This one looks very well targeted. The title, attachment and content of the e-mail look very genuine, as if it were a real bill.
Subject: Your latest Chess Bill Is Ready
Your bill summary
Account number: 24583
Invoice Number: 2398485
Bill date: July 2015
How can I view my bills?
Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you’ve incurred since your last bill, just sign into My Account http://www.chesstelecom.com/myaccount
Forgotten your sign in details?
If you’ve forgotten your sign in details, no problem, you can reset these by choosing http://www.chesstelecom.com/lost_password.
Making payments is easy!
If you want to make a credit or debit card payment you can do online by choosing http://www.chesstelecom.com/online_payment
You don’t need to do anything if you pay by direct debit, we will collect your payment automatically on or after 30th June. If you pay by cheque, details of how to pay us are available on the invoice.
Switch to Direct Debit today and you’ll save at least £60.00 a year, simply call our dedicated team on 0844 770 6060.
Anything else you’d like to know?
Why not visit our support section at http://www.chesstelecom.com/support.
This e-mail has been sent from a Mailbox belonging to Chess Telecom, registered office Bridgford House, Heyes Lane, Alderley Edge, Cheshire, SK9 7JP.
Registered in England, number 2797895. Its contents are confidential to the intended recipient.
If you receive in error, please notify Chess Telecom on +44 (0)800 019 8900 immediately quoting the name of the sender, the address to which it has been sent and then delete it; you may not rely on its contents nor copy/disclose it to anyone.
Opinions, conclusions and statements of intent in this email are those of the sender and will not bind Chess Telecom unless confirmed by an authorised representative independently of this message.
We do not accept responsibility for viruses; you must scan for these.
Note that emails sent to and from Chess Telecom are routinely monitored for record keeping, quality control and training purposes, to ensure regulatory compliance and to prevent viruses and unauthorised use of our computer systems.
Thank you for your co-operation.
Quotations are subject to terms and conditions, exclude VAT and are subject to site survey.
Needless to say, my investigations prove it is a bit of junk. The message I was sent came from a server in Italy and the attachment is blank apart from a macro.
As per my previous recommendations, I would block .docm files at your e-mail gateway.
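As an added illustration of that gateway rule (my example, not code from the original post or from any product): an attachment check that blocks macro-enabled Office files by extension and also by content, since a .docm renamed to .docx still contains a word/vbaProject.bin part inside its zip container. The sample attachments are constructed in memory and are not the file from this e-mail.

```python
import io
import zipfile

# Constructed sample attachments: minimal OOXML zips. A macro-enabled Word
# document carries word/vbaProject.bin; a plain .docx does not.
def _build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by filler, standing in for a VBA project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()

SAMPLE_DOCM = _build_ooxml(with_macro=True)   # constructed, macro-bearing
SAMPLE_DOCX = _build_ooxml(with_macro=False)  # constructed, clean

# Where Word, Excel and PowerPoint store a VBA project inside the OOXML zip
MACRO_CONTAINERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML zip that contains a VBA project part.

    Inspects the container, not the filename, so a renamed .docm is still caught.
    """
    if not data.startswith(b"PK\x03\x04"):   # zip local-file-header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_CONTAINERS)


def gateway_verdict(filename: str, data: bytes) -> str:
    """Gateway decision for one attachment: block on extension, then on content."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "block: macro-enabled extension"
    if has_vba_project(data):
        return "block: VBA project inside Office container"
    return "allow"
```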
When the .docm is run with macros enabled, it made a request to:
It copied itself to C:\Users\User\AppData\Local\G4E0zMlT\jYZrTrYu.exe and then ran. The last two sections are probably randomly generated.
The payload then started communicating with:
The certificate for the communications was only generated “31 July 2015 10:26:41”, so within a couple of hours of my researching it.
The certificate also contains interesting words which might link it with an earlier interesting certificate run.
CN = anithwereor.uk
OU = obamacare
O = democracy
L = Houston
S = TX
C = US
Another CnC server seen was:
This server has a certificate generated slightly earlier, “31 July 2015 10:18:52”, with CN = trtheawa.ml but the same obamacare OU and address.