Sponsored by..

Thursday, 5 February 2015

Malware spam: "Unable to deliver your item, #000022074" / "FedEx 2Day A.M"

This fake FedEx spam has a malicious script attached.

From:    FedEx 2Day A.M.
Date:    5 February 2015 at 15:01
Subject:    PETRO, Unable to deliver your item, #0000220741

FedEx ®
Dear Petro,

We could not deliver your item.
You can review complete details of your order in the find attached.

Yours sincerely,
Marion Bacon,
Delivery Manager.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.
Attached is a file FedEx_0000220741.zip which contains a malicious javascript which is highly obfuscated [pastebin] but it is a bit clearer when deobfuscated [pastebin]. This script has a moderate detection rate of 9/56, and downloads a file from:
Which is saved as %TEMP%\11827407.exe. This has a low detection rate of 3/56. Automated analysis tools [1] [2] [3] don't give much of a clue as it has been hardened against analysis.

UPDATE: This tweet gives a bit more insight into the malware..
The malware dropped seems to be Boaxxe/miuref: ET TROJAN Miuref/Boaxxe Checkin {TCP} ->
So, I would definitely recommend blocking and also the domain coldserv24.com which is hosted on that server and may be malicious.



Nick Driver said...

ThreatExpert seems to think it also calls out to m.googlex[.]me and w.googlex[.]me


Ian Leigh said...

I opened the zip file in my android phone. Am I in trouble?

I have downloaded the zip to my laptop (without opening it) to scan it and try to find more info, but so far my antivirus and malware doesn't detect it.


Kristina Joy Honda said...

We were expecting a package and I opened it assuming there was something wrong. I have a macbook. I deleted the file and unzipped file. Is there anything else now to get rid ofd the virus?