Info From Fake PDF Malware


This "Info from" email, pretending to come from a BillPay banking service, is another one from the current Zbot runs which try to drop CryptoLocker ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.

Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.

Analysis of this one shows it is likely to be a Gameover Zeus/Zbot variant. This is "new": it goes after a similar URL to the Pony samples we have been seeing in the last few weeks, but with a completely different binary. It has VM detection and, if it detects a virtual machine, runs routines that choke memory and the CPU so the sample never reaches its real behaviour in a sandbox. On real hardware it tries this URL (given recent patterns, this is likely to be a Gameover production

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

Thank you for using BillPay. Please keep this email for your records.

The following transaction was received on 18 March 2021 at 20:03:41.

Payment type: VAT

Customer reference no: 9789049470611

Card type: Visa Debit

Amount: 483.93 GBP

Your transaction reference number for this payment is IR19758383.

Please quote this reference number in any future communication regarding this payment.

Full information in attachment.

Yours sincerely,

Banking Operations

This message is intended for the named person above and may be confidential, privileged or otherwise protected from disclosure. If it has reached you by mistake please contact the sender on 0845 302 1423 and delete the message immediately.


26 March 2021: (72kb): Extracts to ATT00347_761105586544.pdf.exe. Current VirusTotal detections: 7/51. MALWR Auto Analysis:

This "Info from" attachment is another of the spoofed-icon files that, unless you have "show known file extensions" enabled (in Windows Explorer's Folder Options this means unticking "Hide extensions for known file types"), will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected. The icon is embedded in the executable itself, so the file looks identical to a genuine PDF until the real .exe extension is shown.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or one more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type used every day. Be very careful when unzipping them, make sure you have "show known file extensions" enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
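As an added example (this is not code from the original post), a small Python triage script that applies the advice above to a zip attachment before anyone double-clicks it. It flags the ".pdf.exe" double-extension pattern described in the post, and it also reads the first bytes of each archive entry so that a Windows executable (which starts with the "MZ" header) renamed to a plain ".pdf" is caught as well, which goes beyond the visible-extension check the post relies on. The archive contents are constructed inline for the example; the ".pdf.exe" filename is the one quoted in the post, while "invoice.pdf" and "report.pdf" and the byte stubs are made up.

```python
import io
import zipfile

# Constructed sample data (not from the original post): a minimal stub that
# looks like a Windows PE file ("MZ" at offset 0) and a minimal PDF header.
PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
PDF_STUB = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

# Extensions Windows will execute when double-clicked, and the document /
# image extensions that malware likes to put in front of them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample_zip() -> bytes:
    """Build an in-memory zip with one double-extension executable (the name
    quoted in the post), one genuine PDF, and one executable renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ATT00347_761105586544.pdf.exe", PE_STUB)
        zf.writestr("invoice.pdf", PDF_STUB)   # hypothetical benign file
        zf.writestr("report.pdf", PE_STUB)     # hypothetical renamed executable
    return buf.getvalue()


def classify_name(name: str) -> list:
    """Reasons the filename alone is suspicious: an executable extension,
    and a document extension hiding in front of it (e.g. .pdf.exe)."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("document extension hidden before it: ." + parts[-2])
    return reasons


def magic_mismatch(name: str, head: bytes):
    """Flag a PE ("MZ") header behind a non-executable extension; this catches
    what a renamed file's icon and name are designed to hide."""
    base = name.lower().rsplit("/", 1)[-1]
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        return "PE header (MZ) but extension " + ext
    return None


def triage_zip(data: bytes) -> dict:
    """Map each file in the archive to the list of reasons it is suspicious
    (an empty list means nothing was found)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(2)   # only the magic bytes are needed here
            reasons = classify_name(info.filename)
            mismatch = magic_mismatch(info.filename, head)
            if mismatch:
                reasons.append(mismatch)
            findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for filename, reasons in triage_zip(build_sample_zip()).items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {filename}  {'; '.join(reasons)}")
```

The name check is what the post's advice amounts to once extensions are visible; the two-byte magic check is cheap to add and does not depend on the user having changed any Explorer setting. Treat any hit as "do not open", not as a reason to inspect the file more closely on the same machine.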
