Date: 15 October 2014 15:09
Subject: Shipping Information for [redacted]
Please see the shipping info
Processed on Oct 15/ 2014
This is to inform you that the package is being shipped to you. We also provided delivery terms to specified address.
Order number: 611541106
Order total: 3000.28 USD
Shipping date: Oct 16th 2014.
Please hit the button provided at the bottom to see more info about your package.
The link in the email goes to https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54.
The Malwr report indicates that the malware fails to install because of a bug in the code, a problem that also appears in all the other analysis tools that I tried.
malicious script [pastebin] that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it with the following command:
Gl.exe -pGlue1 -d%temp%This executable has a VirusTotal detection rate of 2/53. It bombs out of automated analysis tools (see the Malwr report) possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been infected by the executable running in the background.