The email has been digitally signed by Dropbox (which means exactly nothing) and is spoofing the wholly legitimate Broad Oak Ltd who have been a target of this sort of thing several times before.
From: Info via Dropbox
Date: 25 February 2015 at 05:38
Subject: Info Chemicals shared "MT 103_PO_NO!014.zip" with you
Signed by: dropbox.com
"Good day ,
How are you today
pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.
Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602
This electronic mail transmission may contain material that is legally privileged and confidential for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient or the employee or agent responsible for delivery of this message to the intended recipient, you are hereby notified that any disclosure, copying, dissemination, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify the sender immediately by responding to this electronic mail and then delete all copies including any attachments thereto from your computer, disk drive, diskette, or other storage device or media.
Maritim Barito Perkasa does not accept any liability in respect of communication made by its employee that is contrary to company policy or outside the scope of employment of the individual concerned."
Click here to view
(Info shared these files using Dropbox. Enjoy!)
In this case, the link in the email goes to:
and then to
Which leads to a malicious EXE file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a file .pdf.scr which has a detection rate of 11/57. According to the Malwr report it drops another executable with a detection rate of 9/57. The payload looks similar to the Zeus trojan.
Also, according to Malwr and ThreatExpert it attempts to communicate with an apparent web-to-Tor gateway at
onion.am is hosted on 18.104.22.168 (YISP Colo, Netherlands) and I suggest this isn't the sort of thing that you want on your corporate network regardless of its legitimate uses.
Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com who are normally quite good at dealing with this sort of thing.
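A mail or web gateway can catch this kind of download by inspecting the archive's member names and leading bytes rather than trusting the outer file name. The following is an added example, not part of the original post: it flags ZIP members with a decoy-plus-executable double extension such as the .pdf.scr described above. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Final extensions Windows runs directly; .scr is a PE executable by another name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Decoy extensions that make the name read as a harmless document.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def split_exts(name):
    """Return the lowercased (second-to-last, last) extensions of a member name."""
    base = name.rsplit("/", 1)[-1].rstrip(". ")  # Windows drops trailing dots/spaces
    parts = base.lower().split(".")
    if len(parts) < 2:
        return ("", "")
    prev = "." + parts[-2] if len(parts) >= 3 else ""
    return (prev, "." + parts[-1])


def scan_zip(data):
    """Return (member_name, reason) findings for a ZIP archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            prev, last = split_exts(info.filename)
            if last in EXECUTABLE_EXTS:
                reason = "double extension" if prev in DECOY_EXTS else "executable extension"
                findings.append((info.filename, reason))
            elif info.flag_bits & 0x1:  # encrypted: content cannot be inspected
                findings.append((info.filename, "encrypted member"))
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # PE/DOS magic under a document name
                        findings.append((info.filename, "PE header, non-executable name"))
    return findings


def build_sample():
    """Constructed archive for the demo; names and bytes are made up, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order details.pdf.scr", b"MZ constructed bytes")
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("scan.pdf", b"MZ constructed bytes")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```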