
Showing posts with label PDFs. Show all posts

Monday 8 June 2015

Malware spam: "Bank payment" / "sarah@hairandhealth.co.uk"

This fake financial spam does not come from SBP Hair and Health but is a simple forgery with a malicious attachment.

From: sarah@hairandhealth.co.uk [mailto:sarah@hairandhealth.co.uk]
Sent: Monday, June 08, 2015 10:10 AM
Subject: Bank payment

Dear customer

Please find attached a bank payment for £3083.10 dated 10th June 2015 to pay invoice 1757.  With thanks.

Kind regards

Attached is a file Bank payment 100615.pdf [VT 2/57] which appears to drop a Word document with a malicious macro. Although there are probably several versions of this attachment, according to the Hybrid Analysis report it downloads a component from:

This is saved as %TEMP%\biksampc.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] indicate network traffic to the following IPs: (Digital Ocean, Netherlands) (Selectel, Russia) (Global Telecommunications Ltd, Russia) (Internet Thailand Company Limited, Thailand) (RuWeb, Russia)

The Malwr report indicates that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:


Friday 24 April 2015

Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).

From:    Colin Fox [colin@nofss.co.uk]
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658 attached

The attachment is Sales Invoice 519658.pdf [VT 2/57]. This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].
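A PDF that carries a script and drops a second document leaves markers in the file that are cheap to check before anyone opens it. The following static triage script is an added example (not the blog's own tooling, and not derived from the sample discussed here): it inflates FlateDecode streams, decodes hex-escaped name tokens, and counts the keys that indicate active content. Both PDFs it scans are constructed fixtures built inside the script; the one flagged as suspicious hides its JavaScript action inside a compressed object stream with a hex-escaped /JS key, the kind of trick that defeats a plain grep.

```python
import re
import sys
import zlib

# Names that indicate active content. /JS and /JavaScript carry script, /OpenAction
# and /AA make an action fire without a click, /Launch and /EmbeddedFile are how a
# PDF can start or carry another file (the "PDF drops a Word document" pattern),
# and /ObjStm hides whole objects inside a compressed stream.
SUSPICIOUS_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA",
                   "/Launch", "/EmbeddedFile", "/ObjStm")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def inflate_streams(data: bytes) -> bytes:
    """Replace every stream body with its zlib-inflated form (best effort: bodies
    that are not zlib data are left untouched) so keywords hidden inside
    compressed streams become visible to a plain byte scan."""
    def _inflate(m):
        try:
            # decompressobj() ignores trailing bytes (the newline before 'endstream')
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return STREAM_RE.sub(_inflate, data)


def normalise_names(data: bytes) -> bytes:
    """PDF name tokens may be written with #XX hex escapes (/J#53 is /JS), a cheap
    way to dodge naive keyword scanners. Decode them before scanning."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes):
    """Return ({key: occurrences}, verdict) for one PDF byte string."""
    text = normalise_names(inflate_streams(data))
    counts = {}
    for key in SUSPICIOUS_KEYS:
        # the lookahead stops /AA from matching the start of a longer name
        counts[key] = len(re.findall(re.escape(key.encode()) + rb"(?![A-Za-z])", text))
    active = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"] + counts["/EmbeddedFile"]
    auto = counts["/OpenAction"] + counts["/AA"]
    if active and auto:
        verdict = "suspicious: active content that fires automatically"
    elif active:
        verdict = "suspicious: active content present"
    else:
        verdict = "no active-content markers found"
    return counts, verdict


def build_sample_pdf() -> bytes:
    """Constructed fixture (not a real sample and not a renderable document): the
    JavaScript action object is packed into a compressed object stream and its
    /JS key is hex-escaped, so grepping the raw file for /JS finds nothing."""
    inner = b"4 0 << /S /JavaScript /J#53 (app.alert('triage demo')) >>"
    packed = zlib.compress(inner)
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_benign_pdf() -> bytes:
    """Constructed fixture with no active content at all."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    # usage: triage.py <file.pdf>   (no argument scans the built-in fixture)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    counts, verdict = triage_pdf(data)
    for key, n in counts.items():
        print(f"{key:14} {n}")
    print(verdict)
```

A non-zero count is a reason to detonate the file in a sandbox or simply quarantine it, not a conviction on its own: legitimate forms use JavaScript too. The reverse is also true, since a PDF can reach the same keywords through encodings this scanner does not unpack, so a clean result only means "nothing obvious".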

There may be different versions of the macro, but in this case it downloads a component from:


..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to: (RuWeb CJSC, Russia) (TheFirst-RU, Russia) (TheFirst-RU, Russia) (StarNet SRL, Moldova)

In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:

Sample MD5s:

Wednesday 17 September 2014

The Furniture Market "TFM Confirmation - Order R12003585" spam

This fake order confirmation is not from The Furniture Market (thefurnituremarket.co.uk). It has a malicious PDF file attached to it that you should not open. The Furniture Market's computer systems have not been compromised.

From:     Marc - The Furniture Market [marc@thefurnituremarket.co.uk]
Date:     17 September 2014 15:40
Subject:     TFM Confirmation - Order R12003585

Good afternoon,

  Thank you for your order.  Please find attached to this mail, confirmation of the products ordered and collected from us earlier today.

  Should you have any further queries, then please do not hesitate to contact us.

Kind Regards,

Marc Chadwick

The Furniture Market
Tel: 01829 759 259
Email: marc@thefurnituremarket.co.uk
Web: www.thefurnituremarket.co.uk

VAT No. 904103182 | Company No. 6491540

Please consider the environment before printing this e-mail

It is trivially easy to fake who an email message is "From", and this email looks very convincing which makes me suspect that the bad guys have based it on a real message, possibly harvested from a hacked computer.
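Because the From: header is just text the sender types, the useful signals sit elsewhere: the envelope sender (Return-Path), the SPF/DKIM verdict the receiving server records in Authentication-Results, and the attachment types. The script below is an added example, not the blog's own tooling; the raw message it parses is constructed to mimic this lure (the 203.0.113.45 address is a documentation-range placeholder, and mail-relay.example.net and mx.example.com are invented hosts), and the list of "risky" extensions is an assumption drawn from the attachment types seen in the campaigns on this page.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment types used by the campaigns described on this page (PDF droppers,
# macro documents) plus the usual executable wrappers. Assumed list, adjust to taste.
RISKY_EXT = (".pdf", ".doc", ".docm", ".xls", ".xlsm", ".exe", ".scr", ".js", ".zip")

# Constructed raw message (not a real sample). From: claims to be the retailer,
# but the envelope sender, the receiving MTA's SPF/DKIM result and the attachment
# all point the other way.
SAMPLE_RAW = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from unknown (HELO mail.thefurnituremarket.co.uk) (203.0.113.45)
  by mx.example.com with SMTP; Wed, 17 Sep 2014 15:40:12 +0100
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: Marc - The Furniture Market <marc@thefurnituremarket.co.uk>
Subject: TFM Confirmation - Order R12003585
To: victim@example.com
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Thank you for your order.
--b
Content-Type: application/pdf; name="IR12003585-001.pdf"
Content-Disposition: attachment; filename="IR12003585-001.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b--
"""

# Constructed clean message for comparison: envelope and From: agree, SPF/DKIM pass.
CLEAN_RAW = b"""Return-Path: <marc@thefurnituremarket.co.uk>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=thefurnituremarket.co.uk; dkim=pass
From: marc@thefurnituremarket.co.uk
Subject: hello
Content-Type: text/plain

plain text, no attachment
"""


def header_domain(value) -> str:
    """Domain part of the address in a From: or Return-Path: style header."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage_message(raw: bytes) -> dict:
    """Compare what the message claims with what the receiving server recorded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} differs from From: domain {from_dom}")

    # Authentication-Results is written by our own MTA, so unlike From: it is trustworthy.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    risky = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    risky = [name for name in risky if name.endswith(RISKY_EXT)]
    if risky:
        findings.append("attachment type used in these campaigns: " + ", ".join(risky))

    return {"from_domain": from_dom, "findings": findings,
            "verdict": "suspicious" if findings else "no header red flags"}


if __name__ == "__main__":
    for label, raw in (("forged", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        result = triage_message(raw)
        print(label, result["verdict"])
        for line in result["findings"]:
            print("  -", line)
```

The envelope/From mismatch alone is weak evidence (mailing lists and forwarders produce it routinely), which is why the script reports each signal separately and lets a gateway rule or an analyst weigh them together.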

The attachment is IR12003585-001.pdf which is a malicious PDF file with a VirusTotal detection rate of 10/54. The VT report indicates that it is using vulnerability CVE-2013-2729 to execute malicious code. If you are using an up-to-date version of Acrobat Reader (or an alternative PDF reader) then there is a good chance that you will be OK.

The Furniture Market gets considerable kudos in my book for being very on the ball and having a great big warning notice on their site. Hopefully they are just as efficient when it comes to delivering furniture!

Thursday 4 September 2014

sage.co.uk "Invoice_7104304" spam

This fake invoice from Sage is actually a malicious PDF file:

From:     Margarita.Crowe@sage.co.uk [Margarita.Crowe@sage.co.uk]
Date:     23 July 2014 10:31
Subject:     FW: Invoice_7104304

Please see attached copy of the original invoice (Invoice_7104304).

Attached is a file sage_invoice_3074381_09042014.pdf which is identical to the payload for this Companies House spam circulated earlier.

Companies House "(AR01) Annual Return received" spam

This fake Companies House spam comes with a malicious attachment.

From:     Companies House [web-filing@companies-house.gov.uk]
Date:     4 September 2014 10:58
Subject:     (AR01) Annual Return received

Thank you for completing a submission Reference # (1650722).

    (AR01) Annual Return

Your unique submission number is 1650722
Please quote this number in any communications with Companies House.

Check attachment to confirm acceptance or rejection of this filing.

All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission.

Once accepted, these changes will be displayed on the public record.

Not yet filing your accounts online? See how easy it is...

For enquiries, please telephone the Service Desk on +44 (0)303 1234 500 or email enquiries@companieshouse.gov.uk

This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message.

Attached is a malicious PDF file ar01_456746_09042014.pdf which has a VirusTotal detection rate of 5/54. The Malware Tracker report shows that this attempts to exploit the CVE-2013-2729 flaw that was patched over a year ago.. so it may well be that if your version of Acrobat is up-to-date then you will be OK, as you will probably be if you use another PDF reader.

Wednesday 27 August 2014

"Customer Statements" malware spam

This brief spam has a malicious PDF attachment:

From:     Accounts [hiqfrancistown910@gmail.com]
Date:     27 August 2014 09:51
Subject:     Customer Statements

Good morning,attached is your statement.
My regards.

Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55. Analysis is pending.

"Morupule Coal Mine" malware spam

This fake invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.

From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date:     27 August 2014 10:43
Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14

Hello ,   

Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.

Thank you      

Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine
Private Bag 35
Tel:  +267 494 1204
Cell: +267 71373569
Fax:  +267 4920643

Debswana Diamond Company Email Disclaimer: The information contained in this e-mail is confidential and may be subject to legal privilege. If you are not the intended recipient, you must not use, copy, distribute or disclose the e-mail or any part of its contents or take any action in reliance on it. If you have received this e-mail in error, please e-mail the sender by replying to this message. All reasonable precautions have been taken to ensure no viruses are present in this e-mail and the sender cannot accept responsibility for loss or damage arising from the use of this e-mail or attachments.

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer has anything to do with this spam email; in fact it originates from a hacked machine in India.

The attachment has a VirusTotal detection rate of 5/54. My PDF-fu isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious.

Wednesday 30 July 2014

QuickBooks "Important - Payment Overdue" spam has a malicious PDF attachment

This fake QuickBooks Invoice spam comes with a malicious payload:

From:     QuickBooks Invoice [auto-invoice@quickbooks.com]
Date:     29 July 2014 23:08
Subject:     Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 07/30/2014 as outlined under our "Payment Terms" agreement.

Thank you for your business,

Josephine Shirley

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

The attached file (in this case invoice_7564675_07292014.pdf) contains an exploit with a VirusTotal detection rate of 7/53. I haven't had a chance to analyse the exploit myself yet.

Wednesday 18 June 2014

Lloyds Bank Commercial Finance "Customer Account Correspondence" spam

Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:

From:     Lloyds Bank Commercial Finance [customermail@lloydsbankcf.co.uk]
Date:     18 June 2014 12:48
Subject:     Customer Account Correspondence

This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.

If you have received this email in error please contact the individual or customer care team whose details appear on the statement.

This email message and its attachment has been swept for the presence of computer viruses.

Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance.co.uk

Ensuring that your PDF reader is up-to-date may help to mitigate against this attack.

Wednesday 14 April 2010

"IMPORTANT: Royal Mail Delivery Invoice #1092817" Virus / Trojan

The wording may vary, but this is a PDF exploit currently doing the rounds pretending to be from Royal Mail. Sophos, F-Secure and Avast detect it along with some other products (VT results here) but otherwise detection is patchy.

Subject: IMPORTANT: Royal Mail Delivery Invoice #1092817
From: "Royal Mail" <delivery@royalmail.com>
Date: Wed, April 14, 2010 11:28 am

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.


The bad PDF file looks like some sort of calendar; I have not yet been able to analyse exactly what sort of evil things it does.

If you still use Adobe Acrobat then you should make sure that you update to the latest version which is 9.3.2, or use an alternative like Sumatra.

Wednesday 13 January 2010

Convincing-looking OWA fake leads to PDF exploit

These are getting spammed out at the moment:

From: automailer@blahblah.blah [mailto:automailer@blahblah.blah]
Sent: 13 January 2010 11:08
To: Victim Username
Subject: The settings for the username@blahblah.blah mailbox were changed

Dear user of the blahblah.blah mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (username@blahblah.blah) settings were changed. In order to apply the new set of settings click on the following link:


Best regards, blahblah.blah Technical Support.


The displayed link isn't the actual link, underneath it points to something like:

Clicking through the link takes you to a convincing looking OWA (Outlook Web Access) forgery page, populated with the victim's domain name and email address.
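The trick described above, a link whose visible text is the victim's own mail host while the href points somewhere else, can be caught mechanically before a user ever sees it. The script below is an added example, not tooling from the blog: it walks every anchor in an HTML mail body and flags those whose displayed URL and real target are on different sites, as well as the related case where the real host is disguised behind a user@host prefix. The sample body is constructed to mimic this lure and reuses the post's blahblah.blah and vcrtp1.eu names; nothing else is taken from the original messages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body modelled on the OWA lure. Anchor 1 shows the victim's own
# mail host but leads to the lure domain; anchor 2 is honest; anchor 3 is plain
# "Click here" text that cannot be visually checked; anchor 4 puts a fake host in
# the userinfo part so the text and the real host look identical.
SAMPLE_BODY = """
<p>In order to apply the new set of settings click on the following link:</p>
<p><a href="http://vcrtp1.eu/owa/?user=username@blahblah.blah">https://mail.blahblah.blah/owa/settings</a></p>
<p><a href="https://mail.blahblah.blah/owa/">https://mail.blahblah.blah/owa/</a></p>
<p><a href="http://vcrtp1.eu/x">Click here</a></p>
<p><a href="http://mail.blahblah.blah@vcrtp1.eu/owa/">http://mail.blahblah.blah@vcrtp1.eu/owa/</a></p>
<p>Best regards, blahblah.blah Technical Support.</p>
"""

# Visible text that a reader would take for a URL (scheme optional, host, optional path).
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_url(url: str):
    """urlparse() only finds the host when a scheme is present; bare 'www.x.y' text has none."""
    return urlparse(url if "://" in url else "http://" + url)


def same_site(a: str, b: str) -> bool:
    """True when one host equals or is a subdomain of the other (mail.x.y vs x.y)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_deceptive_links(html: str) -> list:
    """One dict per anchor whose visible URL does not lead where it says, or whose
    real target hides the real host behind a user@ prefix."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = parse_url(href)
        if target.username is not None:
            findings.append({"shown": text, "actual": href, "reason": "userinfo before real host"})
            continue
        if not LOOKS_LIKE_URL.match(text):
            continue  # "Click here" text: nothing to compare, so nothing to flag here
        shown_host = (parse_url(text).hostname or "").lower()
        real_host = (target.hostname or "").lower()
        if not same_site(shown_host, real_host):
            findings.append({"shown": text, "actual": href,
                             "reason": f"text says {shown_host}, link goes to {real_host}"})
    return findings


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_BODY):
        print(f"{hit['reason']}: shown={hit['shown']!r} actual={hit['actual']!r}")
```

The "Click here" case is deliberately not flagged: there is no visible URL to contradict, so it is a question of user training and URL rewriting at the gateway rather than of text comparison.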

There are two exploits on the page, the first one is a drive-by download of an infected PDF file called pdf.pdf for which VirusTotal detection is only 10/41, detected by McAfee as Exploit-PDF.ac and various others. The executable file you are directed to download is also a bit patchy on detections.

Sender names include:
  • operator@
  • support@
  • notifications@
  • no-reply@
  • system@
  • alert@
  • info@
..all on your local domain, obviously.

Subjects include:
  • The settings for the blah@blah.blah mailbox were changed
  • The settings for the blah@blah.blah were changed
  • A new settings file for the blah@blah.blah mailbox
  • A new settings file for the blah@blah.blah has just been released
  • For the owner of the blah@blah.blah e-mail account
  • For the owner of the blah@blah.blah mailbox

Some domains in use on this are:
  • vcrtp1.eu
  • vcrtp21.eu
  • vcrtprsa21.eu
  • vcrtpsa21.eu
  • vcrtrsa21.eu
  • vcrtrsr21.eu
  • vcrtrsrp2.eu
  • vcrtrsrp21.eu
..there are probably many more of a similar pattern.

WHOIS details are fake:
Quezada, Ramon
1800 N. Bayshore Drive
33132 Roma
Domains are on a fast flux botnet, so there's no point listing IPs. However, nameservers are as follows:
ns1.raddoor.com [Netrouting Data Facilities, Amsterdam]
ns2.raddoor.com [Verizon Internet Services Inc, Aston]
ns1.elkins-realty.net [Netrouting Data Facilities, Amsterdam]
ns2.elkins-realty.net [Verizon Internet Services Inc, Whitesboro]

Registrant details for raddoor.com are probably bogus:

edmund pang figarro77@gmail.com
751 kinau st. #30
Phone: +1.8085362450
Registration details for elkins-realty.net are DEFINITELY bogus:
Name : B O
Organization : B O
Address : 123 elm str.
City : Los Angeles
Province/State : beijing
Country :
Postal Code : 23456
Phone Number : 86--8586104812
Fax : 86--8586104819
Email : BO.la@yahoo.com
Once your machine is compromised, it probably ends up infected with a Zbot variant, as in these two previous examples.

Wednesday 14 October 2009

Suspect ad network leads to PDF exploit

This was picked up from an ad apparently running on grooveshark.com

An ad from ad.technoratimedia.com loads an ad from ad.yieldmanager.com.. so far, pretty normal.

The next step is:

This domain is protected by DomainsByProxy, registered in December 2007 and is hosted

The site has the following contact details:

Bootcamp Media
121 Wyndham St. N.
Suite 202
Guelph, Ontario, Canada
N1H 4E9



Bootcampmedia.com has a near-zero profile, but it may well be a legitimate company.

After this, the visitor starts to go well off the beaten track. The next hop is traffic.firedogred.com/content?campaign=1219131&sz=2

firedogred.com is registered to:

Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

That email address of trafficbuyer@gmail.com is well known. The subdomain traffic.firedogred.com is dual-homed on and (both NTT America, Inc).

The next hop is show.sheathssubtotal.info/rotate?m=3;b=2;c=0;z=406377

sheathssubtotal.info was registered on 17th September with the same "trafficbuyer@gmail.com" contact details as firedogred.com.

show.sheathssubtotal.info is dual homed on, (both NTT America, Inc).

Yet another hop, this time to content.neighbanner882.info/track/3388081/S_SE?{munged}

neighbanner882.info was created on 7th August 2009, registered to trafficbuyer@gmail.com (again). content.neighbanner882.info is hosted on at some outfit called Linode.

Yet another hop, this time to winckag.com which is currently down but was hosted on (Netdirekt E.k) who are pretty well known for hosting bad sites (but they may well have nuked this one already, and if so.. well done!)

The owners of winckag.com have something to hide..

96 Mowat Ave
Toronto, ON M6K 3M1

Domain name: WINCKAG.COM

Administrative Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
Technical Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1

Registration Service Provider:
domainsnext.com, Sales@DomainsNext.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 04-Oct-2009.
Record expires on 04-Oct-2010.
Record created on 04-Oct-2009.

Registrar Domain Name Help Center:

Domain servers in listed order:

This loads an image from img.sheathssubtotal.info/120x600/54019.gif multihomed on,, (some sort of cloud hosting) and then loads the following:

Those nameservers on are interesting, that's PanamaServer.com who are well known for supporting malware.

Finally, winckag.com appears to try to load a Troj/PDFJs-DY trojan onto the victim's machine.

You should certainly avoid ads running on firedogred.com, sheathssubtotal.info, neighbanner882.info, winckag.com or any domain registered to trafficbuyer@gmail.com. Make up your own mind about Boot Camp Media - these small ad networks are very often targeted by the bad guys, but they really need to get their act together.

Wednesday 24 September 2008

Asprox: h3x.info

Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].

h3x.info doesn't fit the normal pattern, perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site.. and a pretty scary one at that.

Let's look at the domain details first of all. As you might expect, they're mostly bogus:

Domain ID
Domain Name
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Registrant ID
Registrant Name
Registrant Organization
Registrant Street1
vol. str. 221-122, 12
Registrant Street2

Registrant Street3

Registrant City
Registrant State/Province
Registrant Postal Code
Registrant Country
Registrant Phone
Registrant Phone Ext.

Registrant FAX

Registrant FAX Ext.

Registrant Email


Name Server
Name Server
The domain itself is on which appears to be a general purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than it belongs to a customer.. overall they seem to be a pretty clean outfit.

Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.

Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.

It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.

Tuesday 3 June 2008

Some people are stupid

A classic post over at the F-Secure blog where some muppet "hacker" accidentally emailed out their malware generation tool and put it right into the hands of anti-virus researchers. To quote F-Secure: "Hey, thanks. Keep up the good work."

On a more serious note, this tool is used to generate trojanised PDF files. So go and check that your version of Adobe Reader is up to date right now before doing anything else..