Fake email from booking.com in Dutch with attached invoice confirmation contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject "factuur bevestiging", sent from the spoofed email address "booking.com" <booking.payment@booking.com>, with the following body:

Tav: Geachte klant

Wij schrijven deze brief aan uw aandacht vestigen op de onderstaande referentie achterstallige items met ons

Rappel aan de Klant
Due Date: 2014/12/01
FACTUUR-9837461039847
Verschuldigde bedrag: €287,00

Vind hechten uw factuur voor de eerste betaling.

We waarderen uw inspanningen om ervoor te zorgen dat de betaling is ontvangen in een geschikte kwestie. Houdt u er rekening mee dat er een €100 heraansluiting kosten in rekening worden gebracht als uw account is opgeschort vanwege betalingsachterstanden.

Thorpe K. Carlson
Billing Manager

Copyright © 1996–2014 Booking.com. Alle rechten voorbehouden.
Deze e-mail werd verzonden door Booking.com, Herengracht 597, 1017 CE Amsterdam, Nederland

The email contains two attached files: e-Ticket confirmation.pif and Invoice76453773.doc.

The first attached file, e-Ticket confirmation.pif, contains the trojan that is known as Heur.Win32.Veebee.1!O, Trojan.Dorkbot.ED or Trojan-FEAX!1B85EC2BD216. At the time of writing, 5 of the 51 AV engines detected the trojan at VirusTotal.

Use the VirusTotal permalink and Malwr permalink for more detailed information.
SHA256: 8c6f520c42acab9df6ad3ca59e12c99f4f259650faaa12a3e5139b3845560bce

The other attached file has the name Invoice76453773.doc. When opened, it uses macros. When processed by VirusTotal, 2 of the 51 AV engines detected the malware, named TrojanDownloader:O97M/Bogavert.A or Troj/DocDl-C.

Use the VirusTotal permalink and Malwr permalink for more detailed information.
SHA256: 5be3ef36567271299d658529b889bdb8c83f07b6bc6ff4bd2a92ccfbce15c781
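
With so few AV engines detecting either file, a mail gateway can still catch this message on structure alone. The following Python triage check is an added example, not MX Lab's code: it flags attachments by the SHA256 values above, by executable extension (the .pif), and by an OLE2 document that carries a VBA project (the macro .doc). The function names, the extension list and the byte-search macro heuristic are assumptions, and the sample message is constructed with inert bytes.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# SHA256 values published in this post.
KNOWN_SHA256 = {
    "8c6f520c42acab9df6ad3ca59e12c99f4f259650faaa12a3e5139b3845560bce",
    "5be3ef36567271299d658529b889bdb8c83f07b6bc6ff4bd2a92ccfbce15c781",
}
# Extensions Windows runs as programs; an assumed, non-exhaustive blocklist.
EXECUTABLE_EXT = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc/.xls container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")   # directory entry of a VBA project

def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) findings for every attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings.append((name, "known-sha256"))
        # Windows ignores trailing dots and spaces, so strip them before matching.
        if name.lower().rstrip(". ").endswith(EXECUTABLE_EXT):
            findings.append((name, "executable-extension"))
        # Heuristic: OLE2 file whose directory names a VBA project stream.
        if data.startswith(OLE2_MAGIC) and VBA_STREAM in data:
            findings.append((name, "ole2-with-vba-macros"))
    return findings

def build_sample() -> bytes:
    """Constructed test message with inert attachment bytes (no malware)."""
    m = EmailMessage()
    m["From"] = '"booking.com" <booking.payment@booking.com>'
    m["To"] = "user@example.org"
    m["Subject"] = "factuur bevestiging"
    m.set_content("Constructed sample body.")
    m.add_attachment(b"MZ inert placeholder", maintype="application",
                     subtype="octet-stream", filename="e-Ticket confirmation.pif")
    m.add_attachment(OLE2_MAGIC + b"\x00" * 64 + VBA_STREAM, maintype="application",
                     subtype="msword", filename="Invoice76453773.doc")
    m.add_attachment("plain notes", filename="readme.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name, reason in triage(build_sample()):
        print(f"{reason:24} {name}")
```

The macro check is a byte-level heuristic, so a production gateway would confirm hits with a real OLE parser before acting on them.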

2 thoughts on “Fake email from booking.com in Dutch with attached invoice confirmation contains trojan”

  1. We have to be more careful when opening suspicious emails. I saw this one and I never open attachments that come from an unknown source.
