Thursday, 22 October 2015

UUSCOTLAND Water Services Invoice 22 October 2015 Invoice Summary.doc

UUSCOTLAND Water Services Invoice 22 October 2015 Invoice Summary.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and these emails normally have faked email headers/addresses.

It's not advised to ring them, as there won't really be anything they can do to help you.

Header:
From: "UUSCOTLAND" {UUSCOTLAND@uuplc.co.uk}
Subject: Water Services Invoice
Message Body:
Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of 22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077. Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to help you. Alternatively you can email me at uuscotland@uuplc.co.uk.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Unitedutilitiesscotland.com



Attachment:
22 October 2015 Invoice Summary.doc
SHA256 Hashes:
1b6986910dfefedc753fcec76d00c8e5e13464c6e00af4b73286437a04f11222 [1]
7349036e7e92f4468aa35d1207d5e1c646818bbec60a933b5798b295515a4787 [2]
ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21 [3]

Later Run:

3f3baaefba7dfdb7b54727e03d60c2de365c1b426885f1e9f79ad7f895d67793 [4]
df4155671632cb0c265c5c558df05490e5e54eeeb8fad1a11260b42a51b6c56e [5]
f8013369d58fbaaf15ebd320ce18510705b9462bfa0d0cf71892311d376b9cf5 [6]
Malware Virus Scanner Reports:
VirusTotal Report: [4] (detection 4/56)
VirusTotal Report: [5] (detection 4/56)
VirusTotal Report: [6] (detection 4/56)

Malwr Report: [3]
Payload: h t t p: / / namastetravel.co.uk/t67t868/nibrd65 DOT exe


Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
NOTE
The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments try to download either...


... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
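As an added example (not part of the original post or of Sanesecurity's signatures), a small offline triage check for an attachment like the one above: it hashes the file, matches the SHA256 against the hashes listed in this post, and flags a legacy OLE .doc whose directory names indicate a VBA macro project (the "Macros"/"VBA" storages). The sample byte strings are constructed for the demo and are not real samples.

```python
import hashlib

# SHA256 hashes listed in the post for this campaign (first run and later run).
KNOWN_BAD_SHA256 = {
    "1b6986910dfefedc753fcec76d00c8e5e13464c6e00af4b73286437a04f11222",
    "7349036e7e92f4468aa35d1207d5e1c646818bbec60a933b5798b295515a4787",
    "ab229e22f51cac1cc62c676f44839f12e75f7ca70b86c92f036c979172730a21",
    "3f3baaefba7dfdb7b54727e03d60c2de365c1b426885f1e9f79ad7f895d67793",
    "df4155671632cb0c265c5c558df05490e5e54eeeb8fad1a11260b42a51b6c56e",
    "f8013369d58fbaaf15ebd320ce18510705b9462bfa0d0cf71892311d376b9cf5",
}

# Magic bytes of an OLE compound file (legacy .doc/.xls); the header is 512 bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _utf16(name: str) -> bytes:
    # OLE directory entries store stream/storage names as UTF-16LE.
    return name.encode("utf-16-le")


# A VBA project in a legacy Word file lives under the "Macros" storage,
# which contains a "VBA" sub-storage; their names are a cheap macro indicator.
MACRO_STORAGE_NAMES = [_utf16("Macros"), _utf16("VBA"), _utf16("_VBA_PROJECT")]


def triage_attachment(data: bytes) -> dict:
    """Return hash, format and macro indicators plus a block/allow verdict."""
    sha256 = hashlib.sha256(data).hexdigest()
    is_ole = data.startswith(OLE_MAGIC)
    has_macro_storage = is_ole and any(n in data for n in MACRO_STORAGE_NAMES)
    known_bad = sha256 in KNOWN_BAD_SHA256
    return {
        "sha256": sha256,
        "known_bad": known_bad,
        "is_ole": is_ole,
        "has_macro_storage": has_macro_storage,
        "verdict": "block" if (known_bad or has_macro_storage) else "allow",
    }


# Constructed test inputs: OLE magic padded to the 512-byte header, then the
# directory names a macro-bearing and a macro-free .doc would carry.
CONSTRUCTED_MACRO_DOC = (OLE_MAGIC + b"\x00" * 504 + _utf16("Root Entry")
                         + _utf16("WordDocument") + _utf16("Macros") + _utf16("VBA"))
CONSTRUCTED_CLEAN_DOC = (OLE_MAGIC + b"\x00" * 504 + _utf16("Root Entry")
                         + _utf16("WordDocument"))

if __name__ == "__main__":
    for label, sample in (("macro doc", CONSTRUCTED_MACRO_DOC), ("clean doc", CONSTRUCTED_CLEAN_DOC)):
        print(label, triage_attachment(sample)["verdict"])
```

The storage-name heuristic only covers legacy OLE files; a .docm attachment is a ZIP container and would need its vbaProject.bin part checked instead.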

Cheers,
Steve

2 comments:

Anonymous said...

I have received one this AM from the water company in the UK, and then yesterday I received one from the police about a fine that was not paid.

What good does it do for someone to send these stupid emails?

Michael McConnell said...

Two more hashes...
df4155671632cb0c265c5c558df05490e5e54eeeb8fad1a11260b42a51b6c56e
3f3baaefba7dfdb7b54727e03d60c2de365c1b426885f1e9f79ad7f895d67793