Sponsored by..

Friday, 7 June 2013

"PAYVE - Remit file" spam / CD0607213.389710762910.zip

This fake American Express Payment Network spam has a malicious attachment.

Date:      Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
Subject:      PAYVE - Remit file

A payment(s) to your company has been processed through the American Express Payment
The remittance details for the payment(s) are attached (CD06072013.389710762910.zip).

   -   The remittance file contains invoice information passed by your buyer. Please
contact your buyer
       for additional information not available in the file.

   -   The funds associated with this payment will be deposited into your bank account
according to the
       terms of your American Express merchant agreement and may be combined with other
American Express deposits.
       For additional information about Deposits, Fees, or your American Express merchant
       Contact American Express Merchant Services at 1-800-528-0265 Monday to Friday,
8:00 AM to 8:00 PM ET.    -  You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
      If you are not enrolled in My Merchant Account/OMS, you can do so at
      or call us at 1-866-220-3581, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
      For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
      and DDA (account number) on hand.

This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.

Copyright 2013 American Express Company. All rights reserved Contact Customer Service:

"This message and any attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended recipient, any
disclosure, copying, use, or distribution of the information included in this message and
any attachments is prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this message and any
attachments. Thank you."
Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46 anti-virus scanners detect it.

The Comodo CAMAS report gives some details about the malware, including the following checksums:


The malware attempts to download further components from storeyourbox.com on (Linode, US) which looks like a legitimate server that has been badly compromised. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:


Update: the ThreatExpert report took a long time to process, but is quit interesting. It shows DNS queries for:

The following URLs are accessed:

archeting.it and errezeta.biz are hosted on IPs belonging to Aruba S.p.A. in Italy ( and respectively). I've long suspected that there's a serious problem with Aruba due to a very high incidence of malware sites. Those are shared hosting IPs and as far as I can tell the rest of the sites on those servers are clean. and (Telmex, Colombia and Register.com US) have been seen before and don't seem to be shared hosts. I would strongly recommend blocking them.

No comments: