
Friday, 26 April 2013

"USPS delivery failure report" spam / LABEL-ID-56723547-GFK72.zip

This fake USPS message has a malicious attachment:

Date:      Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
From:      USPS client manager Lelia Holden [reports@usps.com]
Subject:      USPS delivery failure report
Priority:      High Priority 1

Notification

Our company’s courier couldn’t make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGL38SHK4T
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46.

The malicious binary has the following checksums:
MD5: df81b21e9526c571d03bc1fb189f233c
SHA1: dd2fe390e3f16a7f12786799af927f62df6754c4
SHA256: db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a
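A triage check for this kind of attachment, added here as an example and not part of the original post: it unpacks a zip in memory, flags members with executable extensions or a PE ("MZ") header regardless of their name, and compares each member's SHA256 against the known-bad hash quoted above. The zip it inspects is a constructed stand-in with the same member name, not the real LABEL-ID-56723547-GFK72.exe.

```python
import hashlib
import io
import zipfile

# SHA256 of the sample quoted in the post; used as a known-bad indicator.
KNOWN_BAD_SHA256 = {
    "db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a",
}
# Extensions that Windows will execute directly when double-clicked.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip_attachment(zip_bytes):
    """Return one finding per file member: name, sha256 and a list of reasons.

    A member is flagged for an executable extension, for content starting with
    the PE 'MZ' header (catches renamed executables), or for a known-bad hash.
    A PDF-looking icon, as used by this sample, is not visible at this level,
    so the content check is what matters.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            reasons = []
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("executable extension")
            if data[:2] == b"MZ":
                reasons.append("PE header (MZ) in content")
            sha256 = hashlib.sha256(data).hexdigest()
            if sha256 in KNOWN_BAD_SHA256:
                reasons.append("matches known-bad SHA256")
            findings.append({"name": info.filename, "sha256": sha256, "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed zip mirroring the attachment layout; not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("LABEL-ID-56723547-GFK72.exe", b"MZ" + b"\x00" * 62 + b"placeholder")
        zf.writestr("readme.txt", b"harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['name']}  {', '.join(f['reasons'])}")
```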

Comodo CAMAS reports some very unusual behaviour around LDAP registry keys, not present in the Anubis report or ThreatExpert report.

Update: a rather more comprehensive ThreatTrack report can be found here [pdf].

3 comments:

Terri Ferguson said...

Sorry this isn't a comment on this particular notice - I am looking for some info on an email address and I don't know how else to communicate with you.
I have been getting subscription requests from this webpage

http://ymlp.com/subscribe.php?id=gjqmhqjgmgmghjubmhgquh

Can you tell me if it is something that I should be worrying about? I am running a scan at the moment for peace of mind - but the very strange address is panicking me a bit.
Many thanks
Terri

Conrad Longmore said...

@Terri, ymlp.com is an email tracking link. The link seems harmless, but just says "You have entered an invalid e-mail address.". URLquery shows people searching for a similar string (see http://urlquery.net/report.php?id=2190607). Looks safe, but I can't explain it.

Terri Ferguson said...

Thanks very much Conrad, I appreciate your reply. Glad to hear nothing to worry about, but I started receiving this after the 'Russian hacker' ones stopped (eventually thank goodness - I was getting up to 60 a day), so I wonder if it is related?
Gotta love people with nothing better to do!! :-)