Wednesday, 18 March 2015

unpaid invoice notification

"unpaid invoice notification" is being spammed out with a Word document attachment.

These emails aren't from the companies named in them at all; the names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Header:

Subject: December unpaid invoice notification
Subject: January unpaid invoice notification
Subject: February unpaid invoice notification
Message Body:
N/A
Attachment:
00QTU828.doc
Sha256 Hashes:
1fc13657e71733edc8b99a45294a4d8cc50d8e634db51aa30353113c2271b413
21a4682565fa2390f904cfa564beca82558fdef173ca776b73994751104e7948
65105623e9d9b60765ba7d284109ce4052fb0fb3e1ad580f34c509d3d0824f63
0bf2c8066e653d5c56908be80b2da8ed32fd110fefdb6f4841bd22e13340fe73
35cc3141f478d2e4bb863257807dc2718876b283e2a5f1f82e6a1a0c21a5c268
4279b9773af5f39e12748476b3b1df73ddacf8f477576c32ee142cd4b7c9589a
9cb4c6dc0cf3548443290c458836097a836b1c9d78f377335868b51d89640911
8ef7f649cc1463ab8d20e2c90e15a73b93c35e15ce1f101e00ac990d05b1619c
0f6646e32d4caaaec92a07b997fe9a57e96a1e55946676efa236154864340e8b
b57c07008733788a73dd93072f3a1b8c000a05c3d03ddc7819fb01731e70164a
c2c84d7f3ea33b9f64b128d1732f8f8aa40c1129f559b962026a3b41f9c18f8f
f15178cdb159fb04d8ab3fdaf7ca49943603912c0dde9b7b7f03680246b1f05b
d9e811a39dbb7519a9d15006b65bd4c9f2c6d3dc683dbba431c45ffea1465a53
a24aca332a5be0f6fa501806b9d99f9fc761d536fd728665b6a1e70349d93d60
b92ce5e6f31b29476af0358edb01da45fad2c0a5dca23f91de28964c6c12de85
9a113f10089308942eef370ed386e1da1f4f5b3c7075e65b3019105410aa3a1f
39d2d36cb65b222599c46d2b7b0f8771f550d8d734063ae54b3d186dc64db8d6
37e4abc58302e61c83573b83fe25a3729d35e9d6d61906624ff5f7543a3270bb
a6a8fba443ff2775f8ee2ab44451275ecdf618e3b3a30bc1e7aa0ec9a5ed8d8b
b97cf49793efda94aeb74b1ca59dff14ee07e11d989da99926632aff57c6e912
bc444bb898f721d3d028501592aa8d2fcb66621058da993eaf4e2356a8e704ae
2b04ee7e0663f148aae483a67bf77225c759a6a2cd28f4014ce67f23ad78f121
5c687c52a44f39987e467648edabd1a43cea1f3d21d1a436647189bab6e2fc4c
a88d765c6bc02e647767da610c6296609c56d33548d4555eacc709c26bc94a0e
36a3a3f323823ec00501ab403492b1fa647c4a8e0e928fb1caa285011bf18282
05c4105d6ce3e4a04196d91469c1ebf98003e2993da7c410c8dafd104d9d6de6
5b697aba1a7bb50267ca868ac7acdcd8aeda42f85902c11328a2db0cc39d3ccf
7402f8496136abf374266a74eb4c84f3e17591f27ecfa1157c02f6d43652123d
1c41efaada661e3180793f405a3f339f2566bbf330cd34452f521a4384b9e313
35138a480f13345404a9b29984ff29e3e5fc2a9b9a46f400761a68f779387de4

Malware Macro document information:
VirusTotal Report [1] (Detection ratio: N/A)
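The hash list above is only useful if it gets matched automatically. The following is an added example, not the author's code or any tool mentioned on the page: a small stdlib-only Python triage script that parses a raw message, pulls out the attachments, hashes them with SHA-256 against the IOCs listed above, checks the subject against the "<Month> unpaid invoice notification" pattern seen in the headers, and identifies the payload by its magic bytes rather than its file name (an OLE2 compound document is a legacy .doc; an MZ header is a Windows executable, which is what the macro's auto-download fetches). Only the first three hashes are included in the set to keep the block short; the subject regex, the extension list and the sample message with its fake OLE2-headed attachment are constructed assumptions for the demo, not real captures.

```python
"""Triage a raw RFC 822 message for the 'unpaid invoice notification' run.

Added example, not the blog author's tooling. Checks: subject pattern,
attachment extension, SHA-256 against the IOC list, and attachment magic
bytes (OLE2 .doc container versus a renamed MZ executable).
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# SHA-256 hashes of the malicious .doc attachments listed on the page
# (first three copied here; extend the set with the rest of the list).
IOC_SHA256 = {
    "1fc13657e71733edc8b99a45294a4d8cc50d8e634db51aa30353113c2271b413",
    "21a4682565fa2390f904cfa564beca82558fdef173ca776b73994751104e7948",
    "65105623e9d9b60765ba7d284109ce4052fb0fb3e1ad580f34c509d3d0824f63",
}

# Observed subjects follow "<Month> unpaid invoice notification" (assumed pattern).
SUBJECT_RE = re.compile(
    r"^(January|February|March|April|May|June|July|August|September|"
    r"October|November|December)\s+unpaid invoice notification\s*$",
    re.IGNORECASE,
)

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
MZ_MAGIC = b"MZ"                                  # Windows PE executable
OFFICE_EXTS = (".doc", ".xls", ".xml", ".docm", ".xlsm")  # assumed watch list


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_payload(data: bytes) -> str:
    """Identify the attachment by its header, not its file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"
    if data.startswith(MZ_MAGIC):
        return "windows-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"  # .docx/.xlsm are zipped OOXML
    return "unknown"


def triage_message(raw: bytes) -> dict:
    """Return which indicators matched for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {
        "subject_match": bool(SUBJECT_RE.match(str(msg.get("Subject", "")))),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        digest = sha256_hex(data)
        result["attachments"].append({
            "name": name,
            "sha256": digest,
            "ioc_hit": digest in IOC_SHA256,
            "kind": classify_payload(data),
            "office_ext": name.lower().endswith(OFFICE_EXTS),
        })
    # Flag when the lure subject is paired with an Office-type or known-bad
    # attachment, or with a bare Windows executable.
    result["suspicious"] = result["subject_match"] and any(
        a["office_ext"] or a["ioc_hit"] or a["kind"] == "windows-executable"
        for a in result["attachments"]
    )
    return result


def build_sample_message(attachment: bytes,
                         filename: str = "00QTU828.doc",
                         subject: str = "February unpaid invoice notification") -> bytes:
    """Constructed sample message for offline testing; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("")  # the real spam has no body text
    msg.add_attachment(attachment, maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Fake OLE2 header padded to one sector; NOT one of the samples above.
    fake_doc = OLE2_MAGIC + b"\x00" * 504
    print(triage_message(build_sample_message(fake_doc)))
```

Run it against a saved .eml with `triage_message(open("msg.eml", "rb").read())`; a hit on `ioc_hit` is definitive, while `subject_match` plus an Office-type attachment is a gateway quarantine rule rather than proof, since the campaign's subject rotates by month and the sample set will keep growing.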

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve
