Just got a new Email from so-called DHL


Userlevel 7
Badge +56
I knew it was, so I saved the zip attachment in my downloads folder and uploaded it to VirusTotal. I was the first to upload and scan the file, and the detection was 7/46. I scanned with WSA and it was detected also! Very cool!
 
https://www.virustotal.com/en/file/a0caaa4a73bd070889710bb333d28d1230ddaec6b0e0973e1cbb4bc62615cf11/analysis/1374786545/
 
c:usersdanieldownloadsshipment_label_ca_oshawa.zip/shipment_label_ca_oshawa.exe [MD5: BAB9B74D424AD73F6E083FEADBF5D86F] [Flags: 00080001.7583] [Threat: W32.Downloader.Gen]
 
This is real-world testing!
 
Cheers,
 
Daniel
 
Note: Please don't do this unless you know how to handle malware files; it's best to delete the email.

12 replies

Userlevel 7
Badge +56
I just got another one, and VirusTotal detects 6/46. I was the first to upload again: https://www.virustotal.com/en/file/d173a7460a81fd3c775a3ce85d0f55232c9136fcb4fcb30630fe332726deecfd/analysis/1375634320/
 
 
Also scanned with WSA and also detected!
c:usersdanieldownloadsshipment_label_ca_oshawa.zip/shipment_label_ca_oshawa.exe [MD5: 4EDCAEE580404FB5E3769FD365CB3F23] [Flags: 00080001.9628] [Threat: W32.Downloader.Gen]
 
Note: VirusTotal is not as reliable for detections, as it uses a command-line scan and does use other AV features; I use it as a baseline only.
 
TH
Userlevel 7
Badge +56
I got another one today from so-called DHL. I was first to upload again, 8/45, and WSA detects it also!
 
https://www.virustotal.com/en/file/cc011e55dea828c40a048f7708bf4a4633c9bef2d53f2144f57d276ab6dcb3f1/analysis/1376155258/
 
The thing is that the last few have been very specific to the name of my city, Oshawa.
 
Userlevel 7
Within the last few months I've received this email from "DHL" about once every 2 weeks. They must be catching many people with this malware. Another reason I'm glad I have the Big "W" protecting me. 😉
Userlevel 7
Badge +56
Yes, really! They can't do any damage, as you've got to click on the download link, so it's best just to delete them. But are yours specific to your city?
 
TIA,
 
Daniel
Userlevel 7
Yep, they sure are. Chesapeake, VA. That mail gets directed into my spam folder. I don't open them because I know I have nothing coming in by DHL. It's been about a week since I got my last one, which I deleted, so I'll probably be getting another within this week or next; I'll look at it closer when it comes in.
Userlevel 7
Badge +56
My ISP uses Yahoo Mail for their email services, but I was surprised it said my city. Next time I'm going to use a VPN to see if it's tracking the IP address.
 
Thanks Dave,
 
Daniel
Userlevel 7
Badge +56
I had one in my Deleted folder, and it does follow your IP, as I used a VPN and I got it from! But I tried a US address and it would not download; I also tried a UK address and it wouldn't download!
 
Daniel
 
And WSA detected and Deleted all!
 
Userlevel 7
Badge +56
I got another one from an email, but not DHL. VT detects it 2/48, and also WSA! ;)
 
Great work Webroot, as this is a real-world test!
 
Mon 23-09-2013 14:45:00.0265    Infection detected: c:usersdanieldownloadscase_3521932.zip/case_09232013.exe [MD5: DB67FE09D2D6854ACC8583C644A816F4] [3/00080001] [W32.Trojan.Gen]
 
https://www.virustotal.com/en/file/fd5ac3025c654c9c878bf886a6a43c8fde32688122da55c2f678a46db6827bd2/analysis/1379961888/
 
Cheers,
 
Daniel
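The WSA detection lines quoted in this thread carry everything a defender needs to triage a wave like this: the archive the lure came in, the executable inside it, its MD5, and the threat name. The parser below is an added example written for this thread; it is not Webroot code and not part of any post. It assumes only what the quoted lines show: the path is the whitespace-separated token just before `[MD5: ...]`, the threat name is the last bracketed field on the line, and a leading `Mon 23-09-2013 14:45:00.0265` style timestamp is optional. The sample log is constructed from the two line shapes in the thread (with a duplicate to show de-duplication by hash); `parse_vt_ratio` and `detection_rate` handle the "7/46" style counts the posters quote from VirusTotal.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the shape of the WSA detection lines quoted in the
# thread (same hashes and threat names as the posts). The third line repeats
# the first so de-duplication by MD5 is visible. Format beyond these lines is
# an assumption, not documented WSA behaviour.
SAMPLE_LOG = """\
c:usersdanieldownloadsshipment_label_ca_oshawa.zip/shipment_label_ca_oshawa.exe [MD5: BAB9B74D424AD73F6E083FEADBF5D86F] [Flags: 00080001.7583] [Threat: W32.Downloader.Gen]
Mon 23-09-2013 14:45:00.0265    Infection detected: c:usersdanieldownloadscase_3521932.zip/case_09232013.exe [MD5: DB67FE09D2D6854ACC8583C644A816F4] [3/00080001] [W32.Trojan.Gen]
c:usersdanieldownloadsshipment_label_ca_oshawa.zip/shipment_label_ca_oshawa.exe [MD5: BAB9B74D424AD73F6E083FEADBF5D86F] [Flags: 00080001.7583] [Threat: W32.Downloader.Gen]
"""

MD5_RE = re.compile(r"\[MD5:\s*([0-9A-Fa-f]{32})\]")
BRACKET_RE = re.compile(r"\[([^\]]*)\]")
# Optional leading timestamp: weekday, then DD-MM-YYYY HH:MM:SS.ffff
TIMESTAMP_RE = re.compile(r"^\w{3}\s+(\d{2}-\d{2}-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d+)")
# Extensions that run as code when double-clicked; the lures in the thread
# all deliver a .exe inside a .zip named like a shipping document.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


@dataclass(frozen=True)
class Detection:
    timestamp: Optional[datetime]
    archive: str   # container path, "" when the file was not inside an archive
    member: str    # file name inside the archive (or the bare path)
    md5: str       # lower-cased hex
    threat: str

    @property
    def executable_in_archive(self) -> bool:
        """True for the classic 'zip wrapping an executable' lure shape."""
        return self.archive.lower().endswith(".zip") and \
            self.member.lower().endswith(EXEC_EXTENSIONS)


def parse_detection(line: str) -> Optional[Detection]:
    """Parse one WSA-style detection line; return None if it carries no MD5."""
    m = MD5_RE.search(line)
    if m is None:
        return None
    tokens = line[:m.start()].split()
    path = tokens[-1] if tokens else ""
    archive, sep, member = path.rpartition("/")
    if not sep:                     # no archive: the whole path is the file
        archive, member = "", path
    brackets = BRACKET_RE.findall(line[m.end():])
    # Last bracketed field is the threat name, with or without a "Threat:" label.
    threat = brackets[-1].removeprefix("Threat:").strip() if brackets else "unknown"
    ts = TIMESTAMP_RE.match(line)
    timestamp = datetime.strptime(ts.group(1), "%d-%m-%Y %H:%M:%S.%f") if ts else None
    return Detection(timestamp, archive, member, m.group(1).lower(), threat)


def parse_log(text: str) -> List[Detection]:
    """Parse every detection line, keeping the first occurrence of each MD5."""
    seen, out = set(), []
    for line in text.splitlines():
        det = parse_detection(line)
        if det is not None and det.md5 not in seen:
            seen.add(det.md5)
            out.append(det)
    return out


def parse_vt_ratio(ratio: str) -> Tuple[int, int]:
    """Turn a quoted VirusTotal count like '7/46' into (hits, engines)."""
    hits_s, sep, total_s = ratio.strip().partition("/")
    if not sep:
        raise ValueError(f"not a hits/total ratio: {ratio!r}")
    hits, total = int(hits_s), int(total_s)
    if total <= 0 or hits < 0 or hits > total:
        raise ValueError(f"implausible ratio: {ratio!r}")
    return hits, total


def detection_rate(ratio: str) -> float:
    """Fraction of engines that flagged the sample, e.g. '7/46' -> 0.152."""
    hits, total = parse_vt_ratio(ratio)
    return hits / total


def triage_note(det: Detection, vt_ratio: str) -> str:
    """One-line triage summary: early-wave samples deserve a vendor submission."""
    rate = detection_rate(vt_ratio)
    shape = "exe-in-zip lure" if det.executable_in_archive else "loose file"
    status = "early wave, submit to vendors" if rate < 0.25 else "widely detected"
    return f"{det.md5} {det.threat} ({shape}): VT {vt_ratio} -> {status}"


if __name__ == "__main__":
    for det, ratio in zip(parse_log(SAMPLE_LOG), ["7/46", "3/48"]):
        print(triage_note(det, ratio))
```

The de-duplication matters because the same hash shows up more than once in a thread like this (the first two posts quote the same file name with different hashes, and a repeated delivery of an unchanged sample is common), and keying on the MD5 rather than the file name is what separates "same lure, new build" from "same build again".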
 
Userlevel 7
Badge
Yes, these fake invoices/PDFs from shipping companies routinely get 3/48.
 
My latest capture from today scored just two the first time I submitted it. I submitted the sample to 35+ companies a few hours ago. Only McAfee has added the detection so far.
http://www.threatexpert.com/report.aspx?md5=db67fe09d2d6854acc8583c644a816f4
 
Disclaimer:
VirusTotal does not include a deep heuristics engine, since they use command-line based versions of scanners, so the file would likely be picked up in the real world by some of the scanners listed. But still, 3/48 on an ongoing attack even after I notify the companies... not good.
Userlevel 7
You guys have all the fun POUT! I never get those emails. Sigh.
Userlevel 7
Badge +56
@ wrote:
 
Disclaimer:
VirusTotal does not include a deep heuristics engine, since they use command-line based versions of scanners, so the file would likely be picked up in the real world by some of the scanners listed. But still, 3/48 on an ongoing attack even after I notify the companies... not good.
I fully agree; it's only a baseline tool!
 
Daniel
Userlevel 7
@DavidP1970 wrote:
You guys have all the fun POUT! I never get those emails. Sigh.
Me too, because they are all caught by our company security solutions once they reach our mail server, so these mails cannot pass through to my mailbox. As for my other private mailboxes, no problem there either.