Date: Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
From: USPS client manager Lelia Holden [reports@usps.com]
Subject: USPS delivery failure report
Priority: High Priority 1
Notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGL38SHK4T
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46.
The malicious binary has the following checksums:
| MD5 | df81b21e9526c571d03bc1fb189f233c |
| SHA1 | dd2fe390e3f16a7f12786799af927f62df6754c4 |
| SHA256 | db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a |
Comodo CAMAS reports some very unusual behaviour around LDAP registry keys, not present in the Anubis report or ThreatExpert report.
Update: a rather more comprehensive ThreatTrack report can be found here [pdf].
3 comments:
Sorry this isn't a comment on this particular notice - I am looking for some info on an email address and I don't know how else to communicate with you.
I have been getting subscription requests from this webpage
http://ymlp.com/subscribe.php?id=gjqmhqjgmgmghjubmhgquh
Can you tell me if it is something that I should be worrying about? I am running a scan at the moment for peace of mind - but the very strange address is panicking me a bit.
Many thanks
Terri
@Terri, ymlp.com is an email tracking link. The link seems harmless, but just says "You have entered an invalid e-mail address.". URLquery shows people searching for similar string (see http://urlquery.net/report.php?id=2190607). Looks safe, but I can't explain it.
Thanks very much Conrad, I appreciate your reply. Glad to hear nothing to worry about, but I started receiving this after the 'Russian hacker' ones stopped (eventually thank goodness - I was getting up to 60 a day), so I wonder if it is related?
Gotta love people with nothing better to do!! :-)
Post a Comment