Contrat Commercant N: 9579514 – Fake PDF Malware


Contrat Commercant N: 9579514 pretending to come from Rick Goddard [] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

This is written entirely in French so should alert the majority of English speaking recipients that there is a problem.

Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

Email looks like :


Enchante d’avoir fait votre connaissance. Je vous confirme que j’ai bien recupere les documents..

Pouvez-vous me dire si vous souhaitez conserver le contrat commercant n°9579514 ? En effet, sans action de notre part, il sera automatiquement resilie le 22 mai 2014.

Pour eviter automatiquement resilie accorder 2 minutes au service Credit Agricole en remplissant le formulaire ci-joint.

Rick Goddard

Vos appels sont enregistres pour un meilleur service client / Your calls are recorded for a better customer service

Assistant Commercial | Agence des Grands Clients | Credit Agricole

103 avenue des Champs-Elysées 75008 PARIS


Phone +33 158805302

Fax +33 140975310




Protect our environment – please only print this if you have to!

Ensemble adoptons des gestes responsables : N’imprimez ce mail que si necessaire. Les informations contenues dans ce message et les pieces jointes (ci-apres denomme le message) sont confidentielles et peuvent etre couvertes par le secret professionnel. Si vous n’etes pas le destinataire de ce message, il vous est interdit de le copier, de le faire suivre, de le divulguer ou d’en utiliser tout ou partie. Si vous avez recu ce message par erreur, nous vous remercions de le supprimer de votre systeme, ainsi que toutes ses copies, et d’en avertir immediatement Credit Agricole et ses filiales par message de retour. Il est impossible de garantir que les communications par messagerie electronique arrivent en temps utile, sont securisees ou denuees de toute erreur, alteration, falsification ou virus. En consequence, Credit Agricole et ses filiales declinent toute responsabilite du fait des erreurs, alterations, falsifications ou omissions qui pourraient en resulter. Consider the environment before printing this mail. The information contained in this e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message by error, please delete it and all copies from your system and notify the sender immediately by return e-mail. E-mail communications cannot be guaranteed to be timely secure, error or virus-free. The sender does not accept liability for any errors or omissions which arise as a result.

21 May 2014: ( 8kb) Extracts to Contrat_210514.scr Current Virus total detections: 0/52 MALWR Auto Analysis:

This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected.

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.

Leave a Reply

Your email address will not be published.

Related Posts