Note the emails that pretend to be STU ERGO Hestia and Tomfis accounting office

This morning we received from our reader Konrad two messages that were delivered to him from the same IP address that connects to the mail server of two different entities. The fraudster with alleged invoices tries to impersonate the insurance company STU ERGO Hestia SA and the accounting office "Tomfis":

Spam poduwający under STU Ergo Hestia

Dear Customer,

in the attachment we send correspondence regarding the return of the surplus.

Therefore, we ask you to submit an order specifying the form of payment enabling its return.

The fastest form of refund implementation is a bank transfer, so we encourage you to indicate the number of the bank account to which the transfer will be made.

The order can be submitted by phone by contacting the Ergo Hestia Infoline (available 24 hours on 801 107 107).


Paweł Kolasa

STU Ergo Hestia SA

And the second message:

Spam under the accounting office


in the attachment I am sending copies of payments for June taxes.

Accounting Office "Tomfis"

Artur Kalemba

ul. Tatrzańska 2

62-800 Kalisz

In one of the attachments there is a file FV_2045.vbs impersonating the invoice in a very primitive way. Its launch triggers the wscript.exe system process for running script files - it connects to the TCP/ , but does not download any additional content. So it is an unsuccessful attempt to create a downloader (which is unlikely) or to identify victims before a larger campaign, and therefore we recommend caution when opening this type of suspicious invoices and installing reputable antivirus software.

We could not check the attachment on the second message because the file was blocked at the mail server provider level by anti-virus scanning, so the recipient has secured the content.

The message masquerading as an accounting office is sent from server: ([]: 55503) 

The message masquerading under STU Ergo Hestia is sent from the server:

rod-zimbra-app01.hestia.polska ([]) 

The spammer connects to the above mail servers from the following address:


Attachment hook after unpacking (the attachment from the second message has been blocked by anti-spam integrated with the mail server):


Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.