BPAY Secure Document Leads to Malware

A new spam email is doing the rounds, this time bypassing spam filters for several of my email addresses. As with most of these malicious emails, it carries the correct logos and appears to come from an official-looking email address.

This email claims to be from BPAY. It goes on to advise the recipient that they have received a BPAY payment. The recipient is then required to open the attached “BPAY Secure Document” in order to view the details of said payment.

Upon opening the attachment, the recipient is prompted to enable content, which in turn runs a malicious macro.

[Screenshot: the "BPAY Secure Document" attachment with its enable-content prompt]

The macro downloads and executes another file, htqpu.exe. Analysis of this file indicates a possible link to Trickbot malware. Trickbot, also known as TrickLoader, is a banking Trojan designed to steal credentials for financial institutions.

If you receive any attachment that requires you to enable macros, I recommend deleting the file right away.
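The advice above can be automated at the mail gateway or on the desktop: an Office attachment that needs "Enable Content" is one that carries a VBA project. The script below is an added example written for this post, not code from the original article; it constructs a sample email with a macro-enabled attachment in memory (the file name, body text and attachment bytes are all made up for the demonstration), then walks the attachments and flags any that contain a VBA project. Modern OOXML files (.docm, .xlsm, .pptm) are zip archives with a vbaProject.bin part, so the check looks for that part and its content type; legacy binary files (.doc, .xls) are flagged by their OLE header for manual review, since parsing their macro streams needs a library such as oletools, which is not used here.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default as default_policy

# Compound-file (legacy .doc/.xls/.ppt) magic bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Content type Office assigns to the VBA project part inside OOXML packages.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes as 'macro', 'legacy-ole', 'clean-ooxml' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # Binary Office format: macros live in OLE streams, flag for deeper inspection.
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Any part named vbaProject.bin (word/, xl/, ppt/) means VBA is present.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Also check the declared content type in case the part was renamed.
            if has_vba_part or VBA_CONTENT_TYPE in content_types:
                return "macro"
            return "clean-ooxml"
    except zipfile.BadZipFile:
        return "unknown"


def scan_email(raw: bytes) -> list:
    """Return [(filename, classification)] for every attachment in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=default_policy)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append((part.get_filename() or "<unnamed>", classify_attachment(payload)))
    return results


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (not a real document)."""
    vba_override = (
        f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        if with_macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed lure email mirroring the post: a fake BPAY notice with a .docm attached."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"  # constructed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "You have received a BPAY payment"
    msg.set_content("Please open the attached BPAY Secure Document to view the payment.")
    msg.add_attachment(
        build_ooxml(with_macro=True),
        maintype="application",
        subtype="vnd.ms-word.document.macroEnabled.12",
        filename="BPAY_Secure_Document.docm",
    )
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict in scan_email(build_sample_email()):
        print(f"{name}: {verdict}")
```

Run the script on a saved .eml instead of the constructed one by passing its bytes to scan_email(); a verdict of "macro" or "legacy-ole" is the signal to quarantine the message rather than let the user decide at the "Enable Content" prompt.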

Scams can also be reported to ScamWatch via their website.