“TP E-Billing for Jul 15 Seq No 0006 (0866AER147) Region 033” docm Spam run

Another load of spam today… Once again using .docm files which are already blocked across “my estate”.

From: ebilling@travisperkins.co.uk
Subject: TP E-Billing for Jul 15 Seq No 0006 (0866AER147) Region 033
Attachment: 0866AER147.docm

Please find the following attached E-Billing documents:

Jul 15 Seq No 0006 – Invoice 0866AER147

The attachment, 0866AER147.docm, is here:
SHA256 7e7d9c85d253b5ef66ef42ea7fa1f4fa5d60133c5066f2ee34b51b2490ce0da6
VirusTotal Report

When macros are enabled the document downloads:

http://technibaie.net/yffd/yfj.exe
SHA256 4780f07a4646c83fb376864898194887930c48b2328ce73e5b3a133ecd7bd1e0
VirusTotal Report / Malwr Report

This spam run is related to another one that uses a different subject and e-mail body:
https://thecomputerperson.wordpress.com/2015/07/27/docm-spear-phisihing-copy-as-requested/

Other variants of this e-mail are now coming through with the following sender and subjects:

Sender: donotreply@royal-canin.fr
Subject: Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
Date: Mon 27/07/2015 14:03
(Contains an attachment detected as Trojan.MSWord.Agent.as)


2 Responses to “TP E-Billing for Jul 15 Seq No 0006 (0866AER147) Region 033” docm Spam run

  1. Pingback: *.docm Spam run “copy” “As requested” | thecomputerperson

  2. Pingback: More docm spam “E-bill : 6200228913 – 31.07.2015 – 0018” | thecomputerperson
