This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all (some other reports say their email has been hacked, it has not.. this is a forgery)
Date: Wed, 23 Apr 2014 08:13:19 +0000 [04:13:19 EDT]
From: Sue Mockridge [smockridges2@Broad-oak.co.uk]
Subject: Invoice 739545
Please can you let me have a payment date for the attached March Invoice?
(Main) 01884 242626 (Direct Dial) 01884 250764
Please consider the environment before printing
Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602
The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
The attachment is Invoice 493234 March 2014.zip which in turn contains a malicious executable Invoice 288910 March 2014.exe which has a VirusTotal detection rate of just 2/51.
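The zip-wrapping-an-executable pattern described here is easy to catch at the mail gateway before anyone double-clicks it. The following Python script is an added example, not code from the original post or from any vendor: it builds a constructed .eml that mimics the spam (same attachment and member names, with two marker bytes standing in for the executable), then inspects every attachment and lists zip members without extracting anything. The EXECUTABLE_EXTS list is a hypothetical triage set to tune for your environment.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should never arrive as an unsolicited "invoice".
# Hypothetical triage list for this example; extend it as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_eml():
    """Constructed sample mimicking the spam above: a zip attachment that
    wraps an 'executable'. The member is two marker bytes plus padding,
    not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice 288910 March 2014.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Sue Mockridge <smockridges2@Broad-oak.co.uk>"
    msg["Subject"] = "Invoice 739545"
    msg.set_content("Please can you let me have a payment date for the attached March Invoice?")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice 493234 March 2014.zip")
    return msg.as_bytes()


def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_attachments(raw):
    """Return one finding per attachment that is itself an executable or is a
    zip archive containing an executable member."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if _ext(name) in EXECUTABLE_EXTS:
            findings.append({"attachment": name, "reason": "executable attachment", "members": []})
            continue
        # Zip archives start with the "PK" local-file-header signature;
        # only the central directory is read, nothing is written to disk.
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                findings.append({"attachment": name, "reason": "corrupt zip", "members": []})
                continue
            bad = [m for m in members if _ext(m) in EXECUTABLE_EXTS]
            if bad:
                findings.append({"attachment": name, "reason": "archive contains executable", "members": bad})
    return findings


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_eml()):
        print(finding)
```

Extension matching alone is deliberately simple; a gateway rule would also want to inspect nested archives and password-protected zips, which cannot be listed this way.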
Automated analysis tools show attempted connections to the following URLs:
A new version of this is circulating with a malicious .PDF attachment April invoice 914254.pdf although this time the body text is "Please can you let me have a payment date for the attached April Invoice?" and subject is "Invoice 396038 April". Email addresses spotted so far include
The VirusTotal detection rate for this is 7/51. Automated analysis is somewhat inconclusive. There are some indications that this might be using an Acrobat flaw, CVE-2010-0188, which was patched a long time ago, so if you have an up-to-date version of Acrobat Reader you may be protected. Also, if you opened the email in Gmail and used Google's PDF viewer you should be OK too.
Remember though that .PDF files and other document types can also spread malware, so exercise caution when dealing with emails from unknown sources.
UPDATE 2014-05-06 II:
A contact analysed the PDF (thanks) and determined that it then downloaded an executable from [donotclick]dr-gottlob-institut.de/11.exe (I guess "11" is a Spinal Tap reference) which has a VirusTotal detection rate of just 4/51.
Automated analysis tools show that this in turn downloads components from the following locations:
This is very similar to the previous infection, although this time "11" has been dialed up to "111". This file (111.exe), which does various bad things, has a VirusTotal detection rate of only 2/52.
Because detection rates are still low, you might want to consider blocking the following domains:
UPDATE 2014-05-06 III:
Another downloaded file is:
This has a VirusTotal detection rate of just 1/51 which makes it almost invisible. Automated analysis shows that it creates fake svchost.exe and csrss.exe, and sends a DNS query for smtp.gmail.com among other things.
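Fake svchost.exe and csrss.exe copies are a reliable host-side tell, because the genuine binaries only ever run from a fixed location (System32, or SysWOW64 for 32-bit svchost) and, in svchost's case, only under services.exe. The script below is an added example written for this post, not the analyst's tooling: it runs a masquerading check over a constructed process listing that contains two legitimate entries and two mimicking what the sandbox output describes. SYSTEM_ROOT and the SAMPLE records are assumptions for the demonstration; in practice you would feed it output from a process enumeration tool or EDR telemetry.

```python
import ntpath

# Assumed default install location; adjust if %SystemRoot% differs.
SYSTEM_ROOT = r"C:\Windows"

# Where each genuine system process lives and who legitimately starts it.
# csrss.exe's real parent (smss.exe) exits after spawning it, so an absent
# parent is normal there; only a present but wrong parent is suspicious.
EXPECTED = {
    "svchost.exe": {"dirs": {"system32", "syswow64"}, "parents": {"services.exe"}},
    "csrss.exe": {"dirs": {"system32"}, "parents": {"smss.exe"}},
}


def flag_masquerading(processes):
    """Return records whose image name matches a Windows system process but
    whose directory or parent does not match where the real one comes from."""
    hits = []
    for proc in processes:
        rule = EXPECTED.get(proc["name"].lower())
        if rule is None:
            continue
        directory = ntpath.dirname(proc["path"]).lower()
        allowed = {ntpath.join(SYSTEM_ROOT, d).lower() for d in rule["dirs"]}
        reasons = []
        if directory not in allowed:
            reasons.append("unexpected path " + proc["path"])
        parent = (proc.get("parent") or "").lower()
        if parent and parent not in rule["parents"]:
            reasons.append("unexpected parent " + proc["parent"])
        if reasons:
            hits.append({"pid": proc["pid"], "name": proc["name"], "reasons": reasons})
    return hits


# Constructed process listing (not real telemetry): the first two entries are
# legitimate, the last two imitate dropped copies running from a user profile.
SAMPLE = [
    {"pid": 700, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 400, "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe", "parent": None},
    {"pid": 3120, "name": "svchost.exe", "path": r"C:\Users\victim\AppData\Roaming\svchost.exe", "parent": "explorer.exe"},
    {"pid": 3144, "name": "csrss.exe", "path": r"C:\Users\victim\AppData\Local\Temp\csrss.exe", "parent": "svchost.exe"},
]

if __name__ == "__main__":
    for hit in flag_masquerading(SAMPLE):
        print(hit["pid"], hit["name"], "; ".join(hit["reasons"]))
```

The path check alone catches the dropped copies; the parent check adds coverage for the case where malware writes into System32 itself on a machine where that directory is writable.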
Payload appears to be Gameover / P2P Zeus.
(btw, thanks to the #MalwareMustDie team for help!)
Another spam run is in progress, with yet another malicious PDF attachment, this time with a VirusTotal detection rate of 8/50.
The PDF downloads a file from:
...which has a VirusTotal detection rate of just 3/52. The Malwr analysis shows an attempted download from:
Out of these only the first download appears to be working; that binary has a detection rate of 27/52. Automated analysis of this binary shows that it attempts to connect to various legitimate services plus these suspect IPs in Russia:
Thanks again to the #MalwareMustDie team for assistance!