Outline:
Email with the subject line ‘Your Latest Documents from Angel Springs’ claims that you should open an attached Microsoft Word file to review billing documents.
Brief Analysis:
The email is not from UK-based water cooler provider Angel Springs and the attached file does not contain billing documents. The attached Word document contains a malicious macro that can download and install malware.
Subject: Your Latest Documents from Angel Springs Ltd [STA054C]
Dear Customer,
Please find attached your latest document(s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we’ve invested in upgrading our billing systems to make things a little easier for you.
Here’s a few ways we’ve made it easier for you:
Your new documents are now attached to your email. You don’t have to follow a link now to get to your documents.
Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.
You can simply and easily raise any queries you may have through the customer portal.
You can also connect to our E-Billing solution to access other relevant documents by clicking on the following link; Single Click Login
Detailed below are your latest documents.
Account Number | Date | Invoice Number | Document Type
STA054C | 31-Mar-2016 | 3027769 | Invoice
Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.
If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on [number removed] and we will be more than happy to assist you. Please do not reply to this email.
To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document
With Kind Regards,
Angel Springs Ltd
Detailed Analysis:
According to this email, which has the subject line ‘Your Latest Documents from Angel Springs Ltd’, you can review your latest Angel Springs billing documents by opening an attached file. The email claims that Angel Springs has upgraded its billing systems so that new billing documents can be viewed by opening an attachment rather than by clicking a link. The email includes the Angel Springs logo and a table with details about the supposed document and an attached file in Microsoft Word (.docm) format.
Angel Springs is a real company that supplies water coolers in the UK. However, Angel Springs did not send this email and the attachment does not contain billing documents.
Instead, the attached document contains a malicious macro that can fetch and install other types of malware.
If you open the attached Word file, you will be prompted to enable macros, ostensibly so that the contents of the file can be correctly displayed. However, if you do enable macros, a malicious macro will then run. Without you realising, the macro will connect to a website and download and install malware on your computer. The exact nature of this malware may vary. The malware may be Locky ransomware or it may be a trojan that can steal sensitive information such as banking login details.
Details such as the supposed reference number in the subject line and dates, account numbers, and invoice numbers in the message body may vary in different versions of the email.
The email uses address spoofing to make it appear that it really was sent by Angel Springs. Keep in mind that Angel Springs is an innocent victim of the criminals who created this malware campaign and has done nothing wrong.
You can read more details about macro malware threats here.
Last updated: April 8, 2016
First published: April 8, 2016
By Brett M. Christensen
References
Malware spam: “Your Latest Documents from Angel Springs Ltd [1F101177]”
Malware Threat Articles
Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Original Source : https://www.hoax-slayer.net/your-latest-documents-from-angel-springs-macro-malware-email/