
‘Attached Tracker For Your Records’ Macro Malware Emails

by Brett M. Christensen

‘Urgent’ emails purporting to be from various companies claim that you can open an attached file to find a ‘tracker for your records’.

Brief Analysis:
The emails were not sent by the companies they name, and the attachment does not contain a ‘tracker’. Instead, the attached Microsoft Word document contains a malicious macro that, if enabled, can download and install malware that can steal personal information such as Internet banking passwords.

Subject: Urgent: F590483 LITEBULB GROUP LTD/ HPE

Please find the attached tracker for your records.
Gaylord Sargent
2819 I Street, NW, Suite 300 Washington D.C. 51845
O: (556) 165 2527 | F: (228) 379 0259
ISO9001:2008 | li4160 Rev C | 2CF-E11-240 | Core QPL | QAM-001, Sec. 5.3
This email may contain Technical Data the export of which is subject to the International Traffic in Arms Regulations (22 C.F.R. Parts 120 – 130) or the Export Administration Regulations (15 C.F.R. Parts 730 – 774).
Export controlled information, in any form, shall not be disclosed to a foreign person whether in the United States or abroad (including foreign persons employed in the U.S.) without authorization under the applicable U.S. Government export control regulations and the express written authorization of STRAN Technologies. This document may contain STRAN Technologies’ Proprietary Information and is to be used only for the purposes for which it has been supplied and is not to be duplicated or disclosed in whole or in part without written permission from a duly authorized representative of STRAN Technologies. If you feel you have received this email in error, please contact the sender at (556) 165 2527.

Attached Tracker Malware Email

Detailed Analysis:
These emails, which are marked as ‘Urgent’, suggest rather obscurely that you can find a ‘tracker for your records’ in an attached file. The emails include the name and address of the company that supposedly sent them, along with an apparent legal clause suggesting that the messages ‘may contain Technical Data the export of which is subject to the International Traffic in Arms Regulations or the Export Administration Regulations’. Several companies are named in different versions of the emails. Other details, including the reference number in the subject line and the name of the attachment, may also vary. The attachments are .doc or .rtf files that can be opened in Microsoft Word.

However, while the named companies are real, they did not send the emails. And the attachments do not contain a tracker for your records.

If you attempt to open one of the attachments using Microsoft Word, you will be prompted to enable macros, ostensibly so that the contents of the document can be correctly displayed. If you enable macros as requested, a malicious macro will then run. The macro can download and install a version of the Dridex trojan. Once installed, this trojan can steal banking credentials by capturing information entered during online banking sessions.

A macro is a set of commands and instructions that can be grouped as a single command in order to quickly and automatically accomplish a task.

Macros can help create more efficient workflows by automating some tasks. But macros can also be used with malicious intent. In the past, macro viruses were common computer security threats. Later versions of Microsoft Office disabled macros by default, thereby significantly decreasing the threat posed by macro viruses. But criminals are again using macros, this time relying on simple social engineering to trick users into enabling them.

It is wise to leave macros disabled if you do not use them and are unfamiliar with their potential security risks. And do not believe any message that claims that you must enable macros in order to view a document.
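For mail administrators, the pattern described above (a .doc or .rtf attachment carrying a macro) can be triaged before the message reaches a user. The following is an added example, not code from Hoax-Slayer: it parses a message, classifies each Word-style attachment by its magic bytes, and flags a VBA project marker. The attachment name `tracker.doc`, the stub bytes, and the `quarantine`/`deliver` actions are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc container signature
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")    # OLE directory names are UTF-16LE

def sniff(data: bytes) -> str:
    """Classify by magic bytes, not by the file name the sender chose."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.lstrip().startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "other"

def triage(raw: bytes) -> list:
    """Return one finding per .doc/.rtf attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".doc", ".rtf")):
            continue
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        # VBA project marker: OLE stream name, or vbaProject.bin inside a ZIP package
        has_vba = (kind == "ole" and VBA_MARK in data) or \
                  (kind == "zip" and b"vbaProject.bin" in data)
        findings.append({"subject": str(msg["Subject"]), "file": name,
                         "kind": kind, "has_vba": has_vba,
                         "action": "quarantine" if has_vba else "deliver"})
    return findings

def build_sample() -> bytes:
    """Constructed message: subject and body from the article, inert stub attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Urgent: F590483 LITEBULB GROUP LTD/ HPE"
    msg.set_content("Please find the attached tracker for your records.")
    stub = OLE_MAGIC + b"\x00" * 504 + VBA_MARK + b"\x00" * 40  # not a real document
    msg.add_attachment(stub, maintype="application", subtype="msword",
                       filename="tracker.doc")  # file name is an assumption
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The byte-string search is a heuristic suited to a first-pass filter; a flagged file still needs inspection with a dedicated document analysis tool before any verdict.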

Last updated: March 23, 2016
First published: March 23, 2016