Sponsored by..

Tuesday 26 March 2013

DHL Spam / LABEL-ID-NY26032013-GFK73.zip

This DHL-themed spam contains a malicious attachment.

Date:      Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From:      Bart Whitt - DHL regional manager [reports@dhl.com]
Subject:      DHL delivery report NY20032013-GFK73
   
Web Version  |  Update preferences  |  Unsubscribe
       

DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
DHL Global
   
       
Edit your subscription | Unsubscribe

Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).

VirusTotal detections for this malware are low (7/46). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.

Update:  Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here.

1 comment:

MB said...
This comment has been removed by the author.