Sponsored by..

Thursday 24 March 2016

Malware spam: "Your order has been despatched" / customer.service@axminster.co.uk

This fake financial spam does not come from Axminster Tools & Machinery, but is instead a simple forgery with a malicious attachment:

From:    customer.service@axminster.co.uk
Date:    24 March 2016 at 10:11
Subject:    Your order has been despatched

Dear Customer

The attached document* provides details of items that have been packed and are ready for despatch.

Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.

Customer Services (for customers in the UK mainland)
Call: 03332 406406
Email: cs@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 6pm
Saturday: 9am - 5pm

Export Sales (for customers outside UK mainland)
Call: +44 1297 33666
Email: exportsales@axminster.co.uk

Opening Hours:
Mon - Fri: 8am - 5.30pm (GMT)

Kind regards

Axminster Tools & Machinery
Unit 10 Weycroft Avenue, Axminster EX13 5PH

* In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/products/acrobat/readstep2.html
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive [3] [4] [5] [6], however a manual analysis of the macros contained within [7] [8]  shows download locations at:


This binary has a detection rate of 6/56 and the Deepviz Analysis and Hybrid Analysis show network traffic to: (Bright House Networks, US) (Level 3 Communications US, / Impsat, Argentina) (FHU Climax Rafal Kraj, Poland) (Dataconstructs, US) (TE Data, Egypt) (Contabo, Germany) (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands) (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine) (Hetzner, Germany) (LetsHost, Ireland)

It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.


Some additional download locations from another source (thank you!)


Recommended blocklist:


Unknown said...
This comment has been removed by the author.
Unknown said...
This comment has been removed by the author.
Unknown said...

What does all that actually mean? I stupidly clicked the link as I'd literally just got off the phone to a company l've made an online purchase with as it had been 2 days since I placed and paid for the order and I hadn't received a confirmation email. The lady on the phone said they hadn't linked my email to my account so that's why I didn't receive confirmation but she said my order was already dispatched and she would resend the invoice for my record. I got the email detailed in this post as soon as I hung up the phone so I assumed it was from them, although I didn't recognise the company name the lady told my they use several different companies as distributors. Got the email I was expecting about 30 mins after but I'd already clicked on the link in the dodgy email. That's using an iPhone, is there any risk and how would I know if it's been affected...?

Conrad Longmore said...

@Neil, this drops Windows malware so your iPhone will be OK. The scenario you describe is exactly the sort of confusion that the bad guys are trying to exploit..they are pretty good at manipulating people!

Unknown said...

One more location for your list - fiddler showed it was trying to go here for my case - macxinterior.com/76f45e5drfg7.exe