- 2016-11-25 #locky email phishing campaign "A/C xxxxxxxxx - Overdue Invoice"
- Email sample:
- ------------------------------------------------------------------------------------------------------------
- From: "TOLER, PATRICA" <PATRICA.TOLER@macmillan.com>
- To: [REDACTED]
- Subject: A/C 0000055725 - Overdue Invoice
- Date: Fri, 25 Nov 2016 01:13:05 +0200
- Good Morning,
- Please see attached invoice
- The balance of 84.67 is overdue for payment, please can you confirm a payment date?
- Kind Regards,
- PATRICA Wood on behalf of Gail Russell
- Credit Services
- Macmillan Distribution MDL
- Direct Line 0044 1256 302661
- Direct Fax 0044 1256 363223
- PATRICA.TOLER@macmillan.com
- http://www.macmillandistribution.co.uk
- ********************************************************************************
- DISCLAIMER: This e-mail is confidential and should not be used by anyone who is not the original intended recipient. If you have received this e-mail in error please inform the sender and delete it from your mailbox or any other storage mechanism. Neither Macmillan Publishers Limited nor Macmillan Publishers International Limited nor any of their agents accept liability for any statements made which are clearly the sender's own and not expressly made on behalf of Macmillan Publishers Limited or Macmillan Publishers International Limited or one of their agents.
- Please note that neither Macmillan Publishers Limited nor Macmillan Publishers International Limited nor any of their agents accept any responsibility for viruses that may be contained in this e-mail or its attachments and it is your responsibility to scan the e-mail and attachments (if any). No contracts may be concluded on behalf of Macmillan Publishers Limited or Macmillan Publishers International Limited or their agents by means of e-mail communication.
- Macmillan Publishers Limited. Registered in England and Wales with registered number 785998. Macmillan Publishers International Limited. Registered in England and Wales with registered number 02063302.
- Registered Office Brunel Road, Houndmills, Basingstoke RG21 6XS
- Pan Macmillan, Priddy and MDL are divisions of Macmillan Publishers International Limited.
- Macmillan Science and Education, Macmillan Science and Scholarly, Macmillan Education, Language Learning, Schools, Palgrave, Nature Publishing Group, Palgrave Macmillan, Macmillan Science Communications and Macmillan Medical Communications are divisions of Macmillan Publishers Limited.
- ********************************************************************************
- Attachment: "Documents Requested.zip" -> KsLQFye3454.vbs
- ------------------------------------------------------------------------------------------------------------
- - sender differs between emails, but the email address is faked to come from @macmillan.com
- - subject is "A/C <9-10 digits> - Overdue Invoice"
- - attached file "Documents Requested.zip" contains file "<11 random chars>.vbs", a VBScript downloader
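As an added defender-side example (not part of the original paste), the following Python checks a raw RFC 822 message against the three indicators just listed: a spoofed @macmillan.com sender, the "A/C <9-10 digits> - Overdue Invoice" subject, and a "Documents Requested.zip" attachment holding an 11-character .vbs. The sample message it builds is constructed from the paste's From and Subject values; the .vbs inside the zip is an empty placeholder, not the downloader.

```python
# Added example (not part of the original paste): flags messages matching the
# campaign indicators above. build_sample() is a constructed lookalike message.
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^A/C \d{9,10} - Overdue Invoice$")
VBS_RE = re.compile(r"^[A-Za-z0-9]{11}\.vbs$")


def scan_message(raw: bytes) -> dict:
    """Return which of the paste's indicators the message matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    vbs_names = []
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "documents requested.zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                vbs_names += [n for n in zf.namelist() if VBS_RE.match(n)]
        except zipfile.BadZipFile:
            continue  # not a real archive; does not fit this campaign's pattern
    hits = {
        "sender_macmillan": sender.endswith("@macmillan.com"),
        "subject_pattern": bool(SUBJECT_RE.match(subject)),
        "vbs_in_zip": vbs_names,
    }
    hits["locky_campaign"] = all(hits.values())  # all three indicators present
    return hits


def build_sample() -> bytes:
    """Constructed lookalike of the sampled email; placeholder .vbs, no payload."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("KsLQFye3454.vbs", "' placeholder\r\n")
    msg = EmailMessage()
    msg["From"] = '"TOLER, PATRICA" <PATRICA.TOLER@macmillan.com>'
    msg["Subject"] = "A/C 0000055725 - Overdue Invoice"
    msg.set_content("Please see attached invoice\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="Documents Requested.zip")
    return msg.as_bytes()
```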
- Download sites:
- Malware:
- - encoded on download, SHA256 267daeb2857ba1e05a6721bcaa99420ceeda8108cf6276b38707cc6bcc79a6c4, MD5 fef0805c912091d50991640da831ef81
- - decoded SHA256 87243b8832b685d6146c71c6558cfba59a761ecdd39d8d209968d44ea2fcecd7, MD5 79dc9200bdbeedeac2afb27ad8ff72fd
- - executed by "rundll32 %TEMP%\<filename>.552, asd"