Sponsored by..

Wednesday 24 April 2013

American Express spam / SecureMail.zip

Something bad happened to this spam on the way out from wherever spam emerges from. Still, it contains a malicious attachment which should be avoided.

Date:      Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
From:      American Express [Christian_Frey@aexp.com]
Subject:      Confidential - Secure Message from AMEX

                            Secure Message                                                                                                   
                                            The security of your personal information is of the utmost
importance to American Express, so we have sent the attached as a secure electronic file.
                       Note: The attached file contains encrypted data.                  
                 If you have any questions, please call us at 800-964-7890, option 3.
Representatives are available to assist you Monday through Thursday between 8:00 a.m. and
8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.                        The
information contained in this message may be privileged, confidential and protected from
disclosure. If the reader of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this communication is
strictly prohibited.                                                                 Thank you,           
American Express                                                                                                                   
                2012 American Express Company. All rights reserved.                                        
                                                              ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,

The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46 at VirusTotal. Comodo CAMAS doesn't tell us much except that it seems to phone home to angels-mail.com and has the following checksums:


What about angels-mail.com then? Well, it looks like a legitimate domain hosted on (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis a copy of which can be found here [pdf].

Recommended blocklist:

No comments: