NO MALWARE

A new spam run from what looks like the Bredo botnet. The email appears to come from some unnamed company and says "We have got your order" or "We have obtained your order". There is no attachment in the email this time, but there is a tempting link to click.

A few different emails are circulating, all saying something similar to these. If you look fairly carefully at the contents, you will see the terrible English grammar and spelling, which strongly suggests they are generated by a botnet that picks words and phrases at random from a long list; sometimes they just don't fit together.

Update 1 May 2014

New email run.

Hello Client

Our company has got your order and we will process it shortly.

You can find the bill of parcels and delivery details here http://www.basisradio.de/04-05-2014/billing/bl-901-036.zip

Goodbye,

Apex Acoustics Company

Aaron Derrick

Update 6 Feb 2014: we have been noticing these emails circulating again for a few days now, but all the links have been dead. Today we found a live site spewing out this malware.

Update 17 Feb 2014: A slight change to the format this morning, with an email similar to this:

Thank you for the order,

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 5735. Your credit card will be charged for 1217 dollars.

Information about the order and delivery located at: h t t p://w w w.dapaluda.it/Pay.zip?0sqKcG=<your name>@<yourdomain>

or

Buongiorno, <email address removed>.

Your request for review and possible expansion of your company.

Submitted!

Based on the request, gives you information about the proposals and recommendations.

http://amcg-associates.co.uk/Invoice/Invoice.zip

==

We work with you and for you!

Tel.: +44-6969579484.

or

Dear User,

Sorry for the delay.

Promised to send you information:

ht t p://notebookservisru.161.com1.ru/Pay.zip?FpMX5jDAK=d<yourname>@<your domain>

or

The answer to your question about the profile on our website 10.02.2014  executed.
For details, see below for the link:  h tt p://bracewellfamily.com/Invoice.zip?Yu2bYGtOb6

We will be glad to cooperate in the future.

or

Dear customer,
Your order has been accepted.
Order id: 985750.
Terms of delivery and the date can be found with the auto-generated PDF file
located at:
http://gbrinkmann-bennewitz.privat.t-online.de/PayInfo.zip?qug0sDBl3MMBvAfxbcIX

==
Tel. / Fax.:  (751) 263 31 018.

21 Feb 2014: Another change in email messages

Hi,

Your request for review and possible expansion of your company.

Submitted!

Based on the request, gives you information about the proposals and recommendations.

http://mirandolasrl.it/inddex.html?Generate_to_client:submit@thespykiller.co.uk

==

Exact calculation!

Tel.: +44-7713899980.

or

Bill must be paid before the end of the week

http://nlconsulateorlandoorg.siteprotect.net/inddex.html

==

Tel.: +44 20 15919205.

idhash=904289652815

Subjects seen so far are:

  • see details of your invoice
  • see details of the invoice
  • See details of order
  • see details
  • processing of order
  • notice of order
  • notice of the order
  • notification
  • Customer Invoice Reminder
  • notification of the order
  • Notice of the invoice
  • Fwd: response.
  • Invoice 24307871.
  • Your order reference is 41085
  • response
  • Paid

====================================

Dear customer
We have obtained your order and it’ll be processed for 2 business days.
Find specification here:   http://3dteam.pro//account/df2341.zip
Bye
Joshua Forman

========================================================

Dear client
We have got your order and it’ll be processing soon.
You can find the bill of parcels here:
http://albullansa.com/customers/case.2013.0028563.zip
Goodbye,
Hector Page

==================================================

Hello customer
We have got your order and will be processing it soon.
The the invoice are below:
http://gaiacomunicazione.com/cases/cust.856341.zip
Good-bye
Camren Forman

=====================================================

Dear client
This is a notification that an bill of parcels has been produced on 29/12/2013. Your payment method is: credit card.
You can find specification of the invoice: http://yogang.cekuj.net/clients/2013.0028534.zip
Thanks and good luck
Jaxen Forman

================================================================

Hello, Customer
We have obtained your order and will be processing it for 2 days.
The the invoice are below:
http://graficad.net/users/contracts/735618467.zip
Good luck,
Gabriel Walter

======================================================================

Hello, Consumer
We have got your order and we will process it for 2 days. The order reference is 77260.
Your credit card will be charged for 664 dollars.
The specification are below:
http://bigasahorse2101.com/customers/cm.456-345.2013.zip
Goodbye
Alcoa Europe Company
Jaedon Abramson
============================================================

It is another one of the current botnet runs that try to drop CryptoLocker, other ransomware and loads of other malware on your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they get from consumers.

Almost all of these have a password-stealing component, aimed at stealing your email or FTP (web space) login credentials. Many are also designed specifically to steal your Facebook and other social network login details.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

There are various different attachment names in this run, but they all contain the same malware. This particular set of malware doesn't just spoof the PDF icon but also adds a long run of spaces between the .pdf and the .exe, hoping that you will be fooled.

So far names include:

  • case.2013.0028563.zip
  • df2341.zip
  • cust.856341.zip
  • 2013.0028534.zip
  • acc.26538634.zip
  • 2014.23548688.zip
  • 735618467.zip<random numbers>
  • cm.456-345.2013.zip
  • Pay.zip
  • Order.zip
  • Invoice.zip
  • bl-901-036.zip

Attachment zip name: case.2013.0028563.zip
Extracted file name: 028563.pdf___.exe
Current VirusTotal detections: 6/47 | MALWR Auto Analysis:

Updated malware version, 2 January 2014
Attachment zip name: acc.26538634.zip
Extracted file name: acc.26538634.pdf_____.exe
Current VirusTotal detections: 0/45, with an incorrect statement that it is probably innocent | MALWR Auto Analysis:

Updated malware version, 5 January 2014
Attachment zip name: 2014.23548688.zip
Extracted file name: 2014.23548688.pdf__.exe
Current VirusTotal detections: 6/45 | MALWR Auto Analysis:

23 Jan 2014: 2358423652882.zip extracts to 2358423652882.pdf___exe. Current VirusTotal detections: 11/49

6 Feb 2014: cm.456-345.2013.zip extracts to cm.456-345.2013.PDF___.exe. Current VirusTotal detections: 6/51

17 Feb 2014: Pay.zip extracts to Pay.Pdf_____.exe. Current VirusTotal detections: 11/50

18 Feb 2014: Invoice.zip (197KB) extracts to Invoice.Pdf____.exe. Current VirusTotal detections: 3/50

18 Feb 2014: Invoice.zip (286KB) extracts to Invoice.Pdf____.exe. Current VirusTotal detections: 9/50

21 Feb 2014: index.zip (277KB) extracts to Index.Pdf___.exe. Current VirusTotal detections: 2/50

01 May 2014: bl-901-036.zip (28KB) extracts to bl-901-036.PDF_______.exe. Current VirusTotal detections: 6/52

This is another one of the spoofed-icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or one targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type used every day. Be very careful when unzipping them, make sure you have "show known file extensions" enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
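The two checks described above, the visible name and the hidden extension, can be automated on a mail gateway or helpdesk workstation before anyone extracts an attachment. The script below is an added example written for this page, not code from the original post: it opens a zip attachment in memory, flags member names that put a document extension in front of an executable one (with or without a padding run of spaces or underscores, which is how the page prints names such as 028563.pdf___.exe), and separately checks the first bytes of each member for the MZ header of a Windows executable, which survives any renaming. It also models what Explorer shows when "hide extensions for known file types" is on. The sample archive is constructed inside the script from names on this page with harmless placeholder bytes; the extension sets are an illustrative subset, not an exhaustive list.

```python
import io
import os
import re
import zipfile

# Extensions Windows will run on double-click (assumption: a representative
# subset used for illustration, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-like extensions the lure names pretend to have.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

# "<stem>.<doc ext><padding>.<exec ext>", where padding is a run of spaces or
# underscores (the page prints the padding as underscores, e.g. 028563.pdf___.exe).
DOUBLE_EXT_RE = re.compile(
    r"^(?P<stem>.+?)(?P<doc>\.[A-Za-z0-9]{2,5})(?P<pad>[ _]*)(?P<exe>\.[A-Za-z0-9]{2,4})$"
)


def displayed_name(name):
    """Model what Explorer shows with 'hide extensions for known file types' on:
    only the final extension is dropped, so the fake document extension remains."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else name


def inspect_name(name):
    """Reasons to distrust a member based on its name alone."""
    reasons = []
    m = DOUBLE_EXT_RE.match(name)
    if (m and m.group("doc").lower() in DOCUMENT_EXTS
            and m.group("exe").lower() in EXECUTABLE_EXTS):
        reasons.append("document extension %s followed by executable extension %s"
                       % (m.group("doc"), m.group("exe")))
        if m.group("pad"):
            reasons.append("%d padding character(s) push the real extension out of view"
                           % len(m.group("pad")))
    elif os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    return reasons


def inspect_content(head):
    """Reasons based on the first bytes, which a renamed file cannot hide."""
    if head.startswith(b"MZ"):
        return ["content starts with MZ: a Windows executable regardless of its name"]
    return []


def scan_zip(data):
    """Scan a zip attachment held in memory; return {member name: [reasons]}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = inspect_name(info.filename) + inspect_content(head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed archive for the demo: member names taken from the page's list,
    contents are harmless bytes carrying only the file signatures (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake_pe = b"MZ" + b"\x00" * 62  # DOS header magic only; not a runnable binary
        zf.writestr("028563.pdf___.exe", fake_pe)
        zf.writestr("Pay.Pdf_____.exe", fake_pe)
        zf.writestr("2358423652882.pdf___exe", fake_pe)  # no dot before exe: name check misses it
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print("%-28s shown as %-24s" % (member, displayed_name(member)))
        for r in reasons:
            print("    - " + r)
```

The name check alone misses the 23 Jan sample, whose listed name has no dot before the final "exe"; the MZ check still catches it, which is why a gateway rule should look at content and not only at the file name. Checking the first bytes is cheap because only a few bytes of each member are decompressed.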



20 Comments on "We have got your order – fake PDF malware"

Christian Rosin (Guest), 5 January 2014 10:41 am

Betreff: your order details
Hello, Client
We have got your order and it’ll be processed for 2 days.
You can find the order here:
hxxp://www.alexandrosbodegraven.nl/users/case/b81498-2014.zip
Thanks and good luck,
Teodoro Nyman

Yago (Guest), 5 January 2014 7:49 pm

I’ve received this one

Hello Client
This is a notification that an invoice has been generated on 31/12/2013. Your payment method is: credit card.
Find specification here:
hxxp://www.alexandrosbodegraven.nl/users/customers/case.002327.zip
Goodbye,
Wilfried Marlow

Unkn0wn (Guest), 6 January 2014 2:31 am

Hello Customer
We have obtained your order and it’ll be processed soon.
The specification are below:
hxxp://www.studioanderwien.at/users/account/16745788.zip
Thanks and good luck
Tom Larkins

>> Link down but seems like it is the same scheme as above.

Mike (Guest), 7 January 2014 7:06 pm

Dear Client
We have got your order and it’ll be processing soon.
The specification of the invoice are below:
hxxp://emwcusa.com/customers/customer/bill04672-14.zip
Thanks and good luck,
Willi Austin

José Ferreira Leite (Guest), 8 January 2014 10:33 am

Just another example received on 7 January:

Dear Customer
We have got your order and it’ll be processed shortly.
You can find details of the invoice:
hxxp://emwcusa.com/customers/account/128456814645.zip
Bye,
Frederic Chapman

MARK (Guest), 23 January 2014 4:20 pm

RECEIVED THIS WEEK:

Dear Customer
This is a notification that an bill of parcels has been generated on 21/01/14. Your payment method is: wire transfer.
The details of the invoice are below:
http://mccbe.be/2014/acc/gt456-345.2014.zip
Later,
Accounts Receivable Team

MARK (Guest), 23 January 2014 4:21 pm

Sorry, forgot to change the link... please don't click on it. Apologies, I tried amending it but can't... if admin can, thanks.

mos (Guest), 23 January 2014 6:28 pm

Hello, Client
We have got your order and will be processing it for 3 business days.
Find details of the order:
http://tecmasolutions.com/2014/billing/cs2014-165731.zip
Good luck,
Account Management Department

Pendro (Guest), 12 February 2014 1:18 am

I received this one (from gbrickner @ oakwoodveneer.com)

Hello, Consumer
We have obtained your order and we will process it for 2 business days. The order reference is 376461.
Your credit card will be charged for 534 pounds.
You can find the bill of parcels and delivery details by link:
hxxp://dent-lux.com.pl/02-2014/bill/bl-901-036.zip
Goodbye,
Bearmach Company

Ezra (Guest), 12 February 2014 7:34 pm

Hi Pendro,

This is extremely disturbing as that is a very old email from years ago from our company. We sincerely apologize and will look into this issue immediately.

Thank you,

Oakwood Veneer.

bob (Guest), 12 February 2014 2:50 am

Subject: Notice of order

Dear Consumer
We have obtained your order and it’ll be processed shortly. The order reference is 01667.
Your credit card will be charged for 618 US dollars.
Find details by link:
http://alusistem.it/02-2014/bill/bl-901-036.zip
Look forward to your answer,
AEI Systems Company
Landyn Page

heman@web.com (Guest), 12 February 2014 4:42 pm

Hello, Customer
We have obtained your order and it’ll be processing for 2 days. The order reference is 97299.
Your credit card will be charged for 378 dollars.
Find details by link:
hxxp://dent-lux.com.pl/02-2014/bill/bl-901-036.zip
Sincerely yours,
CA Design Services Company
Brodie Gibbs

Clo (Guest), 12 February 2014 6:31 pm

Hello Customer
We have got your order and we will process it for 2 days. The order reference is 65977.
Your credit card will be charged for 769 US dollars.
Find specification of the invoice and delivery details:

hxxp://www.studiobertacca.it/02-2014/bill/bl-901-036.zip
Regards,
Blue Helix Company
Michael Forman
