This morning’s first Trickbot banking Trojan campaign comes in an email with varying subjects including

  • paper
  • doc
  • scan
  • invoice
  • documents
  • Scanned Document
  • receipt
  • order

They are all coming from random girls’ names at random email addresses

There is a zip attachment containing a VBS file

couple of examples:

Download sites found so far are listed on Thanks to Racco42 Beware for some reason the Pastebin link is giving me diverts to a scumware site trying to download a fake Flashplayer hta file ( VirusTotal) ( Payload Security)

which downloads ( VirusTotal) ( Payload Security)

It must be an advert on Pastebin, but I don’t know which one. I had just left Pastebin open in the background while I was preparing this post and it keeps trying to divert to the scumware site. It doesn’t happen as soon as you visit, only after a couple of minutes