This fake financial spam does not come from GS Toilet Hire; it is a simple forgery with a malicious attachment. In other words, if you open it... you will be in the sh*t.
From: GS Toilet Hire [donotreply@sageone.com]
Date: 3 February 2016 at 09:12
Subject: GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016
Good morning
Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.
Full details, including payment terms, are included.
If you have any questions, please don't hesitate to contact us.
Kind regards,
Linda Smith
Office, GS Toilet Hire
Direct enquiries
Glenn Johnson
07930 391 011
I have seen two samples of this, both with an attachment named
Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip, which contains a malicious JavaScript file with a name like
invoice_id6395788111.js. The two samples have low detection rates
[1] [2] and contain highly obfuscated scripts
[3] [4] which, according to these analyses
[5] [6] [7], download a binary from one of the following locations:
obstipatie.nu/43rf3dw/34frgegrg.exe
bjhaggerty.com/43rf3dw/34frgegrg.exe
(also
www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe from
this related spam run)
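The attachment is a ZIP whose name ends in .pdf.zip and whose only member is a .js file, which is exactly the pattern a mail gateway can flag before anyone double-clicks it. The following is an added example, not code from the original post: it builds a constructed stand-in for the archive in memory (the real obfuscated script is not reproduced) and triages it on two signals, a deceptive document-looking double extension on the attachment name and a script or executable extension inside the archive. The extension lists are my assumptions, not anything from the post.

```python
import io
import zipfile

# Extensions Windows hands to Script Host or the shell on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".exe", ".scr", ".bat", ".cmd"}
# Extensions a user expects on an invoice; used to spot "something.pdf.zip" lures.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def _extension(name):
    """Lower-cased final extension of a path inside the archive, or '' if none."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def has_deceptive_double_extension(name):
    """True for names like 'Invoice.pdf.zip': a document extension right before the real one."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS


def triage_zip_attachment(attachment_name, zip_bytes):
    """Return the reasons to quarantine the attachment (empty list means nothing found)."""
    findings = []
    if has_deceptive_double_extension(attachment_name):
        findings.append("attachment name mimics a document: " + attachment_name)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if _extension(info.filename) in SCRIPT_EXTENSIONS:
                findings.append("executable content inside archive: " + info.filename)
    return findings


def build_sample_zip(inner_name, payload):
    """Constructed sample archive; the payload is a harmless placeholder, not the real script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("invoice_id6395788111.js", "// placeholder, not the real script\n")
    for finding in triage_zip_attachment("Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip", lure):
        print("QUARANTINE:", finding)
    benign = build_sample_zip("report.pdf", "%PDF-1.4 placeholder\n")
    print(triage_zip_attachment("report.zip", benign))  # []
```

Matching on the inner extension rather than the outer one is the point: the outer name is chosen by the attacker to look like a PDF, but the ZIP directory cannot hide what Windows will execute.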
This type of download indicates that this is Dridex 220; it is unusual for it to be spammed out in a JavaScript-in-ZIP format rather than as a malicious Office macro. The binary has a detection rate of
5/49, and this
Hybrid Analysis report shows the malware phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend that you block all traffic to that IP, and possibly the
91.239.232.0/22 block in which it resides.
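To turn that recommendation into something checkable, here is an added example (not from the original post): it derives the /22 that the C2 address sits in, emits egress-drop rules for both the host and the block, and sweeps a constructed egress log for connections that land inside the range. The log format and the iptables rule syntax are my assumptions for illustration; the only indicator taken from the post is the IP itself.

```python
import ipaddress

# Indicator from the post: the address the Dridex binary phones home to.
C2_IP = "91.239.232.145"


def containing_block(ip, prefixlen=22):
    """The /prefixlen network an address sits in, e.g. 91.239.232.145 -> 91.239.232.0/22."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def firewall_rules(ip, prefixlen=22):
    """Egress-drop rules for the host and its containing block (iptables syntax, assumed)."""
    block = containing_block(ip, prefixlen)
    return [
        f"iptables -A OUTPUT -d {ip} -j DROP",
        f"iptables -A OUTPUT -d {block} -j DROP",
    ]


def find_hits(log_lines, networks):
    """Return (line, destination) for every log line whose destination is inside one of networks.

    Assumed log format, constructed for this example: '<timestamp> <src> <dst>:<port> <proto>'.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        dst = fields[2].rsplit(":", 1)[0]
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed destination field, skip rather than crash the sweep
        if any(addr in net for net in networks):
            hits.append((line, str(addr)))
    return hits


# Constructed sample egress log; 91.239.236.1 is deliberately just outside the /22.
SAMPLE_LOG = [
    "2016-02-03T09:30:12 10.0.0.15 91.239.232.145:443 TCP",
    "2016-02-03T09:31:40 10.0.0.22 93.184.216.34:443 TCP",
    "2016-02-03T09:32:05 10.0.0.15 91.239.233.10:80 TCP",
    "2016-02-03T09:33:51 10.0.0.31 91.239.236.1:80 TCP",
]


if __name__ == "__main__":
    for rule in firewall_rules(C2_IP):
        print(rule)
    for line, dst in find_hits(SAMPLE_LOG, [containing_block(C2_IP)]):
        print("HIT", dst, "<-", line)
```

Sweeping the whole /22 rather than the single host catches the case where the C2 moves to a neighbouring address in the same hosting range, which is the reason the post suggests blocking the block; the trade-off is that any legitimate service in that range is blocked too, so review the hits before deploying the wider rule.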
UPDATE
The same spam is being sent out with a more traditional DOC attachment,
Sales_Invoice_SI-523_GS Toilet Hire.doc, which comes in at least two different variants (VirusTotal
[1] [2]) which, according to these Malwr reports
[3] [4], download a binary from the following locations:
xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband.com/43rf3dw/34frgegrg.exe
(also
best-drum-set.com/43rf3dw/34frgegrg.exe from this
later spam run)
This is a different binary from before, with a detection rate of
4/53. It still phones home to the same location.