1 Jan 2014
A new spam run from what looks like the Bredo botnet. The email appears to come from some unnamed company and says "We have got your order" or "We have obtained your order". There is no attachment in the email this time, but there is a tempting link to click, which leads to a zip file.

A few different emails are circulating, but all say something similar to these. If you look fairly carefully at the contents of the email, you will see the terrible English grammar and spelling, which strongly suggests that they are generated by a botnet that randomly combines words and phrases from a long list; sometimes the pieces just don't fit together.

Update 1 May 2014

New email run.

Hello Client

Our company has got your order and we will process it shortly.

You can find the bill of parcels and delivery details here http://www.basisradio.de/04-05-2014/billing/bl-901-036.zip

Goodbye,

Apex Acoustics Company

Aaron Derrick

Update 6 Feb 2014: we have been noticing these emails circulating again for a few days now, but all the links have been dead. Today we found a live site spewing out this malware.

Update 17 Feb 2014: A slight change to the format this morning with an email similar to this :

 Thank you for the order,

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 5735. Your credit card will be charged for 1217 dollars.

Information about the order and delivery located at: h t t p://w w w.dapaluda.it/Pay.zip?0sqKcG=<your name>@<yourdomain>

or

Buongiorno, <email address removed>.

Your request for review and possible expansion of your company.

Submitted!

Based on the request, gives you information about the proposals and recommendations.

http://amcg-associates.co.uk/Invoice/Invoice.zip

==

We work with you and for you!

Tel.: +44-6969579484.

or

Dear User,

Sorry for the delay.

Promised to send you information:

ht t p://notebookservisru.161.com1.ru/Pay.zip?FpMX5jDAK=d<yourname>@<your domain>

or

The answer to your question about the profile on our website 10.02.2014  executed.
For details, see below for the link:  h tt p://bracewellfamily.com/Invoice.zip?Yu2bYGtOb6

We will be glad to cooperate in the future.

or

Dear customer,
Your order has been accepted.
Order id: 985750.
Terms of delivery and the date can be found with the auto-generated PDF file
located at:

http://gbrinkmann-bennewitz.privat.t-online.de/PayInfo.zip?qug0sDBl3MMBvAfxbcIX

==
Tel. / Fax.:  (751) 263 31 018.

21 Feb 2014: Another change in email messages

Hi,

Your request for review and possible expansion of your company.

Submitted!

Based on the request, gives you information about the proposals and recommendations.

http://mirandolasrl.it/inddex.html?Generate_to_client:submit@thespykiller.co.uk

==

Exact calculation!

Tel.: +44-7713899980.

or

Bill must be paid before the end of the week

http://nlconsulateorlandoorg.siteprotect.net/inddex.html

==

Tel.: +44 20 15919205.

idhash=904289652815

Subjects seen so far are:

  • see details of your invoice
  • see details of the invoice
  • See details of order
  • see details
  • processing of order
  • notice of order
  • notice of the order
  • notification
  • Customer Invoice Reminder
  • notification of the order
  • Notice of the invoice
  • Fwd: response.
  • Invoice 24307871.
  • Your order reference is 41085
  • response
  • Paid

====================================

Dear customer
We have obtained your order and it’ll be processed for 2 business days.
Find specification here:   http://3dteam.pro//account/df2341.zip
Bye
Joshua Forman

========================================================

Dear client
We have got your order and it’ll be processing soon.
You can find the bill of parcels here:

http://albullansa.com/customers/case.2013.0028563.zip

Goodbye,
Hector Page

==================================================

Hello customer
We have got your order and will be processing it soon.
The the invoice are below:

http://gaiacomunicazione.com/cases/cust.856341.zip

Good-bye
Camren Forman

=====================================================

Dear client
This is a notification that an bill of parcels has been produced on 29/12/2013. Your payment method is: credit card.
You can find specification of the invoice: http://yogang.cekuj.net/clients/2013.0028534.zip
Thanks and good luck
Jaxen Forman

================================================================

Hello, Customer
We have obtained your order and will be processing it for 2 days.
The the invoice are below:

http://graficad.net/users/contracts/735618467.zip

Good luck,
Gabriel Walter

======================================================================

Hello, Consumer
We have got your order and we will process it for 2 days. The order reference is 77260.
Your credit card will be charged for 664 dollars.
The specification are below:

http://bigasahorse2101.com/customers/cm.456-345.2013.zip

Goodbye
Alcoa Europe Company
Jaedon Abramson
============================================================
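The lures quoted above share a small set of tells: a link whose path ends in .zip rather than an attachment, a query string that either echoes the recipient's address (the February "Pay.zip?...=name@domain" form) or is an opaque token, and a short list of reused subject lines and phrases. The following is an added example, not code from the original post, that scores an email on exactly those tells. The sample messages are constructed here from the wording on this page; the hosts are placeholders (example.net / example.com), not the real sites named above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".cab")
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)

# Subject lines and body phrases taken from the samples on this page.
LURE_SUBJECTS = {
    "see details of your invoice", "see details of the invoice", "see details of order",
    "see details", "processing of order", "notice of order", "notice of the order",
    "notification", "customer invoice reminder", "notification of the order",
    "notice of the invoice", "fwd: response.", "response", "paid",
}
LURE_PHRASES = (
    "we have got your order", "we have obtained your order", "bill of parcels",
    "your credit card will be charged", "find specification here",
)

def analyse_url(url):
    """Return the reasons a single URL looks like a malware-download lure."""
    reasons = []
    parts = urlsplit(url)
    if parts.path.lower().endswith(ARCHIVE_EXTS):
        reasons.append("archive_link")
    params = parse_qsl(parts.query, keep_blank_values=True)
    # The February lures append the recipient's address to the link so the operator
    # learns which addresses are live; a genuine invoice link never does that.
    if any("@" in key or "@" in value for key, value in params):
        reasons.append("recipient_in_query")
    elif parts.query and "archive_link" in reasons:
        # e.g. Invoice.zip?Yu2bYGtOb6 : an opaque token on a download link
        reasons.append("opaque_query")
    return reasons

def score_message(subject, body):
    """Return (verdict, sorted reasons) for one message."""
    reasons = set()
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.add("lure_subject")
    low = body.lower()
    if any(phrase in low for phrase in LURE_PHRASES):
        reasons.add("lure_phrase")
    for url in URL_RE.findall(body):
        reasons.update(analyse_url(url))
    # An archive link, or a link that echoes the recipient, is enough on its own;
    # lure wording by itself only marks the message as suspicious.
    if reasons & {"archive_link", "recipient_in_query"}:
        verdict = "quarantine"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, sorted(reasons)

# Constructed samples modelled on the lures quoted above (placeholder hosts, not real captures).
SAMPLES = {
    "order_zip": ("notice of the order",
        "Dear client\nWe have got your order and it'll be processing soon.\n"
        "You can find the bill of parcels here:\n"
        "http://www.example.net/customers/case.2013.0028563.zip\nGoodbye,\nHector Page\n"),
    "tracked_zip": ("Customer Invoice Reminder",
        "Dear User,\nSorry for the delay.\nPromised to send you information:\n"
        "http://www.example.net/Pay.zip?FpMX5jDAK=victim@example.com\n"),
    "tracked_html": ("response",
        "Your request for review and possible expansion of your company.\nSubmitted!\n"
        "http://www.example.net/inddex.html?Generate_to_client:submit@victim.example.com\n"),
    "benign": ("Weekly report",
        "Hi team, the slides are at https://intranet.example.com/reports/week12.pdf - thanks\n"),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        print(name, score_message(subject, body))
```

Feed it the subject and body of each inbound message at the gateway; "quarantine" covers every sample on this page, while the benign intranet link scores clean because a .pdf link with no archive and no recipient echo trips nothing.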

This is another of the current botnet runs that try to drop CryptoLocker, other ransomware and loads of other malware on your computer. They use sender addresses and subjects chosen to entice a user to read the email and open the attachment, or in this case follow the link and open the downloaded zip. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they get from consumers.

Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

There are various different attachment names with this run, but they contain the same malware. This particular set of malware doesn't just spoof the PDF icon; it also inserts a long run of padding (shown as underscores in the names below) between the .pdf and the .exe, so that the real extension is pushed out of sight and you are more likely to be fooled.

So far names include:

  • case.2013.0028563.zip
  • df2341.zip
  • cust.856341.zip
  • 2013.0028534.zip
  • acc.26538634.zip
  • 2014.23548688.zip
  • 735618467.zip (random numbers)
  • cm.456-345.2013.zip
  • Pay.zip
  • Order.zip
  • Invoice.zip
  • bl-901-036.zip

  • Attachment zip name: case.2013.0028563.zip. Extracted file name: 028563.pdf___.exe. Current VirusTotal detections: 6/47 | MALWR Auto Analysis:
  • Updated malware version, 2 January 2014. Attachment zip name: acc.26538634.zip. Extracted file name: acc.26538634.pdf_____.exe. Current VirusTotal detections: 0/45, with an incorrect verdict that it is probably innocent | MALWR Auto Analysis:
  • Updated malware version, 5 January 2014. Attachment zip name: 2014.23548688.zip. Extracted file name: 2014.23548688.pdf__.exe. Current VirusTotal detections: 6/45 | MALWR Auto Analysis:
  • 23 Jan 2014: 2358423652882.zip extracts to 2358423652882.pdf___exe. Current VirusTotal detections: 11/49
  • 6 Feb 2014: cm.456-345.2013.zip extracts to cm.456-345.2013.PDF___.exe. Current VirusTotal detections: 6/51
  • 17 Feb 2014: Pay.zip extracts to Pay.Pdf_____.exe. Current VirusTotal detections: 11/50
  • 18 Feb 2014: Invoice.zip (197KB) extracts to Invoice.Pdf____.exe. Current VirusTotal detections: 3/50
  • 18 Feb 2014: Invoice.zip (286KB) extracts to Invoice.Pdf____.exe. Current VirusTotal detections: 9/50
  • 21 Feb 2014: index.zip (277KB) extracts to Index.Pdf___.exe. Current VirusTotal detections: 2/50
  • 01 May 2014: bl-901-036.zip (28KB) extracts to bl-901-036.PDF_______.exe. Current VirusTotal detections: 6/52

This is another of the spoofed-icon files that, unless Windows is set to show file extensions (untick "Hide extensions for known file types" in Folder Options), will look like a proper PDF file instead of the .exe it really is, making it much more likely that you will open it by accident and be infected.

All of these emails use social engineering tricks to persuade you to open the attachment or the file behind the link. The message may say "look at this picture of me I took last night" and appear to come from a friend, or it may be aimed at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type used every day. Be very careful when unzipping them: make sure Windows is showing file extensions, then look carefully at the unzipped file. If it ends in .EXE it is a problem and should not be run or opened.
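The manual check described above (unzip, show extensions, look for .EXE) can be automated before the archive ever reaches a user. The following is an added example, not the post's own code, that opens a zip, and for each member reports the padded double extension, the document extension that would remain visible with extensions hidden, the executable final extension, and whether the file starts with the "MZ" PE header regardless of what its name claims. The archive is constructed inline from a stub DOS header (not real malware) with names copied from the list above, so it runs offline.

```python
import io
import re
import zipfile
from os.path import splitext

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}
# A document extension, two or more spaces/underscores/dashes of padding, then the real extension.
PADDED_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)[ _\-]{2,}\.[a-z0-9]+$", re.IGNORECASE)

def displayed_name(member_name):
    """What Explorer shows with 'Hide extensions for known file types' on: everything but the last extension."""
    return splitext(member_name)[0]

def inspect_member(name, head):
    """Return the reasons this archive member looks like a disguised executable (empty list if none)."""
    reasons = []
    ext = splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable_extension")
    if PADDED_RE.search(name):
        reasons.append("padded_double_extension")
    # With the last extension hidden, the padding is trimmed visually and the name still ends in .pdf.
    inner_ext = splitext(displayed_name(name).rstrip(" _-"))[1].lower()
    if inner_ext in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        reasons.append("claims_to_be_document")
    # Content check, independent of the name: PE files start with "MZ", PDFs with "%PDF".
    if head.startswith(b"MZ"):
        reasons.append("pe_magic")
    elif ext == ".pdf" and not head.startswith(b"%PDF"):
        reasons.append("not_really_pdf")
    return reasons

def inspect_archive(zip_bytes):
    """Map each member name to its findings, reading only the first bytes of every file."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings[info.filename] = inspect_member(info.filename, head)
    return findings

def build_sample_archive():
    """Constructed stand-in for case.2013.0028563.zip: stub PE headers disguised as PDFs, plus a real-looking PDF."""
    stub_pe = b"MZ\x90\x00" + b"\x00" * 60   # DOS header only; this is not a runnable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("028563.pdf___.exe", stub_pe)          # underscore padding, as listed on this page
        zf.writestr("Invoice.Pdf        .exe", stub_pe)    # space padding, the variant the text describes
        zf.writestr("readme.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_archive()).items():
        shown = displayed_name(member)
        print(f"{member!r} (shown as {shown!r}): {reasons or 'clean'}")
```

Anything with "executable_extension" or "pe_magic" should be blocked outright; "claims_to_be_document" on its own is the tell for the hidden-extension trick even when the payload is something other than a PE file.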

  21 Responses to “We have got your order – fake PDF malware”

  1.  

    Betreff: your order details
    Hello, Client
    We have got your order and it’ll be processed for 2 days.
    You can find the order here:
    hxxp://www.alexandrosbodegraven.nl/users/case/b81498-2014.zip
    Thanks and good luck,
    Teodoro Nyman

    •  

      Thanks for that one
      the site appears to be down at the moment so I can’t check if it is a different version of the malware. Hopefully the hosts are cleaning it up and fixing any vulnerabilities that allowed the botnet to install malware on that site.

  2.  

    I’ve received this one

    Hello Client
    This is a notification that an invoice has been generated on 31/12/2013. Your payment method is: credit card.
    Find specification here:
    hxxp://www.alexandrosbodegraven.nl/users/customers/case.002327.zip
    Goodbye,
    Wilfried Marlow

    •  

that server has been cleaned up now, so no need to post any more from alexandrosbodegraven.nl. The website owners obviously know about it.

  3.  

    Hello Customer
    We have obtained your order and it’ll be processed soon.
    The specification are below:
    hxxp://www.studioanderwien.at/users/account/16745788.zip
    Thanks and good luck
    Tom Larkins

    >> Link down but seems like it is the same scheme as above.

  4.  

    Dear Client
    We have got your order and it’ll be processing soon.
    The specification of the invoice are below:
    hxxp://emwcusa.com/customers/customer/bill04672-14.zip
    Thanks and good luck,
    Willi Austin

    Willi Austin

  5.  

    Just another example received on 7 January:

    Dear Customer
    We have got your order and it’ll be processed shortly.
    You can find details of the invoice:
    hxxp://emwcusa.com/customers/account/128456814645.zip
    Bye,
    Frederic Chapman

  6.  

    RECEIVED THIS WEEK:

    Dear Customer
    This is a notification that an bill of parcels has been generated on 21/01/14. Your payment method is: wire transfer.
    The details of the invoice are below:
    http://mccbe.be/2014/acc/gt456-345.2014.zip
    Later,
    Accounts Receivable Team

    •  

      Sorry, forgot to change the link... please don't click on it. Apologies, I tried amending it but can't... if admin can - thanks.

  7.  

    Hello, Client
    We have got your order and will be processing it for 3 business days.
    Find details of the order:
    http://tecmasolutions.com/2014/billing/cs2014-165731.zip
    Good luck,
    Account Management Department

  8.  

    I received this one (from gbrickner @ oakwoodveneer.com)

    Hello, Consumer
    We have obtained your order and we will process it for 2 business days. The order reference is 376461.
    Your credit card will be charged for 534 pounds.
    You can find the bill of parcels and delivery details by link:
    hxxp://dent-lux.com.pl/02-2014/bill/bl-901-036.zip
    Goodbye,
    Bearmach Company

    •  

      Hi Pendro,

      This is extremely disturbing as that is a very old email from years ago from our company. We sincerely apologize and will look into this issue immediately.

      Thank you,

      Oakwood Veneer.

      •  

        Hi Ezra, this botnet, along with loads of other bots, uses emails either taken at random from web pages or stolen from an infected user's email address book. Unfortunately there is very little that you can do. It is extremely unlikely that they have genuinely hacked your mail server to send the emails.

  9.  

    Subject: Notice of order

    Dear Consumer
    We have obtained your order and it’ll be processed shortly. The order reference is 01667.
    Your credit card will be charged for 618 US dollars.
    Find details by link:
    http://alusistem.it/02-2014/bill/bl-901-036.zip
    Look forward to your answer,
    AEI Systems Company
    Landyn Page

  10.  

    Hello, Customer
    We have obtained your order and it’ll be processing for 2 days. The order reference is 97299.
    Your credit card will be charged for 378 dollars.
    Find details by link:
    hxxp://dent-lux.com.pl/02-2014/bill/bl-901-036.zip
    Sincerely yours,
    CA Design Services Company
    Brodie Gibbs
