
Wednesday 1 October 2014

"Homicide Suspect - important" spam

Ohmigod, the New York City police have finally tracked me down for eviscerating that spammer in Times Square.

From:     ALERT@police.uk [ALERT@police-uk.com]
Date:     1 October 2014 08:49
Subject:     Homicide Suspect - important

Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version: 852065

The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):


The Adobe Reader (from Adobe.com) will display and print the bulletin best.

You can Not reply to the bulletin by clicking on the Reply button in your email software.
Weirdly, the message comes from a police.uk email address and the link goes to a driving school in Australia. And it comes from which is an IP address in Kansas City.

Perhaps the biggest anomaly is the file that is downloaded: a ZIP file called file-viewonly7213_pdf.zip containing an executable, file-viewonly7213_pdf.scr, which is (as you might guess) malicious, with a VirusTotal detection rate of 2/55. The Anubis report shows that the malware phones home to santace.com, which is probably worth blocking or monitoring. Other analyses are pending.
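As an added example (not part of the original post), here is a Python check that a mail gateway or triage script could run on a ZIP attachment to flag members named like the `_pdf.scr` file described above. The extension list, the decoy pattern and the function names are assumptions, and the sample archive is constructed and inert.

```python
import io
import re
import zipfile

# Assumed list of extensions Windows runs directly; .scr is an ordinary PE file.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-type word placed just before the real extension to mislead the reader.
DECOY = re.compile(r"[._\- ](pdf|doc|docx|xls|xlsx|jpg|txt)$", re.IGNORECASE)


def inspect_zip(data: bytes) -> list:
    """Return one finding per archive member that has an executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = name.rpartition(".")
            ext = (dot + ext).lower()
            if not dot or ext not in EXECUTABLE_EXTS:
                continue
            encrypted = bool(info.flag_bits & 0x1)
            # Encrypted members cannot be read without a password, so skip the header check.
            has_mz = None if encrypted else zf.open(info).read(2) == b"MZ"
            findings.append({
                "member": info.filename,
                "extension": ext,
                "masquerades_as_document": bool(DECOY.search(stem)),
                "encrypted": encrypted,
                "pe_header": has_mz,
            })
    return findings


def build_sample() -> bytes:
    """Constructed, harmless archive that mirrors the naming seen in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("file-viewonly7213_pdf.scr", b"MZ" + b"\x00" * 62)  # inert stub
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample()):
        print(finding)
```
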

I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day.
