From Debbie Haydon [debbie@mvmilk.co.uk]Attached is a malicious Excel file named V414980.XLS, which is the same payload as found in this spam run also happening today.
Date Thu, 12 Nov 2015 18:04:10 +0700
Subject Invoice
Thank you for your order. Your Invoice - V414980 - is attached.
As agreed this invoice will NOT be sent via post.
If you have any questions regarding the attached invoice please telephone our office
on 01708 688422.
kind regards
From AccountsPayable@Norfolk.gov.ukAttached is a file 6134443_101115_141851.xls which apparently comes in two or three versions, although I have only seen one with a VirusTotal detection rate of 3/54 and containing this malicious macro.
Date Thu, 12 Nov 2015 14:09:46 +0430
Subject Remittance Advice
Dear Sir/Madam,
Please find attached your remittance advice.
Regards,
NCC
--
To see our email disclaimer click here http://www.norfolk.gov.uk/emaildisclaimer
|
|||||||||||||||||||||||||||
 |
|||||||||||||||||||||||||||
 |
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase. If you have any questions about this refund, please contact Bowater Incorporated The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account. To see all the transaction details, please download and view from the link below. https://www.paypal.com/uk/cgi-
Original transaction details
Invoice Number: 59266315
PayPal |
|
|||||||||||||||||||||||||
 |
|||||||||||||||||||||||||||
|
Please do not reply to this email because we are not monitoring this
inbox. To get in touch with us, log in to your account and click
"Contact Us" at the bottom of any page. Copyright Š 1999-2015 PayPal. All rights reserved. PayPal (Europe) S.a.r.l. et Cie, S.C.A. Societe en Commandite par Actions Registered office: 64-75 Boulevard Royal, L-3369 Luxemburg RCS Luxemburg B 205 162 PayPal Email ID PP1479 - nsjwiqin1ob5c |
From accounts [accounts@equip4work.co.uk]Attached is a file SI823610.XLS which I have seen only one version of in several samples of the email. Usually there are different variants. In this case, the spreadsheet contains this malicious macro [pastebin] and has a VirusTotal score of 4/54. According to this Hybrid Analysis report it then downloads a malicious binary from:
Date Wed, 11 Nov 2015 14:54:33 +0400
Subject Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584
Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.
This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.
Thank you for your order.
From: no-reply@clicktravel.com [mailto:no-reply@clicktravel.com]
Sent: Tuesday, November 10, 2015 11:21 AM
Subject: Itinerary #C003NS39
Please see document attached
From "Steve McDonnell" [stevem@resimac.co.uk]I have only seen a single sample of this with an attachment named Invoices001396,1406-11.2015.xls which has a VirusTotal detection rate of 3/54 and which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) in this case downloads a binary (very slowly!) from:
Date Mon, 09 Nov 2015 18:24:23 +0530
Subject OUTSTANDING INVOICES
Dear,
Please find attached invoices 1396 & 1406 which are now outstanding.
I should be grateful if you would let me know when they are going to be paid.
Kind Regards
Steve McDonnell
Company Secretary
Resimac Ltd
Unit 11, Poplars Industrial Estate
Wetherby Road, Boroughbridge
North Yorkshire, YO51 9HS
UNITED KINGDOM
Tel: +44 (0) 1423 325073
Web: www.resimacsolutions.com
We are members of...
MIB Vertical logo stacked - Bottom - North East
NOF Logo
From: Sandy Schmitt via Dropbox [no-reply@dropbox.com]
Date: 9 November 2015 at 11:41
Subject: Sandy Schmitt shared "Amendment or the Agreement_09-11-2015.zip" with you
Sandy used Dropbox to share a file with you!
Click here to view.
From: Sarah Jeffes [messages.4143072.154255.7c0a97a59f@messages.netsuite.com]
Date: 6 November 2015 at 11:55
Subject: Payment Notification
Dear Supplier,
Please find attached remittance advice for payment to be processed in your account today.
Kind Regards,
Accounts
Kind Regards Macarthur Gas Pty Ltd.
From: Kes [kerryadamson@bigpond.com]Attached is a file ESale.xls which I have seen just a single variant of across multiple emails. This has a VirusTotal detection rate of 3/54 and contains this malicious macro [pastebin], which (according to this Hybrid Analysis report) downloads a binary from:
Date: 6 November 2015 at 11:07
Subject: Invoice #00004232; From Timber Solutions
Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow. Please pay into the
account, details of which are at the foot of the invoice. Kes
From "eInvoicing" [groupadminstubbinsDONOTREPLY@tnt.com]The attached file is inv6219014291_0519182.zip, although I don't have a sample of that at the moment. The payload is likely to be the Upatre downloader leading to the Dyre banking trojan.
Date Fri, 6 Nov 2015 12:53:01 +0200
Subject Your latest e-invoice from TNT 4677602495 2722813
PLEASE DO NOT RESPOND - Emails to this address are not monitored or responded to.
Please find attached your TNT Invoice. Please note that our standard payment terms
require cleared funds in our account by the 15th of the month following the month
of invoice.
IMPORTANT CONTACT DETAILS
To register an invoice query please contact us at ukinvoicequeries@tnt.co.uk
To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@tnt.com
To set up a Direct Debit plan please contact us at tntdirectdebit@tnt.co.uk
For quick and easy access to your invoices simply log in using your user name and
password to https://express.tnt.com/eInvoicing and you'll be able to view and download
your electronic invoices immediately.
If you have forgotten your user name or password please follow the above link where
you will be able to reset your log-in details. If you are experiencing any technical
issues with your e-Invoicing account please contact us at ukeinvoice@tnt.co.uk
Rest assured, we operate a secure system, so we can confirm that the invoice PDF
originates from TNT and is authenticated with a digital signature. Thank you for
using e-invoicing with TNT the smarter, faster, greener way of processing invoices.
---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise
protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete
this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment
or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s).
Print black and white and double-sided where possible.
----------------------------------------------------------------------------------
From [info@alko.co.uk]Attached is a file Document from AL-KO-01.doc which probably comes in many different versions, but I've only had the chance to run two through analysis. Both are undetected by any AV vendor [1] [2] at present. The structure of the document seems unusual and I am having some difficulties seeing the malicious macros, but these two Hybrid Analysis reports [3] [4] show the macro in action, downloading from:
Date Thu, 05 Nov 2015 16:33:40 +0530
Subject Document from AL-KO
This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)
Document from AL-KO.doc
From "Transport for London" [noresponse@cclondon.com]
Date Wed, 4 Nov 2015 14:33:44 +0100
Subject Email from Transport for London
Dear Customer
Please open the attached file to view correspondence from Transport for London.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.
From "Documents Online Limited" [sales@documentsonline.co.uk]Attached is a password-protected ZIP file Invoice-241.zip (in the case, the password is UCZ941QXO941) which in turn contains a malicious executable Invoice-241.zip.exe (MD5 c5770e371cdfde80dc87187b249b19ea) which appears to be undetected at present.
Date Tue, 3 Nov 2015 17:24:30 +0530
Subject New Invoice from Documents Online
Dear Customer,
This is a notice that an invoice has been generated against your account, details
of the invoice are as follows:
Invoice #241
Amount Due: 90.00GBP
Due Date: 01/12/2015
Payment Method: Bank Transfer
Invoice Items
[redacted] (01/12/2015-31/12/2015) 75.00GBP
------------------------------------------------------
Sub Total: 75.00GBP
20.00% UK VAT: 15.00GBP
Credit: 0.00GBP
Total: 90.00GBP
------------------------------------------------------
Please find attached a copy of this invoice in PDF format for your records.
IMPORTANT: Please open the attached file using your temporary password. Your temporary
password is: UCZ941QXO941
If you have a Direct Debit setup via our payment gateway GoCardless, payment will
be taken automatically on or shortly after the invoice due date. Alternatively payment
can be made in one of the following ways:
1) Online via Credit/Debit card by clicking this link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=241
2) Bank Transfer:
Lloyds TSB, PO Box 1000, BX1 1LT
Account: Documents Online Limited
Sort: 30-94-47
Account: 39921360
3) Setting up a Direct Debit using our payment gateway GoCardless by following these
steps:
a) Click this payment link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=223
(you will need your portal login details).
b) You will be presented with the invoice, click the "Create Subscription" button
top right of the invoice.
c) You will then be automatically redirected to the Go Cardless website, follow the
instructions on screen to setup a recurring direct debit payment.
Thank you for your business and we look forward to receiving your payment.
Kind Regards,
Documents Online Limited
www.documentsonline.co.uk
Attached is a file Advance Shipping Notification 0068352929.DOC which my sources (thank you, btw) say comes in four different versions, although I have only seen three (VirusTotal results [1] [2] [3], Hybrid Analysis results [4] [5] [6]) containing a macro that looks like this [pastebin]. The download locations are:
From ACUVUE_DEL [ship-confirm@acuvue.com]
Date Tue, 03 Nov 2015 12:26:17 +0200
Subject Delivery Confirmation: 0068352929
PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide
From Margaret Wimperis [MargaretWimperis@biasbinding.com]Attached is a file PORDER.DOC which comes in three different versions (although I only have two samples [1] [2]) containing a malicious macro similar to this one [pastebin], which download a binary from the following locations:
Date Mon, 02 Nov 2015 18:28:23 +0700
Subject Purchase Order 37087-POR
Hi
Please confirm receipt of order
Kind regards
Margaret
-----------------------------
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited. The views expressed by the author are not
necessarily those of K. Stevens (Leicester) Ltd.
-----------------------------
From "Clare Harding" [purchasing@carterspackaging.com]Attached is a file Purchase Order 0000035394.doc which apparently comes in several different versions, although all the samples I saw had the same attachment with a VirusTotal detection rate of 5/55 and which contained this malicious macro [pastebin].
Date Fri, 30 Oct 2015 16:42:26 +0530
Subject Purchase Order 0000035394 customer 09221
Purchase Order 0000035394
Dear customer,
Please find attached a copy of our order (reference 0000035394), your
reference .
If you have any questions regarding the purchase order please contact us
using the details below.
CLARE HARDING
Purchasing Manager
Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall,
TR15 3RT
Fax: +44 (0) 1209 315 600
www.carterspackaging.com
purchasing@carterspackaging.com
From: ENOM, INC. [abuse@enom.com.org]In this case, clicking on the link goes to edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr - it looks more authentic because the domain name is in the file download, but in fact you can specify any domain name and it gives a matching file.
Date: 30 October 2015 at 04:11
Subject: Domain LAPTOP-MEMORY.COM Suspension Notice
Dear Sir/Madam,
The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:
Domain Name: LAPTOP-MEMORY.COM
Registrar: ENOM, INC.
Registrant Name: CONRAD LONGMORE
Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-406-7704
From: Sarah [johnson@jbrakes.com]The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.
Date: 29 October 2015 at 08:27
Subject: Documents for Review and Comments
Hi Morning,
Attached are the return documents.
Call me if you need anything.
See you soon. :)
Sarah
From [random]The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far with a detection rate of 3/55 and 2/55 respectively.
Date Wed, 28 Oct 2015 10:39:26 +0100
Subject [random]
Dear :
Boat has been done a week now. I contacted you last week
The
Boat is ready to pick up, I have had inquiries as to people wanting to
buy it,
the carb is in your possession and there is no way to run it,
The boat could
sell real easy at this time of year , Memorial day to 4th of
July most boats
are sold.
Please call me to arrange payment and pickup of the Boat ,
If you
need me to store the boat I can do that at the storage facility ,
they do
charge a fee for this 7.00 per day
The other Invoice for the embroidery will
follow , Balance is due now !
Thanks
Your invoice is attached. Please
remit payment
Thank you for your business - we appreciate it very
much.
Sincerely,
Don and Carol Racine
Racine Design, Inc.
2036 Imeson
Rd
Jacksonville, Fl. 32220
boatclinic@aol.com
www.boatclinic.net
phone (904) 771-8170
fax
(904) 771-0843
From: eFax [message@inbound.efax.com]
Date: 28 October 2015 at 10:08
Subject: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200
FAX_20151028_1445421437_89.doc
99K
From: DoNotReply@ikea.com
Date: 28 October 2015 at 08:57
Subject: Thank you for your order
Order acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
£122.60Delivery date:
30-10-2015Delivery method:
ParcelforceWe will confirm your delivery date by text,email or telephone within 72 hrs.
607656390Order time:
8:31am GMTOrder/Invoice date:
30-10-2015Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return PolicyThis is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.
From: frs-cms-mailer@olen.frb.orgThe attachment in the sample I saw was named CMS Collateral Report_20151027173233.doc which has a VirusTotal detection rate of 4/55. The comments in that report point to another VirusTotal report indicating that it drops Upatre.. but unusually, this code appears to have a valid Comodo certificate.
Date: 27 October 2015 at 17:32
Subject: ZFRSSE - CMS Collateral Report(s) as of 10/27/2015
You have received electronic delivery of the attached CMS Collateral Report(s) from the Federal Reserve System.
______________________________________________________________________
Note: This is an automated message and replies to this mailbox will not be answered. Questions concerning this message can be directed to your Federal Reserve Bank contact. This communication and all attachments hereto contain sensitive and confidential information. As a result, this communication has been encrypted in transit. This communication is intended solely for the use of the addressee and should be handled in accordance with applicable policies and procedures. If you have received this communication in error please delete or destroy all copies of it.
This message was secured in transit. ZFRSSE_20151027173233
-------------------------------------------------------------------------
This message was secured by ZixCorp(R).
This message center is strictly for use by current Federal Reserve System business partner and customer employees, any other use of this system is strictly prohibited.
From: Trinh [zhanxing1497kcuo@163.com]In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.
Date: 27 October 2015 at 18:30
Subject: id:9828_My_Resume
Signed by: 163.com
Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
From "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]
Date Tue, 27 Oct 2015 18:39:34 +0700
Subject RBS Cardholder Application Form
Dear Customer,
We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
Purchase Card. Please find attached the RBS application form which requires your
signature as cardholder on page 2. Also please add the date. Once done can you scan
the document and email it back to me or alternatively post it back to me c/o Purchase
Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
SR2 7DN.
Kind regards,
Wm.
Wm Palmer
Purchase Ordering Officer
Commercial and Corporate Services
Sunderland City Council
Tel: 0191 5617588
www.sunderland.gov.uk
Sunderland City Council: Sunderland Home Page
The Sunderland City Council website is for anyone living, working, visiting or wanting
to invest in Sunderland - a great city by the sea with a balanced way of life ...
Read more...
From "credbills@denbighshire.gov.uk" [credbills@denbighshire.gov.uk]Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr. This has a VirusTotal detection rate of 5/55. The Hybrid Analysis report shows characterstics common to the Upatre/Dyre banking trojan. In particular it identifies traffic to a know bad IP:
Date Tue, 27 Oct 2015 17:46:01 +0530
Subject Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance
Gweler manylion taliad BACS yn atodedig
Please see attached Bacs Remittance
Dilyn ni ar Twitter: http://twitter.com/cyngorsDd Follow us on Twitter: http://twitter.com/DenbighshireCC
Ymwelwch a ni ar-lein ar http://www.sirddinbych.gov.uk Visit us online at http://www.denbighshire.gov.uk
Mae'r wybodaeth a gynhwysir yn yr e-bost hwn ac unrhyw ffeiliau a drosglwyddir gydag
o wedi eu bwriadu yn unig ar gyfer pwy bynnag y cyfeirir ef ato neu atynt. Os ydych
wedi derbyn yr e-bost hwn drwy gamgymeriad, hysbyswch yr anfonwr ar unwaith os gwelwch
yn dda. Mae cynnwys yr e-bost yn cynrychioli barn yr unigolyn(ion) a enwir uchod
ac nid yw o angenrheidrwydd yn cynrychioli barn Cyngor Sir Ddinbych. Serch hynny,
fel Corff Cyhoeddus, efallai y bydd angen i Gyngor Sir Ddinbych ddatgelu'r e-bost
hwn [neu unrhyw ymateb iddo] dan ddarpariaethau deddfwriaethol. The information contained
in this e-mail message and any files transmitted with it is intended solely for the
use of the individual or entity to whom they are addressed. If you have received
this e-mail in error please notify the sender immediately. The contents of this e-mail
represents the views of the individual(s) named above and do not necessarily represent
the views of Denbighshire County Council. However, as a Public Body, Denbighshire
County Council may be required to disclose this e-mail [or any response to it] under
legislative provisions.
