indicate that this is the Dridex banking trojan. It phones home to:

203.162.141.13 (VietNam Data Communication Company, Vietnam)

I strongly recommend that you block traffic to that IP.
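As an added example (not part of the original post), the indicator check below runs the three indicators quoted above (attachment name, download URL, C2 IP) over a handful of constructed proxy, mail-gateway and firewall log lines and lists the internal hosts that should be isolated; the log format and the 10.x internal address convention are assumptions.

```python
"""Check log lines against the indicators quoted in the post.

Constructed example: the log lines below are made up; only the three
indicators (attachment name, download URL, C2 IP) come from the post.
"""
import re

# Indicators taken from the post above
INDICATORS = {
    "attachment": re.compile(r"Order ref\. 16173\.xls", re.IGNORECASE),
    "download": re.compile(r"thetoyshop\.by/system/logs/76tg654viun76b", re.IGNORECASE),
    # Lookarounds stop 203.162.141.13 matching inside e.g. 203.162.141.130
    "c2": re.compile(r"(?<![\d.])203\.162\.141\.13(?![\d.])"),
}

# Constructed sample lines (not real logs): one mail-gateway entry, two proxy
# entries and two firewall entries. Only three of them should match.
SAMPLE_LOG = """\
mailgw: from=<warehouse@harrisonproducts.net> attach="Order ref. 16173.xls"
proxy: 10.0.0.5 GET http://thetoyshop.by/system/logs/76tg654viun76b 200 application/octet-stream
proxy: 10.0.0.7 GET http://example.org/index.html 200 text/html
fw: ALLOW 10.0.0.5:49213 -> 203.162.141.13:443 tcp
fw: ALLOW 10.0.0.9:50001 -> 203.162.141.130:443 tcp
"""


def match_line(line):
    """Return the names of all indicators found in one log line."""
    return [name for name, pat in INDICATORS.items() if pat.search(line)]


def scan(text):
    """Map each matching line to the indicators it hit; clean lines are dropped."""
    hits = {}
    for line in text.splitlines():
        found = match_line(line)
        if found:
            hits[line] = found
    return hits


def infected_hosts(text):
    """Internal (assumed 10.x) hosts seen fetching the dropper or contacting the C2."""
    hosts = set()
    for line, found in scan(text).items():
        if "download" in found or "c2" in found:
            m = re.search(r"\b(10\.\d+\.\d+\.\d+)", line)
            if m:
                hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    for line, found in scan(SAMPLE_LOG).items():
        print(", ".join(found), "|", line)
    print("hosts to isolate:", infected_hosts(SAMPLE_LOG))
```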

1 comment:

opvind said...

I've spotted a similar mail with an attachment with the same name. The system that this mail was received on did not allow any further analysis.