Fake email “Thank you for your order!” from IKEA contains malicious Word file

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Thank you for your order!”.

This email is send from the spoofed address “DoNotReply@ikea.com” and has the following body:

Order acknowledgement:

To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015

Total cost:

Delivery date:

Delivery method:

We will confirm your delivery date by text,email or telephone within 72 hrs.

Order/Invoice number:

Order time:
8:31am GMT

Order/Invoice date:

Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy

This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.


Screenshot of the message:

The attached file IKEA receipt 607656390.doc is a 102 kB large Word document with malcious macro code that will download the payload.

The Word file is detected as LooksLike.Macro.Malware.gen!d3 (v),HEUR.VBA.Trojan, W97M/Downloader, W2KM_DRIDEX.XXH or Trojan:W97M/MaliciousMacro.GEN.

At the time of writing, 9 the 54 AV engines did detect the malicious Word file.

Use the Virus Total for more detailed information.
SHA256: 03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8

The macro will download the file d6f7g8.exe and his variants from the following locations:


The trojan is known as W32/Agent.XL.gen!Eldorado

At the time of writing, 2 of the 55 AV engines did detect the trojan at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 05f4aa3d5df39c403a51237a6762c062c079480d974de61a4424d3c2d0b26d95

3 thoughts on “Fake email “Thank you for your order!” from IKEA contains malicious Word file

Comments are closed.