Invoice 951266 – fake PDF malware — 61 Comments

  1. I just got sent this and opened it but my computer wouldn’t support opening the PDF. Does this mean my computer is or isn’t infected? Is there anything I can do to protect it?

  2. Hi Guys

    I had one of these this morning but it didn’t have an attachment (it said it did, but didn’t), so can I assume I’m fine as I didn’t open anything other than the email?

  3. Hello, I received this email this morning – I opened the attached zip file, then the folder, but didn’t open the .exe file inside. Is it only a problem if you open this file? I am on a Mac. Many thanks for your help in advance.

    • I called our IT team after my mistake this morning – luckily Macs find it very difficult to open these folders so you’re very unlikely to have a problem – he double checked my computer for me and all was well. So I wouldn’t worry.

  4. I have also had this 3 to 4 times today. There are also a lot going round that state you have to attend a court date and to open the attached document. I always respond to the email to see if it comes back as delivery failure, which then tells you it’s spam.

  5. Three clues to a fake – no name just ‘hello’, why would a company ask for a payment ‘date’?, and a list of nine addresses all to ‘@avnet’ and in alphabetical order.

  6. A search on recent suspicious emails led me to this. Just to let you know, the ones we got were indeed PDFs, not exe’s. PDFs run without appropriate protections can be viable attack vectors. Everything else about it other than the month matched your description.

    • You should be fine on an iPhone. The malware is Windows-specific malware only at this time. That isn’t to say that a cross-browser or cross-OS version will not be released.
      I have seen a few malware that will run on both Windows & Linux but they are normally Java-based malware that runs inside the Java system. At this time, I do not know of any malware that runs on iPhone natively, although there are various malwares that cause pop-up windows or injected adverts in an iPhone/iPad browser window.

  7. Hi
    I too got this email, and stupidly opened the PDF? Adobe Reader program opened and said the file could not be opened. I have run Spybot and McAfee and both have not shown any malware. Does this mean I have not been infected or is there a better program to use to check?

    • It depends on which version of Adobe Reader you have installed, whether you might have been infected by this. If you have 11.0.4 or newer, and hopefully you have 11.0.6 which is the latest version, then in all probability you are safe as this exploit should not be able to run in those versions. Spybot is a waste of time with malware like this and an antivirus is needed, but your McAfee might not have detections for it yet, although it should be detecting this with its generic heuristic detections.
      The best thing to do is run a full scan with McAfee and if it comes clean then seek help on http://forums.techguy.org/54-virus-other-malware-removal/ where they can run a few scans & see if any obvious malware was dropped on the computer.

      • Thanks
        Everything is up to date on my PC. Adobe has 11.0.6 installed.
        I have run another full McAfee check (with their latest updates) and nothing has been found. I will check out the forum and see if they find anything.
        The PC is on a small network with 3 other PCs (I have now unplugged it from the network and internet). Could any of these PCs have been infected?
        Thanks for your advice
        Jim

        • If you have 11.0.6 Adobe version then you should be safe. So far the analyses haven’t shown it transferring over a network, but many of these malwares do just sit and wait for several hours before attempting a network connection or downloading any other malware.

  8. Oh no! I’m on a MacBook Air and opened an email from Sue Mockridge, titled Invoice 714333 April. Then clicked on ‘quick look’ on Mac Mail to see the attachment before closing it. I have Adobe Reader 11.0.06. But I’m sure the ‘quick look’ functionality is all in Mac Mail, no?

    Anyway I have since discovered 2 payments from my personal bank account to a PayPal account totalling around 500 pounds today that I didn’t authorise.

    The bank now knows. What else should I be checking? Can this have gotten other info, logins etc? How do I get rid of it?

    I am a small business owner so I’m terrified they will make payments from that account.

    Any help appreciated.

    Sam

  9. Thank you for all this information – I got one of these while my machine was being checked over because of conflict between two antivirus products on my machine.

    Short answer there, Spybot consigned to the ether despite having only just bought it – free McAfee went the same way and am now on Kaspersky where I should have been in the first place.

    The email is disinfected with [Spam] trigger in the heading but I felt there was something dodgy. Never heard of these people, certainly did not buy anything and the associated emails in the address list hello, why would I buy from a company that published my email in a string and an outstanding invoice.

    So before deleting I looked up the company on Google because they were going to get a call tomorrow either to tell them they were sending out dodgy emails and in any event to remove me from their records or else and I came across you.

    I didn’t even notice the attachments.

    So thank you very much am now going to go and delete the lot from email and deleted folder.

  10. Opened by mistake yesterday and today I have some orders coming to my address and paypal has been hacked. The bastard got a brand new Samsung S5….

  11. I stupidly opened the PDF attached to the email using Nuance PDF reader.
    Nuance reported an unexpected operation from the PDF and stopped opening it.
    I ran a full scan using Microsoft Security Essentials and it didn’t detect any unwanted items.
    Does this mean I’m safe?
    Thanks

    • I cannot guarantee that you will be safe. You will need to keep an eye on any online financial transactions and scan again tomorrow with MSE. It is very possible that new unknown malware was dropped and MSE doesn’t yet recognize it. The exploits they seem to be using are likely to affect all PDF readers and not just Adobe. Just because Nuance alerted you doesn’t mean that the malicious actions hadn’t already been carried out.

      • Thanks for the reply.
        I’ve run a new full scan and it found Exploit:JS/Pdfjsc.AU but nothing else.
        Hopefully I’ll be alright.

  12. Hi

    I have had a nightmare with these emails.

    You do not even have to open them now!

    I’m using the email program Zimbra and AVG for my protection.

    As soon as the email comes in, AVG flags it up, so it is doing its job. But even with the emails getting deleted and AVG removing the threat, the Trojan Horse seems to have attached itself to my email program only, as my computer scan is clean. So I delete Zimbra and reinstall and it is still there. So clean registry and reinstall but still coming up as soon as I open the Zimbra program. I ended up just deleting Zimbra and installing a new program.
    But now it has come up on another one of my PCs and I wondered if there was an easier way to deal with this.

    Very amateur at this so any ideas welcome

  13. Like a dummy I tried to open this email from my iMac. Is there any way to tell if I was infected? Based on the thread I’m reading it seems unlikely this would affect a Mac, but need to make sure. Thank you!!

    • I have not heard of it affecting an iMac. You can never be 100% guaranteed that the version you opened wasn’t a new version that might be able to affect Mac software, but it is unlikely

  14. Thanks! I’ll do some more research, but your reply is a comforting start. Is virus protection software recommended or even needed for a Mac?

  15. I stupidly tried to open the attachment on my Kindle…it wasn’t able to without downloading new software which I refused. Am I likely to be infected?

    • You shouldn’t be infected on a Kindle. This malware and most currently spreading malwares are designed to infect & run on Windows systems. However we are seeing some that also have a Mac-specific file that will run on Macs and infect the Mac user account.

      Android so far, is fairly safe from these, but how long that will last is anybody’s guess.

  16. It looks like there’s another massive spam run in process today.

    The sad thing is that Broad Oak’s online reputation is getting completely trashed, especially in the Google Reviews, when it’s nothing at all to do with them.

  17. I’ve had this today on my personal email but the company I work for actually sell to Broadoak so have forwarded to my MD to warn all employees in case it comes through our business email!!

  18. I received the same email from Sue Mockridge in my junk box and stupidly opened it and opened the PDF file on my iPad. I’m now very worried. How can I tell if it’s affected my iPad? Is it safe to log onto online banking etc? My iPad is my lifeline really as I’ve no PC, Laptop etc. Some advice needed please. Thanks

  19. Hi,

    I stupidly opened this email on my iPhone and laptop, as it went to my university account and I thought it was important. My internet now lags on both devices, and many web pages won’t open. Clicked on your link to tech support guy but couldn’t find any help on there. Please help!

  20. I have lots of returned mail with this invoice virus coming from our web address, albeit an address I have never used (invoice@wurlitza.co.uk). However I have never to my knowledge opened the invoice file (though I have had lots of them). What is the procedure? The places they are being returned from are not addresses in our address books. I’ve been running AVG to check for threats, and all our emails go through AVG.

  21. I just received this spam email twice today, my spam filter did not detect it but I thought it was suspect and googled the details and found this article, so thanks, I have deleted the emails.

  22. I got an email yesterday purporting to be from Vodafone (Billing Dept) saying (in German) that my latest bill was attached as a pdf. The attachment title was 12.11.2014_Rechnung_Kundennr_7149988.pdf. As I was logged on to the wifi of some German friends at the time I stupidly thought that maybe their email had somehow been mistakenly diverted to my iPad, and tried to open the attachment (as I was under the impression that a) iPads etc could not be infected by malware and b) pdfs could not be dangerous). When a blank screen appeared I got a bit suspicious and closed it, deleted the email (after taking a screen-shot of it) and looked online for information. It looks as though this is another version of the pdf malware that is the subject of this thread, so be aware! Is there any way I can tell if my iPad has been compromised, and would my iPod Touch automatically be similarly affected? I also have a desktop PC running Windows 7, but have as yet not connected my iPad to it via USB. Any information, advice etc would be greatly appreciated.

    • As far as I know an iPad cannot be infected by this. Yes, an iPad can open PDFs but any malicious macro-type code inside the PDF will not run on an iPad and won’t download or run the Windows-specific malware.

  23. Thanks for that. Is there any danger that my Windows PC could be affected when I sync my iPad via USB? BTW, I forgot to mention that I am still using iOS 6.1.3 as I did not want to upgrade to iOS 7 and beyond. Could that be a problem now?

    • Using any older version of software, especially an OS, always carries an increased risk. I don’t think there is any risk with this particular malware to your version of iOS, but there are iOS-specific exploits that will almost certainly affect that OS that are always spreading.
      There shouldn’t be any risk in syncing the iPad with Windows provided you don’t attempt to open the pdf (if it is synced to your Windows PC). Provided you have deleted the email & any attachment from the iPad before plugging into Windows there is absolutely no risk.
