From: Western Union Help Desk [mes@prosselltda.cl]
Reply-to: Western Union Help Desk [mes@prosselltda.cl]
Date: 26 October 2016 at 20:07
Subject: Proof
Dear All,
To comply with customer service standards, we need to have the Proof of Payment for the following attached transaction that has been marked as paid by one of your Locations.
Please e-mail us a copy of the ?To Receive Money Form? as a Proof of Payment. If no TRMF or reason for delay were received by the above mentioned due date, we will consider the Transaction as Paid in Error and will proceed to reinstate it accordingly charging Paying Account.
In case there are an Automatic Customer Receipt (ACR) and a Handwritten Form, please send us both.
Click To View Click to download Click to open on browser
Thanks
Shameer Illyas
| Agent Support Officer |
| Western Union Money Transfer |
In this case, the link in the email goes to:
linamhost.com/host/Western_Union_Agent_Statement_and_summary_pdf.jar
This is a Java file, if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it won't run. VirusTotal identifies it as the Adwind Backdoor. The Malwr report shows it attempting to contact:
boscpakloka.myvnc.com [158.69.56.128] (OVH, US)
A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis. Check the Dropped Files section of the Malwr Report for more.
Personally, I recommend blocking all dynamic DNS domains such as myvnc.com in corporate environments. At the very least I recommend blocking 158.69.56.128.