Tuesday, January 31, 2017

Our USPS courier can not contact you parcel # 781125158 (Virus)


Your parcel was successfully delivered at Fri, 27 Jan 2017 12:42:51 +0300
to USPS Station, but our courier cound not contact you.
You can find more details in this e-mail attachment!

All the best.
Alishia Rawe - USPS Station Manager.


Email analysis :

NOTE : afoytaay7@maurerfunerals.com.au
NOTE : Received : from maurerfunerals.com.au
NOTE : (194-28-243-94.pppoe.scatplus.ru [])

File analysis :

OPEN : Delivery-Details.zip
SHA256 : 0ec1592225d89afbe04e8d15a16dfbd95b45864e31a60b0dea1d0529367acf50

Virus analysis :

ALYac : Trojan.JS.Downloader.HMV
Ad-Aware : Trojan.JS.Downloader.HMV
AegisLab : Troj.Downloader.Script!c
AhnLab-V3 : JS/Obfus
Antiy-AVL : Trojan[Downloader]/JS.Nemucod
Arcabit : Trojan.JS.Downloader.HMV
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.JS.Downloader.HMV
CAT-QuickHeal : JS.Nemucod.BQN
Cyren : JS/Agent.WN!Eldorado
DrWeb : JS.DownLoader.3302
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CBS
Emsisoft : Trojan.JS.Downloader.HMV (B)
F-Prot : JS/Agent.WN!Eldorado
F-Secure : Trojan.JS.Downloader.HMV
Fortinet : JS/Nemucod.D27C!tr
GData : Trojan.JS.Downloader.HMV
Ikarus : Trojan-Downloader.JS.Nemucod
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.on
McAfee-GW-Edition : JS/Nemucod.on
eScan : Trojan.JS.Downloader.HMV
Microsoft : TrojanDownloader:JS/Nemucod
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Rising : Downloader.Nemucod!8.34-jtWRudNFo0M (cloud)
Sophos : JS/DwnLdr-RHP
Symantec : Trojan.Gen.7
Tencent : Js.Trojan.Raas.Auto

File analysis :

The file contains 3 elements:

- 1 JS script, Delivery-Details.js
- 2 entries with blank filenames and hashed content.

For more information about this virus, contact me at contact@scam.cz

Ms.Ella Golan

I am Ms.Ella Golan, I am the Executive Vice President Banking Division with FIRST INTERNATIONAL BANK OF ISRAEL LTD (FIBI). I am getting in touch with you regarding an extremely important and urgent matter. If you would oblige me the opportunity, I shall provide you with details upon your response.

Ms.Ella Golan

Email analysis :

NOTE : jgonzalez@conacyt.gov.py
NOTE : egolan001@gmail.com
NOTE : Received : from [] (unknown [])
NOTE : by correo.conacyt.gov.py (Postfix)
NOTE : conacyt.gov.py

NOTE : A government website was used to relay this scam.

Blocked Transaction. Case No 482168537 (Virus)

The Automated Clearing House transaction (ID: 765241823), recently initiated
from your online banking account, was rejected by the other financial

Canceled ACH transaction

ACH file Case ID : 207878605
Transaction Amount : 1220.03 USD
Sender e-mail : cyogmu18381025@southwoodchurch.org
Reason of Termination : See attached statement

Email analysis :

NOTE : cyogmu18381025@southwoodchurch.org
NOTE : client-ip=;
NOTE : Received : from southwoodchurch.org
NOTE : (h83-174-220-43.static.bashtel.ru [])

Open file :

OPEN : document_1.zip
EXTRACT : Empty file...
NOTE : Weird...

[Alibaba Inquiry Notification] Andrew Krivenko has sent you an inquiry (Alibaba Phishing)

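www.Alibaba.com Trade Center
IP:182.***.***.40
Friendly reminder: this buyer has enabled privacy protection, so we have provided a proxy mailbox to help you get in touch with the buyer. You can now reply to this email directly, but please do not delete any of its content, otherwise you will not be able to reach the buyer.
Andrew Krivenko from UKRAINE has sent you an inquiry
View Details
Manage Your Orders
Jacky Lui
Andrew Krivenko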


Dear. Sir

We are Ukraine company. Please i want to know if you have the attached sample in stock and how long it takes to ship to Ukraine we want to place order immediately. Please reply to our email.

Best Regards
Mr. Krivenko

Company Name. U.E.E.S.I.
President. Krivenko
Mobile. 380-10-9118-3105
Company Phone. 380-32-819-3318
Company Fax. 380-32-819-3317
e-mail. import@ueesi.com
WeChat ID : kriven010911383105
attach.png It contains an attachment. Please sign into Trade Center to check it.


1. Tips for International Trading on Alibaba.com
2. Some top tips for safe trading on Alibaba.com

Recent Activity on Alibaba.com:

1. Pipelines for ordering on Alibaba.com
2. Recent new functions and promotions on Alibaba.com

Email Setting | Customer Services |
Help center | My Alibaba
You received this email because you are registered on Alibaba.com
Read our Privacy Policy and Terms of Use
Alibaba.com Hong Kong Limited.
26/F Tower One, Times Square, 1 Matheson Street, Causeway Bay, Hong Kong
Tel: (+852) 2215-5100


Screenshot of the phishing :

Email analysis :

NOTE : feedback@service.alibaba.com
NOTE : client-ip=;

Phishing analysis :

CLICK : VIEW Details
OPEN : http://sanantoniodenia.es/94582
REDIRECT : http://iluni-psiui.org/*
NOTE : This Account has been suspended.
NOTE : @AlibabaGroup phishing attempt. | #Alibaba #Phishing

Reply (Phishing)

Dear *@*

We noticed that you are running very low on storage volume.

Kindly verify email with the server to ensure smooth mailing experience.

click here to increase more free data

When data get's to 100% used it will lead to certain mail malfunctions and lost of files in the near future.

Storage Mail Help Desk.
This email can't receive replies.

Email analysis :

NOTE : williamnicole.co.za
NOTE : info@williamnicole.co.za
NOTE : Received : from 199-255-214-84.anchorfree.com
NOTE : ([]

Phishing analysis :

CLICK : click here to increase more free data
OPEN : https://www.wefirstbranding.com/newsletters/issue55/shl/boxMrenewal.php?Email=*@*&.rand=*&lc=*&id=*&mkt=en-us&cbcxt=mai&snsc=1
NOTE : Phishing was removed.
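
The "Email analysis" notes for the USPS, ACH and storage-quota messages above share one pattern: the relay host recorded in the Received line does not belong to the domain of the sender address, and its name embeds an IP address in the style of an ISP customer pool. The triage check below is an added example, not part of the original post; the function names, finding labels and the benign example.org sample are assumptions made for illustration, and the registrable-domain guess is a crude heuristic.

```python
import re

# Matches "from <helo> (<rdns> [<ip>])"; rDNS and IP may be empty, as on this page.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s()]+)\s*\(\s*(?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]*)\]",
    re.I)
# Host names that embed an address (194-28-243-94.pppoe...) are typical of
# ISP customer pools and VPN exits, not of mail servers.
IP_IN_NAME_RE = re.compile(r"\d{1,3}(?:[-.]\d{1,3}){3}")

def org_domain(host):
    """Heuristic (assumption): last two labels, or three for xx.yy country-code names."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3 else 2
    return ".".join(labels[-n:])

def check_relay(sender, received):
    """Return triage findings for one sender address and one Received line."""
    m = RECEIVED_RE.search(received)
    if not m:
        return ["unparsed"]
    helo, rdns = m.group("helo"), m.group("rdns")
    relay = rdns or helo  # fall back to the HELO name when no rDNS was recorded
    findings = []
    if org_domain(relay) != org_domain(sender.rsplit("@", 1)[-1]):
        findings.append("relay-not-sender-domain")
    if rdns and org_domain(helo) != org_domain(rdns):
        findings.append("helo-rdns-mismatch")
    if IP_IN_NAME_RE.search(relay):
        findings.append("ip-embedded-hostname")
    return findings

# Constructed from the notes on this page (IP brackets are empty there too);
# the last entry is a made-up benign message for contrast.
SAMPLES = [
    ("afoytaay7@maurerfunerals.com.au",
     "from maurerfunerals.com.au (194-28-243-94.pppoe.scatplus.ru [])"),
    ("cyogmu18381025@southwoodchurch.org",
     "from southwoodchurch.org (h83-174-220-43.static.bashtel.ru [])"),
    ("info@williamnicole.co.za", "from 199-255-214-84.anchorfree.com ([])"),
    ("alerts@example.org", "from mail.example.org (mail.example.org [192.0.2.10])"),
]

if __name__ == "__main__":
    for sender, received in SAMPLES:
        print(sender, "->", check_relay(sender, received) or "no findings")
```

A non-empty result is a triage signal, not a verdict: legitimate mail sent through a third-party provider also trips relay-not-sender-domain.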