Another one from the current zbot runs that try to drop malware on your computer. This attachment appears to use an anti-VM technique, so automated analysers get no payload and crash part way through analysing it, in an attempt to bypass anti-virus detection.
Email content says:
We attempted to deliver your item at 10:10 AM on Nov 28th, 2013.
The delivery attempt failed because nobody was present at the shipping address, so this notify has been automatically sent.
If the parcel is not scheduled for redelivery or picked up within 72 hours, it will be returned to the sender.
Label Number: AB230BDA77
Expected Delivery Date: Oct 28th, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Current VirusTotal detections: 3/47 https://www.virustotal.com/en/file/a7061504af081dcd3e9357b5f929a946382bae0319432967e9eacaa404ba69f0/analysis/
MALWR Auto Analysis: https://malwr.com/analysis/NTk0ZmY3YzM5YTA2NDQyM2JjMWFlZDA2YzBiZTk4NTc/
This is another of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a different file type instead of the .exe it really is, making it much more likely that you accidentally open it and get infected. This one has a strange icon that looks like a gear and I have no idea what program it is supposed to imitate.
All of these emails use social engineering tricks to persuade you to open the attachments that come with them. Whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to receive PDF or Word .doc attachments or any other common file type they use every day, be very careful when unzipping them: make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
A second DHL version is out today with a smaller file size, named DHL_Report_pdf_id<loads of numbers>, with a standard .com/.exe icon.
Current VirusTotal Detections: 3/48 https://www.virustotal.com/en/file/448cac2234963324d3781130017eb46ba4d05d137677d51cf4bdd9a968e1ef7a/analysis/
MALWR Auto Analysis: https://malwr.com/analysis/NzIwMzFmYTVkMDgwNGJlYzljYjYzMjU5ZDE0OTQxNjA/
It looks from the analysis that the malware that wouldn’t run properly in the first email has been quickly fixed so that it runs now.