Virus e-mail “ATTN: Outstanding Invoices – [37B4C3] [April|May]”

I’ve had two emails today to different addresses with subject lines similar to:

“ATTN: Outstanding Invoices – [4AF8F5] [April|May]”
and
“ATTN: Outstanding Invoices – [37B4C3] [April|May]”

Both contained a .xls attachment.
SHA256: 18c1edd9dd7082ad33ed2663f0401f0a3dcd23933fe5d44ab5b506879d5311aa
SHA256: ec269eb075525d99c32265a5df78b16e308041c8edd5ffd0537571fc830816c2
The VirusTotal report shows it is currently undetected by all antivirus products.

“41160f6_37B4C3.xls” and “d4cb3b62_4AF8F5.xls”

The 41160f6 and d4cb3b62 parts (the bit before the _) are the start of the address the e-mail was sent to; for example, thecomputerperson_83F32F.xls.

As with a lot of these files I’ve had through recently, the attachment appears to be corrupt, so no further analysis can be undertaken in Excel.

When opened in Notepad, the file leaks a few things, such as the folder it was made in:
file:///C:/EC2C4CD9 aka. C:\EC2C4CD9

Some files seem to reference file:///C:/EC2C4CD1/1.htm and another referenced file:///C:/EC2C4CD9/9.htm. This might suggest there are at least 9 variants of the corrupt Excel file they are sending.
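As an added example (not from the original post), a small Python triage check for the indicators described above: the subject tag, the attachment name built from the start of the recipient's address, and the file:///C:/<dir>/<n>.htm path leaked inside the unreadable .xls. The sample message is constructed from the quoted headers; the attachment body is a stand-in for the real file and only carries the leaked path.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators from the post: the subject tag, the "<recipient-prefix>_<TAG>.xls"
# attachment name, and the build directory leaked inside the unreadable .xls.
SUBJECT_RE = re.compile(r"^ATTN: Outstanding Invoices - \[([0-9A-F]{6})\] \[April\|May\]$")
ATTACH_RE = re.compile(r"^([0-9a-f]+)_([0-9A-F]{6})\.xls$")
LEAK_RE = re.compile(rb"file:///C:/([0-9A-F]{8})(?:/(\d+)\.htm)?")

def classify(raw_message: str) -> dict:
    """Return the indicators found in one raw RFC 5322 message ({} if the subject does not match)."""
    msg = message_from_string(raw_message, policy=default)
    subj = SUBJECT_RE.match(str(msg.get("Subject", "")))
    if not subj:
        return {}
    to_local = str(msg.get("To", "")).strip("<> ").split("@")[0]  # e.g. "41160f6"
    result = {"tag": subj.group(1), "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = ATTACH_RE.match(name)
        if not m:
            continue
        leak = LEAK_RE.search(part.get_payload(decode=True) or b"")
        result["attachments"].append({
            "filename": name,
            "tag_matches_subject": m.group(2) == subj.group(1),
            "prefix_from_recipient": to_local.startswith(m.group(1)),
            "leaked_dir": leak.group(1).decode() if leak else None,
            "variant": int(leak.group(2).decode()) if leak and leak.group(2) else None,
        })
    return result

# Constructed sample modelled on the headers quoted in the post; the attachment
# body is a stand-in for the "corrupt" .xls, carrying only the leaked path.
SAMPLE = """\
From: Concetta Gibson <Josephine.410@pnkh.net>
To: <41160f6@mydomain.domain>
Subject: ATTN: Outstanding Invoices - [37B4C3] [April|May]
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel; name="41160f6_37B4C3.xls"
Content-Disposition: attachment; filename="41160f6_37B4C3.xls"
Content-Transfer-Encoding: 7bit

<html>file:///C:/EC2C4CD9/9.htm</html>
--b1--
"""
```

Running classify(SAMPLE) reports tag 37B4C3, confirms the attachment name matches both the subject tag and the recipient prefix, and recovers directory EC2C4CD9 as variant 9.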

The full content can be found here:

https://pastebin.mozilla.org/8833190

Headers here:

Received: from [146.88.43.122] (Unknown [146.88.43.122])	by
 my.server.here with ESMTP	; Tue, 12 May 2015 10:39:06 +0100
Message-ID: <76E290C5.5349444@pnkh.net>
Date: Tue, 12 May 2015 16:39:05 +0700
From: Concetta Gibson <Josephine.410@pnkh.net>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0; attachmentreminder=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: <41160f6@mydomain.domain>
Subject: ATTN: Outstanding Invoices - [37B4C3] [April|May]
Content-Type: multipart/mixed;
	boundary="------------439971592007262617349636"
Return-Path: Josephine.410@pnkh.net

Received: from 214.116.244.87.dyn.jtglobal.com (Unknown [87.244.116.214])	by
 my.server.here with ESMTP	; Tue, 12 May 2015 10:33:10 +0100
Message-ID: <397F3E5F.5772347@jtglobal.com>
Date: Tue, 12 May 2015 10:33:07 +0100
From: Mindy Mccullough <Kelly.dfe@jtglobal.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0; attachmentreminder=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: <d4cb3b62@mydomain.domain>
Subject: ATTN: Outstanding Invoices - [4AF8F5] [April|May]
Content-Type: multipart/mixed;
	boundary="------------103609058165041523342951"
Return-Path: Kelly.dfe@jtglobal.com

Received: from 177-0-37-184.gnace703.e.brasiltelecom.net.br
 (177-0-37-184.gnace703.e.brasiltelecom.net.br [177.0.37.184]) by
 my.server.here with ESMTP ; Tue, 12 May 2015 13:43:55 +0100
Message-ID: <8AE5F5DA.7730387@brasiltelecom.net.br>
Date: Tue, 12 May 2015 09:43:34 -0200
From: Frances Moreno <Roslyn.745@brasiltelecom.net.br>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0; attachmentreminder=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: <myaddress@mydomain.extension>
Subject: ATTN: Outstanding Invoices - [83F32F] [April|May]
Content-Type: multipart/mixed;
 boundary="------------165998587139610237710802"
Return-Path: Roslyn.745@brasiltelecom.net.br

One Response to Virus e-mail “ATTN: Outstanding Invoices – [37B4C3] [April|May]”

  1. Pingback: “Important information” virus email | thecomputerperson
