Convincing virus e-mail “Your latest Chess Bill Is Ready”

This one looks very well targeted. The title, attachment and content of the e-mail look very genuine and as if it were a real bill.

Subject: Your latest Chess Bill Is Ready
Attachment: 2015-07-Bill.docm

Your bill summary
Account number: 24583
Invoice Number: 2398485
Bill date: July 2015
Amount: £17.50
How can I view my bills?
Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you’ve incurred since your last bill, just sign into My Account
Forgotten your sign in details?

If you’ve forgotten your sign in details, no problem, you can reset these by choosing

Making payments is easy!

If you want to make a credit or debit card payment you can do online by choosing
You don’t need to do anything if you pay by direct debit, we will collect your payment automatically on or after 30th June. If you pay by cheque, details of how to pay us are available on the invoice.
Switch to Direct Debit today and you’ll save at least £60.00 a year, simply call our dedicated team on 0844 770 6060.
Anything else you’d like to know?

Why not visit our support section at
This e-mail has been sent from a Mailbox belonging to Chess Telecom, registered office Bridgford House, Heyes Lane, Alderley Edge, Cheshire, SK9 7JP.
Registered in England, number 2797895. Its contents are confidential to the intended recipient.
If you receive in error, please notify Chess Telecom on +44 (0)800 019 8900 immediately quoting the name of the sender, the address to which it has been sent and then delete it; you may not rely on its contents nor copy/disclose it to anyone.
Opinions, conclusions and statements of intent in this email are those of the sender and will not bind Chess Telecom unless confirmed by an authorised representative independently of this message.
We do not accept responsibility for viruses; you must scan for these.
note that emails sent to and from Chess Telecom are routinely monitored for record keeping, quality control and training purposes, to ensure regulatory compliance and to prevent viruses and unauthorised use of our computer systems.
Thank you for your co-operation.

Quotations are subject to terms and conditions, exclude VAT and are subject to site survey.


Needless to say my investigations prove it is a bit of junk. The message I was sent came from a server in Italy and the attachment is blank apart from a macro.

SHA256 99313f05213cdc82bf15abfe4120711e4ac7ea1d8da19e7c1a31e1114eb1d1c6
VirusTotal Report

As per my previous recommendations, I would block .docm files at your e-mail gateway.
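One way to express that gateway rule, as an added example that is not part of the original post: it parses a message, flags attachments with macro-enabled Office extensions, and also catches a macro document renamed to another extension by looking for a `vbaProject.bin` part inside the zip container. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Macro-enabled Office Open XML extensions (the sample in this post is a .docm).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppsm"}


def has_vba_project(payload: bytes) -> bool:
    """True if the payload is an OOXML zip carrying a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def blocked_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment the gateway should block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            hits.append((name, "macro-enabled extension"))
        elif has_vba_project(payload):
            hits.append((name, "VBA project inside renamed file"))
    return hits


def build_sample(filename: str, with_macro: bool) -> bytes:
    """Constructed test message: a tiny zip standing in for an Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    msg = EmailMessage()
    msg["Subject"] = "Your latest Chess Bill Is Ready"
    msg.set_content("Your bill summary")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample("2015-07-Bill.docm", True)))
```

Legacy .doc and .xls files are OLE containers rather than zips, so the content check here does not see macros in them.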

When the .docm is run with Macros enabled it made a request to:
SHA256 a34e7b8cb971705966e4b260d0936cf17d36f4542bce5f870284321f322901a5
VirusTotal Report
It copied itself to C:\Users\User\AppData\Local\G4E0zMlT\jYZrTrYu.exe and then ran. The last two sections are probably randomly generated.

The payload then started communicating with:

The certificate for the communications was only generated “31 July 2015 10:26:41” so within the last couple of hours of me researching.
Thumbprint: 333e215f805480e6de39231b96fe6a64e9611a22

The certificate also contains interesting words which might link it with an earlier interesting certificate run.

CN =
OU = obamacare
O = democracy
L = Houston
S = TX
C = US

Another CnC server seen was:
This server has a certificate generated slightly earlier “31 July 2015 10:18:52”
Thumbprint: 68f0a2ef0a7eadc2e055203327309ba7abdb8b61
With CN = but the same obamacare OU and address.


3 Responses to Convincing virus e-mail “Your latest Chess Bill Is Ready”

  1. Pingback: More docm spam “E-bill : 6200228913 – 31.07.2015 – 0018″ | thecomputerperson

  2. Pingback: “IMPORTANT – Document From Ofcom Spectrum Licensing” docm virus spam | thecomputerperson

  3. Pingback: “Booking Confirmation – Accumentia (16/9/15)” .doc macro attachment virus | thecomputerperson
