Wednesday, 27 August 2014

"Morupule Coal Mine" malware spam

This fake invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.

From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date:     27 August 2014 10:43
Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14

Hello ,   

Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.

Thank you      

Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine
Private Bag 35
Tel:  +267 494 1204
Cell: +267 71373569
Fax:  +267 4920643

Debswana Diamond Company Email Disclaimer: The information contained in this e-mail is confidential and may be subject to legal privilege. If you are not the intended recipient, you must not use, copy, distribute or disclose the e-mail or any part of its contents or take any action in reliance on it. If you have received this e-mail in error, please e-mail the sender by replying to this message. All reasonable precautions have been taken to ensure no viruses are present in this e-mail and the sender cannot accept responsibility for loss or damage arising from the use of this e-mail or attachments.

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer has anything to do with this spam email; in fact, it originates from a hacked machine in India.

The attachment has a VirusTotal detection rate of 5/54. My PDF-fu isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious.



Yes, beware - looks like a normal PDF


Yes, beware. Looks like a typical PDF.

Alistair Neil said...

Received: from [] (unknown [])
by my mail server (Postfix) with ESMTP id BDBE3276884
for ; Wed, 27 Aug 2014 13:24:43 +0100 (BST)
From: "Madikwe, Gladness"
To: my email removed
Subject: Tax Invoice for Delivery Note 11155 dated 22.08.14
Thread-Topic: Tax Invoice for Delivery Note 11155 dated 22.08.14
Thread-Index: Ac/AZtIfNVgZaQLbRBaiFsY8OcRf2A==
Date: Wed, 27 Aug 2014 08:34:20 -0400
Message-ID: <2C628BD334458645B75D0728AC60A86A07A8672F@DEBS-MCM-MRX-01.debswana.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []