FedEx spam / PostalReceipt.zip

A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip

Date:      Tue, 27 Nov 2012 13:04:37 -0400
From:      "Office Mail" [no_replyFRL@cleveland.com]
Subject:      ID (I)JI74 384 428 2295 7492

FedEx   
  
Order: AX-7608-99659670234   
Order Date: Sunday, 25 November 2012, 10:35 AM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

GET POSTAL RECEIPT


Best Regards, The FedEx Team.
  
� FedEx 1995-2012 

In this case the download site was [donotclick]amsterdam.cathedralsoft.com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft.com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft.com have been compromised in this attack.

VirusTotal detection rates are very low. I don't currently have an analysis of the malicious payload.

Update: here is another variant, downloading from  [donotclick]brandandreputation.net/NOHDPQWPJJ.html  (195.249.40.193, TeamInternet Denmark)

Date:      Wed, 28 Nov 2012 A.D. 07:34:52 -0400
From:      "First-Class UPS logistics" [no.reply-FG@houston.com]
Subject:      Tracking Number (A)PSO79 089 360 1947 4933

FedEx    
   
Order: MN-8474-09876452234    
Order Date: Sunday, 24 November 2012, 11:36 AM

Dear Customer,

Your parcel has arrived at the post office at November 26.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

Detection rates are pretty miserable for this one too. It looks like a Bredolab variant.

Update 2:  another variant of the malware, this time downloading via [donotclick]www.cantoncityutah.com/OXSJOVVYOE.html (this tries to open PostalReceipt.zip in a window). Again, VirusTotal detection is not good.

Date:      Thu, 29 Nov 2012 A.D. 14:29:38 +0200
From:      "Office Mail" [NoReply@baltimore.com]
Subject:      Tracking Number (K)IR46 545 922 5276 0059

FedEx    
   
Order: HD-5468-483254683    
Order Date: Monday, 25 November 2012, 03:41 PM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012     

Update 3: yet another variant.. the payload wasn't working on this one though.

Date:      Fri, 30 Nov 2012 A.D. 07:57:38 -0400
From:      "First-Class logistics" [NoReply.368@tucson.com]
Subject:      Number (N)GDE82 422 446 0527 6243



FedEx
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

Update 4: this variant attempts to download [donotclick]catercut.ie/Postal-Receipt.zip (VirusTotal results here) via [donotclick]catercut.ie/KANHEPGVVM.html:

Date:      Fri, 30 Nov 2012 A.D. 14:33:35 -0400
From:      "UPS Mail" [NOreplyEAY@baltimore.com]
Subject:      ID (P)NRB90 564 295 9947 6165

FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012     

Update 5: another spam run, same payload as last time (updated VirusTotal results here). Link leads to [donotreply]drillsaw.com.au/VYWFBRIUBU.html which leads to a payload at [donotreply]drillsaw.com.au/Postal-Receipt.zip

Date:      Fri, 30 Nov 2012 A.D. 22:47:44 -0700
From:      "logistics UPS" [no.reply-UAC@losangeles.com]
Subject:      Tracking Detail (L)OK73 487 973 8524 5206


FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Update 6: yet another variant, this time downloading from [donotclick]exodionline.com/job.php?php=receipt (VirusTotal results here).

Date:      Sun, 02 Dec 2012 A.D. 15:13:18 -0400
From:      "UPS Receipt" [NOreply.815@irvine.com]
Subject:      Tracking ID (T)SB58 793 555 5502 9056

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

Update 7: this variant downloads from [donotclick]www.850spider.de/TYKXVHIFQH.html (report here):

Date:      Sat, 01 Dec 2012 A.D. 19:50:18 -0500
From:      "First-Class logistics" [NoReply-QEP@baltimore.com]
Subject:      Tracking Detail (K)HW33 625 799 6339 9731

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

Update 8: this one attempts (and fails) to download the payload from [donotclick]aucs.de/job.php?php=receipt - I haven't seen the payload for this yet.

Date:      Tue, 04 Dec 2012 05:13:30 -0600
From:      "U.P.S.Service" [no_replyQQW@tampa.com]
Subject:      Tracking Number (X)SO21 772 224 4605 7903

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

Update 9: another slightly different version, this one 404s:

Date:      Wed, 05 Dec 2012 A.D. 06:52:19 -0400
From:      "U.P.S.Service" [NOreplyPCP@birmingham.com]
Subject:      ID (I)PFP44 818 840 9369 1257

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Update 10: another version, this downloads from [donotclick]gaffashion.de/KUHZNRQXSG.php?php=receipt , VirusTotal results are patchy.

Date:      Wed, 05 Dec 2012 13:21:13 -0400
From:      "logistics UPS" [no.replyDD@cincinnati.com]
Subject:      Tracking Number (O)UBF96 497 677 7945 1347

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Update 11: even more of these today, the volumes seem to be ramping up. Detection rates are pretty miserable.

Subjects spotted:
Tracking Detail (S)AR71 347 275 0953 6096
Number (H)OY68 102 257 0143 6263
Tracking Number (A)WF09 061 710 9662 3209
Tracking Detail (Y)XEY08 661 121 7788 5937
ID (T)TU26 454 839 5856 0273
Number (651)36-651-651-7313-7313
Number (N)QGW24 822 128 6967 5066
Tracking Detail (J)RD66 396 145 5017 2968
Tracking ID (G)EQI40 177 581 4008 9333 

Dowload sites:
[donotclick]www.andovar.de/LNYYNMZAMK.php?php=receipt
[donotclick]biggis-musiktruhe.de/PQRZPJPCBG.php?php=receipt
[donotclick]threesolution.org/OGIKYWHWNJ.php?php=receipt
[donotclick]s375670599.online.de/RTJQIUZQOJ.php?php=receipt
[donotclick]Joeyscafeok.com/PHLNPDFSRV.php?php=receipt
[donotclick]www.edibaer.at/CPDWHUDQDM.php?php=receipt
[donotclick]architetturapc.altervista.org/VOWORTEUWM.php?php=receipt
[donotclick]myinci.net/XIGTTUBPNV.php?php=receipt

Update 12: another version with a tweaked malicious binary:

Date:      Fri, 07 Dec 2012 08:33:17 -0400
From:      "UPS Receipt" [NOreply.IDH@riverside.com]
Subject:      ID (D)RH64 621 035 9749 7042

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

In this case, the link goes to [donotclick]www.dol2day.com/QGYAMKOOBH.php?php=receipt which downloads Postal-Receipt.zip containing Postal-Receipt.exe. The VirusTotal results are not good. Another version uses the subject Number (A)CV88 683 994 7812 3447 

Update 13:  another couple of variants, the payload has morphed again and VirusTotal results are predictably very poor.

Date:      Sun, 09 Dec 2012 A.D. 12:20:15 -0400
From:      "Priority Mail Postal Service" [GJX_308@neworleans.com]
Subject:      Tracking Detail (Y)VH30 307 516 2676 5647

FedEx    
Order: SGH-3818-3779326179    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

====================

Date:      Sat, 08 Dec 2012 14:11:29 -0700
From:      "UPS Receipt" [NOreply.094@shreveport.com]
Subject:      Number (X)UJ39 079 034 0694 8327

FedEx    
   
Order: SGH-0987-4616781861    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Some other subject lines:
Number (A)CFV63 149 496 9260 0620
Tracking Detail (S)ESQ89 729 953 7596 6283

Some download sites (don't visit these unless you know what you are doing)
www.musikschule-nvp.de/SNDDAAWTBR.php?php=receipt
www.mcfcdonegal.com/OPMUYUCCIV.php?php=receipt
www.beller-das.de/NWAPXATXVT.php?php=receipt
www.trude-hau-rein.de/UWQNZZWFXZ.php?php=receipt

Update 14: just in time for Christmas..

Date:      Tue, 25 Dec 2012 00:07:07 +0200
From:      "Office 852" [mu-852@orlando.com]
Subject:      Tracking Detail (193)92-193-193-9477-9477

FedEx    
   
Order: VGH-4658-1148074435    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.

The binary has changed again, detection rates are patchy. Anubis reports that the malware calls home to 74.80.220.148:60000 which would make it a Zbot variant.

Update 15: this one loads via [donotclick]www.eurogleuf.nl/DERZRCUKKY.php?php=receipt , VitusTotal detection rates are just 7/46.

From:     Express Mail Service [user-989@louisville.com]
date:     26 December 2012 10:46
subject:     Tracking ID (580)53-580-580-3103-3103

FedEx    
   
Order: VGH-2024-9642451224    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.

Update 16: just in time for New Year's day, this one loads via [donotclick]www.subclix.com/QJXBJWUUEJ.php?php=receipt. VT detections are again patchy.

Date:      Sun, 06 Jan 2013 A.D. 05:11:30 -0500
From:      "Worldwide Express Mail Service" <support_489@coloradosprings.com>
To:      [redacted]
Subject:      Tracking Number (I)FG03 107 566 0859 2689

FedEx    
   
Order: HJF-8295-96674032    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

================


Date:      Sat, 05 Jan 2013 19:25:48 -0400
From:      "Worldwide Express Mail" <support.800@portland.com>
To:      [redacted]
Subject:      Number (M)EG25 627 586 0611 4432

*+++
FedEx   
   
Order: HJF-9667-27583280    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

================


Date:      Sat, 05 Jan 2013 A.D. 13:57:18 -0400
From:      "First-Class Mail Postal Service" <support.813@baltimore.com>
To:      [redacted]
Subject:      Number (V)TGS29 427 081 6880 9243

FedEx    
   
Order: HJF-3918-81582364    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

================


Date:      Sat, 05 Jan 2013 09:05:00 -0400
From:      "First-Class Mail Service" <DTU.160@baltimore.com>
To:      [redacted]
Subject:      Tracking Detail (S)JYD60 835 496 0448 5921

FedEx    
   
Order: HJF-8882-94725648    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

Example download sites:
[donotclick]omahadisability.com/UWOJIEUBLS.php?php=receipt
[donotclick]p-g-maintenance.co.uk/YLFDRZWNJP.php?php=receipt
[donotclick]cctvsecuritysystemshouston.com/XUAJAIPISI.php?php=receipt
[donotclick]itiyam.com/WEQOHWFEAK.php?php=receipt

Note the these URLs seem to be hardened against analysis, if you can't access them check your user agent and referrer strings.

Update 17: and more, this time with the following details:

Tracking Number (B)TXP55 992 494 4822 1645
Number (N)DD46 790 881 6344 2460

Order: HJF-4121-39707012
Order: HJF-2424-11089225

[donotclick]jcpub.com/SXYUXBKFQF.php?php=receipt
[donotclick]travelclinicsswansea.com/INJIETKYXV.php?php=receipt

 Update 18: another spam run, detection rates are a bit better for this one:

Date:      Wed, 09 Jan 2013 06:35:16 +0200
From:      "Shipping Service" [IAL_792@chesapeake.com]
Subject:      Tracking Detail (V)QT48 601 848 0556 8882

FedEx    
   
Order: JN-3254-98757378    
Order Date: Thursday, 3 January 2013, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

Variants:
Tracking ID (R)EBE08 923 976 4800 2506
Tracking ID (Y)OKX60 559 414 2225 0045
Order: JN-8274-10502299
Order: JN-9593-93771591

Sample download sites:
[donotclick]fibam.be/CMNVTXINXV.php?php=receipt
[donotclick]sofa-session.ch/PRRVWKCUQJ.php?php=receipt

Update 19: another spam run with the following characteristics:

Subject: Tracking Number (E)KA09 359 952 5829 0864
Order: JN-9160-75660784
Download site: [donotclick]endlich-ein-dsl-anschluss.de/HUPAHPNHTC.php?receipt=ss00_323
VirusTotal report

Update 20: another one, this time downloading from [donotclick]businesscoaching24.com/BWMIZNPQAT.php?receipt=802_195210783

Date:      Sun, 27 Jan 2013 13:09:22 +0100
From:      "Priority Mail Postal Service" [clients-669@columbus.com]
Subject:      Number (L)BVT74 159 159 2182 2182

Fed Ex    
   
Order: HCD-7626-14749451    
Order Date: Thursday, 17 January 2013, 11:10 AM

Dear Customer,

Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
FedEx 1995-2012    

Detection rates are patchy according to VirusTotal. The ThreatExpert report is here.

Update 21: another sample, this time from [donotclick]mydrugstoreus.net/get_file.php?print_receipt=ss00_323, VirusTotal results are 16/46.

Date:      Tue, 05 Feb 2013 19:20:36 -0400
From:      "Manager David Riddle" [manager@tampa.us]
Subject:      Order Detail

FedEx    
   
Tracking ID: 4013-85911016    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    

Update 22: this one downloads from [donotclick]zdsw.net/get_file.php?receipt_print=ss00_323 with VirusTotal detections at 12/46.

Date:      Wed, 06 Feb 2013 18:29:28 -0400
From:      "Manager William Burt" [service@greensboro.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 5739-64600336    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013     

According to ThreatExpert, this version attempts to connect to the following IP addresses which may be worth blocking:

46.4.178.174
66.84.10.68
66.232.145.174
77.79.81.166
80.90.198.43
81.93.248.152
84.38.159.166
85.186.22.146
85.214.50.161
89.19.20.202
94.101.86.146
173.255.203.178
190.111.176.13
202.153.132.24
202.169.224.202
217.11.63.194

Update 23: this variant downloads from [donotclick]www.ocadaval.com/tmp/vsgnpg.php?receipt_print=ss00_323 with VirusTotal detections of 16/46:

From: Manager Jayden Dickson [support@santaana.us]
Date: 8 February 2013 03:33:48 CET
Subject: Tracking Info
FedEx    
   
7475-42208096     Monday, 4 January 2013, 08:24 AM

Your parcel has arrived at February 6.Courier was unable to deliver the parcel to you at 6 February 05:51 PM.
To receive your parcel, please, print this receipt and go to the nearest office.    
          Print Receipt

Best Regards, The FedEx Team.        
       
FedEx 1995-2013        

Update 24: downloading from [donotclick]www.olmuccio.com/tmp/0iuziv.php?receipt_print=ss00_323 and with VirusTotal detections of just 10/46.

Date:      Mon, 11 Feb 2013 A.D. 13:35:56 -0500
From:      "Manager Daniel Acevedo" [manager@lexington.us]
Subject:      Order Information

FedEx    
   
Tracking ID: 2803-20131928    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 

Update 25: downloading from [donotclick]www.onzeklus.com/tmp/gnnvyg.php?receipt_print=ss00_323 with VirusTotal detections at just 7/44.

Date:      Wed, 13 Feb 2013 A.D. 16:28:00 -0400
From:      "Manager William Burt" [client@wichita.us]
Subject:      Shipping Service

FedEx    
   
Tracking ID: 2890-49318193    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 

Update 26: downloading from [donotclick]www.assembleserver.net/clients/comp/mirror.php?receipt_print=ss00_323 with VirusTotal detections of just 5/46.

Date:      Fri, 15 Feb 2013 10:44:44 -0400
From:      "Manager Jayden Soto" [manager@norfolk.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 4374-23102840    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 14.Courier was unable to deliver the parcel to you at 14 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    

According to Anubis, the malware attempts to call home to the following IPs:
66.84.10.68
72.29.84.159
87.118.122.19
94.101.86.146
173.255.203.178

Update 27: downloading from[donotclick]/phillipsflorist.co.uk/wp-content/plugins/akismet/mirror.php?receipt=ss00_323 with a detection rate of 4/45.

Date:      Wed, 20 Feb 2013 10:00:38 -0400
From:      "Manager Mason Marsh" [service@anaheim.us]
Subject:      Order Shipped

FedEx    
   
Tracking ID: 9702-66479247    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 18.Courier was unable to deliver the parcel to you at 18 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 

According to Anubis, this malware tries to call home to:
50.115.116.201
81.93.248.152
87.118.122.19
94.23.193.229
190.111.176.13
213.229.106.32


Update 28: another version, with a download site of [donotclick]www.2handhome.com/components/.ebgv3m.php?receipt=838_129704313 and a VirusTotal score of just 6/45.

Date:      Wed, 13 Mar 2013 05:54:18 -0700
From:      "Manager Liam Ortega" [support@lincoln.us]
Subject:      Tracking Information

FedEx    
   
Tracking ID: 6673-95490112    
Date: Monday, 4 March 2013, 10:22 AM

Dear Client,

Your parcel has arrived at March 7.Courier was unable to deliver the parcel to you at 7 March 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

 Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 

According to Anubis, the malware calls home to:
87.106.51.52:8080
91.121.156.162:8080
80.67.6.226:8080
93.125.30.232:8080
174.120.225.57:8080
91.121.28.146:8080
193.23.226.15:8080