Tuesday, November 28, 2017

*@* - recibo de pago según lo acordado!

Hola.

Como habíamos conversado el día 21/11/2017 Se ha efectuado la transferencia a su cuenta sobre la anulación de la compra, Por favor verifique.

Nota: Usted puede imprimir el recibo Clicando Aquí

B&F - Abogados Asociados - CL

Email analysis :

NOTE : abogados82734.com@live.com
NOTE : root@live.com
NOTE : root@live.com does not designate 173.255.211.90 as permitted sender


Phishing analysis :

CLICK : Clicando Aquí
STUDY LINK : https://bit.do/dUvpv?*@*.com
REMOVE EMAIL : https://bit.do/dUvpv
ADD - : https://bit.do/dUvpv-
SCREENSHOT :


DOWNLOAD : http://inmisrad.org/Comprobante.zip
FILE : VIRUS

Virus :

Cyren : JS/Downldr.ES2!Eldorado
DrWeb : VBS.Psyme.126
ESET-NOD32 : JS/TrojanDownloader.Banload.RM
F-Prot : JS/Downldr.ES2!Eldorado
Ikarus : Win32.Outbreak
Kaspersky : HEUR:Trojan.Script.Agent.gen
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Qihoo-360 : virus.js.qexvmc.1080
Rising : Downloader.Banload!8.15B (TOPIS:acBkcffG9cJ)
Symantec : JS.Downloader!gen40
ZoneAlarm : HEUR:Trojan.Script.Agent.gen

Paste :

PASTE : https://pastebin.com/upZWkBFT

Friday, November 3, 2017

Emailing: MD10 - 01.11.2017 (Virus)

Your message is ready to be sent with the following file or link
attachments:
MD10 - 01.11.2017

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your
e-mail security settings to determine how attachments are handled.

--
Thanks & Regards
Eric Sherwin
Senior Officer
Accounts & Finacne

MD10 - 01.11.2017.doc

Email analysis :

NOTE : Eric_dhiman@dickscheid.net
NOTE : Received : from 84.120.144.159.dyn.user.ono.com
NOTE : (84.120.144.159.dyn.user.ono.com [84.120.144.159])


NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Thunderbird/27.0

File analysis :

- OPEN : MD10 - 01.11.2017.doc
- FILE MD10 - 01.11.2017.doc is a virus

Virus analysis :

{"scans": {"Bkav": {"detected": false, "version": "1.3.0.9367", "result": null, "update": "20171102"}, "TotalDefense": {"detected": false, "version": "37.1.62.1", "result": null, "update": "20171102"}, "MicroWorld-eScan": {"detected": false, "version": "14.0.297.0", "result": null, "update": "20171103"}, "nProtect": {"detected": false, "version": "2017-11-03.01", "result": null, "update": "20171103"}, "CMC": {"detected": false, "version": "1.1.0.977", "result": null, "update": "20171102"}, "CAT-QuickHeal": {"detected": false, "version": "14.00", "result": null, "update": "20171102"}, "McAfee": {"detected": false, "version": "6.0.6.653", "result": null, "update": "20171031"}, "Malwarebytes": {"detected": false, "version": "2.1.1.1115", "result": null, "update": "20171103"}, "VIPRE": {"detected": false, "version": "62170", "result": null, "update": "20171103"}, "SUPERAntiSpyware": {"detected": false, "version": "5.6.0.1032", "result": null, "update": "20171103"}, "TheHacker": {"detected": false, "version": "6.8.0.5.2121", "result": null, "update": "20171102"}, "Alibaba": {"detected": false, "version": "1.0", "result": null, "update": "20170911"}, "K7GW": {"detected": false, "version": "10.29.25124", "result": null, "update": "20171102"}, "K7AntiVirus": {"detected": false, "version": "10.29.25131", "result": null, "update": "20171102"}, "Baidu": {"detected": true, "version": "1.0.0.2", "result": "Win32.Trojan-Downloader.Agent.kn", "update": "20171103"}, "F-Prot": {"detected": true, "version": "4.7.1.166", "result": "LNK/Downldr.gen", "update": "20171103"}, "Symantec": {"detected": true, "version": "1.4.0.0", "result": "Trojan.Mdropper", "update": "20171102"}, "ESET-NOD32": {"detected": true, "version": "16347", "result": "LNK/TrojanDownloader.Agent.HW", "update": "20171103"}, "TrendMicro-HouseCall": {"detected": true, "version": "9.950.0.1006", "result": "TROJ_POWLOAD.AUSJSH", "update": "20171103"}, "Avast": {"detected": true, "version": "17.7.3660.0", "result": "Other:Malware-gen [Trj]", "update": "20171103"}, "ClamAV": {"detected": true, "version": "0.99.2.0", "result": "Img.Dropper.PhishingLure-6362648-0", "update": "20171102"}, "Kaspersky": {"detected": true, "version": "15.0.1.13", "result": "Trojan-Downloader.MSWord.Agent.bqe", "update": "20171102"}, "BitDefender": {"detected": true, "version": "7.2", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "NANO-Antivirus": {"detected": false, "version": "1.0.100.19905", "result": null, "update": "20171103"}, "ViRobot": {"detected": true, "version": "2014.3.20.0", "result": "DOC.Z.Agent.132562", "update": "20171103"}, "Tencent": {"detected": false, "version": "1.0.0.1", "result": null, "update": "20171103"}, "Ad-Aware": {"detected": false, "version": "3.0.3.1010", "result": null, "update": "20171103"}, "Emsisoft": {"detected": true, "version": "4.0.1.883", "result": "Trojan.Agent.CPMC (B)", "update": "20171103"}, "Comodo": {"detected": false, "version": "27990", "result": null, "update": "20171103"}, "F-Secure": {"detected": true, "version": "11.0.19100.45", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "DrWeb": {"detected": true, "version": "7.0.28.2020", "result": "PowerShell.DownLoader.455", "update": "20171103"}, "Zillya": {"detected": false, "version": "2.0.0.3420", "result": null, "update": "20171102"}, "TrendMicro": {"detected": true, "version": "9.862.0.1074", "result": "TROJ_POWLOAD.AUSJSH", "update": "20171103"}, "McAfee-GW-Edition": {"detected": false, "version": "v2015", "result": null, "update": "20171103"}, "Sophos": {"detected": true, "version": "4.98.0", "result": "Mal/DownLnk-D", "update": "20171103"}, "Cyren": {"detected": true, "version": "5.4.30.7", "result": "ZIP/Trojan.VNUH-5", "update": "20171103"}, "Jiangmin": {"detected": false, "version": "16.0.100", "result": null, "update": "20171103"}, "Webroot": {"detected": false, "version": "1.0.0.207", "result": null, "update": "20171103"}, "Avira": {"detected": true, "version": "8.3.3.6", "result": "TR/Agent.cznoe", "update": "20171103"}, "Fortinet": {"detected": true, "version": "5.4.247.0", "result": "LNK/Agent.AG!tr.dldr", "update": "20171103"}, "Antiy-AVL": {"detected": false, "version": "3.0.0.1", "result": null, "update": "20171103"}, "Kingsoft": {"detected": false, "version": "2013.8.14.323", "result": null, "update": "20171103"}, "Arcabit": {"detected": true, "version": "1.0.0.827", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "AegisLab": {"detected": true, "version": "4.2", "result": "Troj.Winlnk.Agent!c", "update": "20171103"}, "ZoneAlarm": {"detected": true, "version": "1.0", "result": "Trojan-Downloader.MSWord.Agent.bqe", "update": "20171103"}, "Avast-Mobile": {"detected": false, "version": "171102-04", "result": null, "update": "20171102"}, "Microsoft": {"detected": true, "version": "1.1.14306.0", "result": "TrojanDownloader:O97M/Donoff!lnk", "update": "20171103"}, "AhnLab-V3": {"detected": true, "version": "3.10.1.19128", "result": "LNK/Autorun.Gen", "update": "20171102"}, "ALYac": {"detected": false, "version": "1.1.1.2", "result": null, "update": "20171103"}, "AVware": {"detected": false, "version": "1.5.0.42", "result": null, "update": "20171102"}, "MAX": {"detected": true, "version": "2017.6.26.1", "result": "malware (ai score=99)", "update": "20171103"}, "VBA32": {"detected": false, "version": "3.12.26.4", "result": null, "update": "20171102"}, "WhiteArmor": {"detected": false, "version": null, "result": null, "update": "20171024"}, "Zoner": {"detected": true, "version": "1.0", "result": "LNKScript", "update": "20171103"}, "Rising": {"detected": true, "version": "25.0.0.1", "result": "Trojan.Downloader!1.A420 (CLASSIC)", "update": "20171103"}, "Yandex": {"detected": false, "version": "5.5.1.3", "result": null, "update": "20171102"}, "Ikarus": {"detected": true, "version": "0.1.5.2", "result": "Trojan-Downloader.PS.Agent", "update": "20171102"}, "GData": {"detected": true, "version": "A:25.14678B:25.10801", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "AVG": {"detected": true, "version": "17.7.3660.0", "result": "Other:Malware-gen [Trj]", "update": "20171103"}, "Panda": {"detected": false, "version": "4.6.4.2", "result": null, "update": "20171102"}, "Qihoo-360": {"detected": false, "version": "1.0.0.1120", "result": null, "update": "20171103"}}, "scan_id": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f-1509678306", "sha1": "c10cb42d1ba7732c73c9928bd16ccfd1a161f6d6", "resource": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f", "response_code": 1, "scan_date": "2017-11-03 03:05:06", "permalink": "https://www.virustotal.com/file/db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f/analysis/1509678306/", "verbose_msg": "Scan finished, information embedded", "total": 61, "positives": 29, "sha256": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f", "md5": "a54eae632f1557f5104f57c2a87fd144"}

Thursday, August 24, 2017

About Payment 23-08-2017

Good day,

We have been instructed by your customer to make this transfer to you. Please we are very sorry for the delay in the payment, it was due to the Holidays. Attached is the Payment remittance copy for your reference.Please confirm for errors and get back to us through email.

Best Regards,
DANIEL MURRAY
Sharaf Exchange LLC.
Address:Sharaf Exchange Shop No. G15,
Union Co-Op Society,
Al Aweer,Near Fruit and Vegetable Market, Ras Al Khor, Dubai - UAE
Phone No:04-3200698
Website: http://www.sharafexchange.com

IMG-051220378052.DOC

Email analysis :

NOTE : danielmurray@mail.ru
NOTE : Received : from [104.243.26.4] (port=51917 helo=User)


NOTE : by shared.buxar-host.in
NOTE : bylinkove-zdravi@seznam.cz

Virus analysis :

Ad-Aware W97m.Downloader.GCK
AhnLab-V3 W97M/Downloader
BitDefender W97m.Downloader.GCK
DrWeb W97M.DownLoader.1802
eScan W97m.Downloader.GCK
F-Secure W97m.Downloader.GCK
GData W97m.Downloader.GCK
Ikarus Trojan-Downloader.VBA.Agent
MAX malware (ai score=81)
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic

317061979269082.doc (Virus)

317061979269082.doc

Email analysis :

NOTE : Return-Path: < noreply@xo.net >
NOTE : identity=mailfrom; client-ip=208.36.229.61;
NOTE : helo=xo.net; envelope-from=noreply@xo.net;
NOTE : Received: from xo.net (208.36.229.61.ptr.us.xo.net [208.36.229.61])
NOTE : Content-Type: application/msword; name="317061979269082.doc"
NOTE : From: < noreply@ulegv.com >
NOTE : 208.36.229.61.ptr.us.xo.net)

Virus analysis :

Ad-Aware W97M.Downloader.GDB
AegisLab Troj.Script.Agent!c
AhnLab-V3 W97M/Downloader
ALYac Trojan.Downloader.W97M.Gen
Arcabit HEUR.VBA.Trojan.e
Avast Other:Malware-gen [Trj]
AVG Other:Malware-gen [Trj]
Avira W97M/Dldr.Agent.mgjui
Baidu VBA.Trojan-Downloader.Agent.bup
BitDefender W97M.Downloader.GDB
Comodo UnclassifiedMalware
Cyren PP97M/Downldr
DrWeb W97M.DownLoader.1961
Emsisoft Trojan-Downloader.Agent (A)
eScan W97M.Downloader.GDB
ESET-NOD32 VBA/TrojanDownloader.Agent.DYZ
F-Prot New or modified PP97M/Downldr
F-Secure W97M.Downloader.GDB
Fortinet WM/Agent.Q!tr.dldr
GData W97M.Downloader.GDB
Ikarus Trojan-Downloader.VBA.Agent
Kaspersky HEUR:Trojan.Script.Agent.gen
MAX malware (ai score=99)
McAfee W97M/Downloader.cfm
McAfee-GW-Edition W97M/Downloader.cfm
Microsoft TrojanDownloader:O97M/Donoff
Panda O97M/Downloader
Sophos AV Troj/DocDl-KBA
Symantec W97M.Downloader
Tencent Win32.Trojan-downloader.Agent.Sxyr
TrendMicro W2KM_DLOADR.YYTCY
TrendMicro-HouseCall W2KM_DLOADR.YYTCY
ViRobot W97M.S.Agent.76249
ZoneAlarm HEUR:Trojan.Script.Agent.gen

Tuesday, January 31, 2017

Our USPS courier can not contact you parcel # 781125158 (Virus)

Hello,

Your parcel was successfully delivered at Fri, 27 Jan 2017 12:42:51 +0300
to USPS Station, but our courier cound not contact you.
You can find more details in this e-mail attachment!

All the best.
Alishia Rawe - USPS Station Manager.

Delivery-Details.zip

Email analysis :

NOTE : afoytaay7@maurerfunerals.com.au
NOTE : Received : from maurerfunerals.com.au
NOTE : (194-28-243-94.pppoe.scatplus.ru [194.28.243.94])


File analysis :

OPEN : Delivery-Details.zip
SHA256 : 0ec1592225d89afbe04e8d15a16dfbd95b45864e31a60b0dea1d0529367acf50
RESULT : FILE IS A VIRUS

Virus analysis :

ALYac : Trojan.JS.Downloader.HMV
Ad-Aware : Trojan.JS.Downloader.HMV
AegisLab : Troj.Downloader.Script!c
AhnLab-V3 : JS/Obfus
Antiy-AVL : Trojan[Downloader]/JS.Nemucod
Arcabit : Trojan.JS.Downloader.HMV
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.JS.Downloader.HMV
CAT-QuickHeal : JS.Nemucod.BQN
Cyren : JS/Agent.WN!Eldorado
DrWeb : JS.DownLoader.3302
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CBS
Emsisoft : Trojan.JS.Downloader.HMV (B)
F-Prot : JS/Agent.WN!Eldorado
F-Secure : Trojan.JS.Downloader.HMV
Fortinet : JS/Nemucod.D27C!tr
GData : Trojan.JS.Downloader.HMV
Ikarus : Trojan-Downloader.JS.Nemucod
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.on
McAfee-GW-Edition : JS/Nemucod.on
eScan : Trojan.JS.Downloader.HMV
Microsoft : TrojanDownloader:JS/Nemucod
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Rising : Downloader.Nemucod!8.34-jtWRudNFo0M (cloud)
Sophos : JS/DwnLdr-RHP
Symantec : Trojan.Gen.7
Tencent : Js.Trojan.Raas.Auto

File analysis :

The file contains 3 elements,

- 1 JS script Delivery-Details.js
- 2 blank filename with hashed content.

To have more information about this virus, contact me contact@scam.cz

Thursday, December 8, 2016

Message notification *@gmail.com (Link to virus)


Google

Nddcole Watddson (Google Support) just sent you a message:

06/12/2016

Undeliverable messages (*@gmail.com).

Get more information

Don't want occasional updates about Gmail activity? Change what email Google Team sends you.

Email analysis :

NOTE : Received : from server.oeirasdigital.pt
NOTE : (server.oeirasdigital.pt. [213.229.111.207])
NOTE : client-ip=213.229.111.207;


NOTE : X-Php-Originating-Script : 10000:bisend.php

Link analysis :

CLICK : Get more information
OPEN : http://projetomac.org/wp/Undeliverable_messages.html
DOWNLOAD A FILE : Undeliverable_messages.zip
INFORMATION : Undeliverable_messages.zip is a virus
SHA256 : be0908fbf059517f8ea204d1636e00a7810146fb9c920fc01bb4315b8e8e0067

Virus analysis :

AegisLab Troj.Downloader.Script!c
Arcabit HEUR.JS.Trojan.ba
Cyren JS/Nemucod.EY!Eldorado
F-Prot JS/Nemucod.EY!Eldorado
Fortinet Malware_Generic.P0
K7AntiVirus Trojan ( 004dfe6d1 )
K7GW Trojan ( 004dfe6d1 ) 20161208
Kaspersky HEUR:Trojan-Downloader.Script.Generic
Sophos Mal/DrodZp-A

Exposing virus :

PASTEBIN : http://pastebin.com/20PLKDCB
RAW : http://pastebin.com/raw/20PLKDCB



Tuesday, November 29, 2016

New incoming Fax from 908.8325722

You Have a new Fax message
From: 908.8145483
Receiving date: November 28, 2016
Pages: 3

You can view your message on our website:
https://service.ringcentral.com/ messages/download.aspx?fax_id=1805802

Thank you for using RingCentral.

Link analysis :

CLICK : https://service.ringcentral.com/ messages/download.aspx?fax_id=1805802
OPEN : http://787.vn/wp-content/themes/tourpackage-v1-02/backup/get.php?id=dGVzdEB0ZXN0LmNvbQ==
DOWNLOAD : fax_test.doc

File analysis :


OPEN : fax_test.doc
SHA256 : c0b3934b594a23dd88a42c0e96ccbbf7f88c633a19d82833d6d9bbf47630a0c1
RESULT : fax_test.doc is a virus

Virus analysis :

Avast : VBA:Downloader-DSL [Trj]
ClamAV : Doc.Dropper.Agent-1847249
Kaspersky : Trojan-Downloader.MSWord.Agent.avj
Qihoo-360 : virus.office.gen.70
Sophos : Troj/DocDl-FTZ
Symantec : W97M.Downloader

Email analysis :

NOTE : ringcentral@faxmessage.com
NOTE : 74.143.65.242 (rrcs-74-143-65-242.central.biz.rr.com)


NOTE : Mime-Version : 1.0

Tuesday, November 22, 2016

Your LogMein.com subscription has expired! (Virus)

Dear client,

You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.

You can download the bill directly from the LogMeIn website:
https://accounts.logme.in/billing.aspx?clusterid=0724&view_bill_id=3716 4647&file_type=doc

Please use another credit card or payment method in order to avoid complete service interruption.

Event type: Credit Card Declined
Account email: *.*
At: 21/11/2016

If you need more help, visit LogMeIn Support at:
http://solutions.logmein. com/SalesContactUs

Important Security Notice:
LogMeIn will never for your password or other sensitive information by email.

(Please don't reply to this email, as it's sent from an address that's not monitored.)

© LogMeIn Inc

Virus analysis :

CLICK : https://accounts.logme.in/billing.aspx?clusterid=0724&view_bill_id=3716 4647&file_type=doc
OPEN : https://reg.vn/en/view_bill.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=
DOWNLOAD : lgm_bill89831.doc
lgm_bill89831.doc : VIRUS


lgm_bill89831.doc analysis :

SHA256 : fc1f1845e47d4494a02407c524eb0e94b6484045adb783e90406367ae20a83ac
FILE : lgm_bill89831.doc
ALYac : Trojan.Downloader.W97M.Gen
Ad-Aware : W97M.Downloader.ESE
AegisLab : Troj.Downloader.Msword.Agent!c
Arcabit : W97M.Downloader.ESE
BitDefender : W97M.Downloader.ESE
Cyren : W97M/Nastjencro
ESET-NOD32 : VBA/Kryptik.T
Emsisoft : W97M.Downloader.ESE (B)
F-Prot : New or modified W97M/Nastjencro
F-Secure : Trojan:W97M/Nastjencro.A
GData : W97M.Downloader.ESE
Ikarus : Trojan-Downloader.VBA.Agent 20161121
Kaspersky : Trojan-Downloader.MSWord.Agent.auz
McAfee : W97M/Dropper.cu
McAfee-GW-Edition : W97M/Dropper.cu
eScan : W97M.Downloader.ESE
Microsoft : TrojanDownloader:O97M/Donoff!map
Sophos : Troj/DocDl-FQK
Symantec : W97M.Downloader
Tencent : Win32.Trojan.Inject.Auto
TrendMicro : W2KM_HANCITOR.AUSTT
TrendMicro-HouseCall : W2KM_HANCITOR.AUSTT

Email analysis :

NOTE : billing@secure-lgm.com
NOTE : Received : from wsip-70-165-74-172.hr.hr.cox.net
NOTE : (HELO secure-lgm.com) (70.165.74.172)

Friday, November 18, 2016

RE: shipping done

We shipped your crap.
Here s the tracking invoice :
https://www.ups.com/?tracking_invoice=219371293129312& action=download

Let us know when it arrives.
Thanks

Phishing analysis :

CLICK : https://www.ups.com/?tracking_invoice=219371293129312& action=download
OPEN : http://invoice-portal.com/invoices/get.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=
RESULT : Download a file called : inv11172016.doc

File analysis :

ESET-NOD32 : VBA/Kryptik.T
F-Secure : Trojan:W97M/Nastjencro.A
Fortinet : WM/Agent.5110!tr
Kaspersky : HEUR:Trojan.Script.Agent.gen
McAfee : W97M/Dropper.cu
McAfee-GW-Edition : W97M/Dropper.cu
NANO-Antivirus : Trojan.Ole2.Vbs-heuristic.druvzi
Panda : O97M/Downloader 20161117
Qihoo-360 : virus.office.gen.75
Symantec : W97M.Downloader
TrendMicro : W2KM_HANCITOR.YYSXC
TrendMicro-HouseCall : W2KM_HANCITOR.YYSXC

inv11172016.doc is a virus.

Email analysis :

NOTE : Return-Path : < rm@restaurantcocotte.com >
NOTE : 162.252.121.130 ()
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : X-Mailer : iPad Mail (11D169)
NOTE : Message-Id : < *@restaurantcocotte.com >
NOTE : Content-Type : text/html; charset="utf-8"
NOTE : Received : from unknown (HELO restaurantcocotte.com) (162.252.121.130)


NOTE : RE: shipping done

Wednesday, November 16, 2016

< no subject >


2016111105002973550858.zip

File analysis :

Download : 2016111105002973550858.zip
Result : 2016111105002973550858.zip is a virus.

Virus analysis :

ALYac Trojan.JS.Downloader.GYQ
AVG JS/Downloader.Agent.62_I
AVware Trojan-Downloader.JS.Nemucod.bbp (v)
Ad-Aware Trojan.JS.Downloader.GYQ
AegisLab Troj.Downloader.Js.Cryptoload!c
AhnLab-V3 JS/Obfus
Antiy-AVL Trojan/Generic.ASVCS3S.3F7
Arcabit Trojan.JS.Downloader.GYQ
Avast JS:Downloader-DSB [Trj]
Avira (no cloud) HEUR/Suspar.Gen
Baidu JS.Trojan-Downloader.Nemucod.od
BitDefender Trojan.JS.Downloader.GYQ
CAT-QuickHeal JS.Locky.JE
Cyren JS/Nemucod.CA2
DrWeb JS.DownLoader.1225
ESET-NOD32 JS/TrojanDownloader.Nemucod.BMK
Emsisoft Trojan.JS.Downloader.GYQ (B)
F-Prot JS/Nemucod.CA2
F-Secure Trojan.JS.Downloader.GYQ
Fortinet JS/Nemucod.BDA!tr
GData Trojan.JS.Downloader.GYQ
Ikarus Trojan-Downloader.JS.Nemucod
K7AntiVirus Trojan ( 004dfe6d1 )
K7GW Trojan ( 004dfe6d1 )
Kaspersky Trojan-Downloader.JS.Agent.nbi
McAfee JS/Nemucod.jg
McAfee-GW-Edition JS/Nemucod.jg
eScan Trojan.JS.Downloader.GYQ
Microsoft TrojanDownloader:JS/Nemucod!rfn
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm
Rising Downloader.Cryptoload!8.7DA (topis)
Sophos Mal/DrodZp-A
Symantec Trojan.Gen.NPE
Tencent Js.Trojan.Raas.Auto
TrendMicro JS_NEMUCOD.SMK14
VIPRE Trojan-Downloader.JS.Nemucod.bbp (v)

Final result :

I opened the virus, and the raw version of this virus is here : http://pastebin.com/raw/FVM8wh4v

This virus sounds like a ransomware...

Email analysis :

NOTE : diann.laughton99@winterbrew.com
NOTE : User-Agent : Microsoft-MacOutlook/14.0.0.100825
NOTE : Received : from customer-SLRC-130-213.megared.net.mx
NOTE : (unknown [201.164.130.213])

Sunday, July 3, 2016

Tyler Butler sent you "Scanned Documents.zip"

Tyler Butler a file with you on Dropbox

The updated agreement with BDO

Scanned Documents.zip

Download

© 2016 Dropbox

Screenshot of the email :

Email analysis :

NOTE : no-reply@dropbox.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : americanexpress@welcome.aexp.com
NOTE : 14.174.35.53


NOTE : Received : from static.vnpt.vn (unknown [14.174.35.53])

File analysis :

CLICK : Download
OPEN :

https://www.cubbyusercontent.com/pl/Scanned+Documents.zip/_08fa4c28262f424b970037c786caf840

DOWNLOAD : Scanned Documents.zip
RESULT : Scanned Documents.zip is a virus.

Virus analysis :

FILENAME : Scanned Documents.zip
SHA256 : 27d79850e1bae0d14a689e1d019ef6217d805189b04e486e3d54ed8a363d3689

====================================
Ad-Aware : Trojan.GenericKD.3363605
AegisLab : Troj.Generickd!c
Arcabit : Trojan.Generic.D335315
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3363605
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AGS
Emsisoft : Trojan.GenericKD.3363605 (B)
F-Secure : Trojan.GenericKD.3363605
Fortinet : JS/Nemucod.1509!tr
GData : Trojan.GenericKD.3363605
Ikarus : Trojan.Script
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.la
McAfee-GW-Edition : JS/Nemucod.la
eScan : Trojan.GenericKD.3363605
Microsoft : TrojanDownloader:JS/Nemucod.EW
Sophos : Troj/JSDldr-PH
====================================

Extraction of the zip : 3 files extracted.
Result : Scan001.js, Scan002.js, Scan003.js

File Scan001.js
File Scan002.js
File Scan003.js

Sunday, June 12, 2016

Samantha Gann sent you "Scan001.zip"

Samantha Gann a file with you on Dropbox

The updated agreement with AlixPartners

Scan001.zip

Download

© 2016 Dropbox

Email screenshot :


Email analysis :

NOTE : no-reply@dropbox.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/html; charset=ISO-8859-1
NOTE : Received : from unknown (HELO NNZCABJO) (1.47.202.181)


NOTE : Samantha Gann sent you "Scan001.zip"

File analysis :

CLICK : DOWNLOAD
OPEN : https://www.cubbyusercontent.com/pl/Scan001.zip/_6ec59f8ef081469e9dba0d304a99cb9d
FILENAME : Scan001.zip
RESULT : File is a virus.

Virus analysis :

SHA256: e68dfb45eb15d675073486679ac94cac1788ea5c54a3e39cb9cddddaf73a179e
FILENAME : Scan001.zip
AVG : Downloader.Generic_c.ALTL
Ad-Aware : Trojan.GenericKD.3298975
AegisLab : Exploit.Script.Generic!c
Arcabit : Trojan.Generic.D32569F
Avast : Other:Malware-gen [Trj]
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3298975
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.ADU
Emsisoft : Trojan.GenericKD.3298975 (B)
F-Secure : Trojan.GenericKD.3298975
Fortinet : JS/Nemucod.ET!tr.dldr
GData : Trojan.GenericKD.3298975
Ikarus : JS.Trojan-Downloader.Rogue
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Exploit.Script.Generic
McAfee : Generic.yd
McAfee-GW-Edition : Generic.yd
eScan : Trojan.GenericKD.3298975
Microsoft : TrojanDownloader:JS/Nemucod.AT
Rising : Exploit.Generic!8.3E1-aXLPd6nZxPO (Cloud)
TrendMicro : JS_NEMUCOD.QDA
TrendMicro-HouseCall : JS_NEMUCOD.QDA

Monday, May 9, 2016

DOCUMENT DE NON CONFORMITE (Virus)

Ci-joint le document de non conformité.

Bien � toi,
--



SCopieur VA9812357665355478.gz

Virus analysis :

SHA256 : 0235a1aded1737d8c89186b29a34610be835ff45f896091d6dcd6eb9a3152061
Filename : SCopieur VA9812357665355478.gz

ALYac : JS:Trojan.JS.Downloader.IQ
AVG : JS/Downloader.Agent
Ad-Aware : JS:Trojan.JS.Downloader.IQ
Arcabit : JS:Trojan.JS.Downloader.IQ
Avast : JS:Downloader-CZW [Trj]
Avira (no cloud) : JS/Dldr.Locky.98765
BitDefender : JS:Trojan.JS.Downloader.IQ
CAT-QuickHeal : JS.Locky.P
Cyren : JS/Locky.AC
DrWeb : JS.DownLoader.1397
ESET-NOD32 : JS/TrojanDownloader.Nemucod.WU
F-Prot : JS/Locky.AC
F-Secure : JS:Trojan.JS.Downloader.IQ
Fortinet : JS/Nemucod.WU!tr.dldr
GData : JS:Trojan.JS.Downloader.IQ
Ikarus : Trojan-Ransom.Script.Locky
Kaspersky : Trojan-Downloader.JS.Agent.kee
McAfee : JS/Nemucod.is
McAfee-GW-Edition : JS/Nemucod.is
eScan : JS:Trojan.JS.Downloader.IQ
Microsoft : TrojanDownloader:JS/Nemucod.EK
Rising : Downloader.Ransomware!8.625A-SOAAbihlG7H (Cloud)
Sophos : JS/Dldr-MD

Email analysis :

NOTE : lg46@valoritech.fr
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
NOTE : Received : from cmodem.201.140.226-163.wirenet.com.ar (unknown [201.140.226.163])

Thursday, December 3, 2015

Rép : bill (Virus)

This bill just came through and it has your name on it.
What is this about?

bill.doc

File analysis :

OPEN : bill.doc
RESULT : bill.doc is a virus.

Virus analysis :

ALYac : Trojan.Msword.NTC
AVG : Zbot.AKEI
AVware : Trojan.Win32.Generic!BT
Ad-Aware : Trojan.Msword.NTC
AhnLab-V3 : W97M/Dropper
Antiy-AVL : Trojan[PSW]/Win32.Fareit
Arcabit : HEUR(high).VBA.Trojan
Avast : Win32:Dropper-gen [Drp]
Avira : TR/Crypt.ZPACK.217559
BitDefender : Trojan.Msword.NTC
CAT-QuickHeal : W97M.Dropper.OF
Cyren : W97M/Dropper.D.gen
DrWeb : Trojan.PWS.Stealer.4118
ESET-NOD32 : VBA/TrojanDropper.Agent.EG
Emsisoft : Trojan.Msword.NTC (B)
F-Prot : W97M/Dropper.D.gen
F-Secure : Trojan.Msword.NTC
Fortinet : WM/Agent!tr
GData : Trojan.Msword.NTC
Ikarus : Trojan.Win32.PSW
Kaspersky : Trojan-PSW.Win32.Fareit.bium
McAfee : W97M/Dropper!E6CB6F898524
McAfee-GW-Edition : W97M/Dropper!E6CB6F898524
MicroWorld-eScan : Trojan.Msword.NTC
Microsoft : TrojanDropper:O97M/Farheyt
NANO-Antivirus : Trojan.Script.MulDrop.dyxcgh
Panda : O97M/Downloader
Sophos : Troj/Vawtrak-CO
Symantec : W97M.Downloader
Tencent : Win32.Trojan-qqpass.Qqrob.Amch
TrendMicro : W2KM_FAREIT.IBI
TrendMicro-HouseCall : W2KM_FAREIT.IBI
VIPRE : Trojan.Win32.Generic!BT
nProtect : Trojan-Downloader/W97M.Iron

Email analysis :

NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.4.0
NOTE : X-Remote : 108.178.222.238 ()


NOTE : Mime-Version : 1.0
NOTE : Received : from localhost (HELO queue) (127.0.0.1)
NOTE : Rép : bill

Monday, November 9, 2015

Vos documents scannés

Bonjour, merci de ne pas repondre ceci a été scanné depuis un multifonctions

SCAN03316445.doc

File analysis :

OPEN : SCAN03316445.doc
CHECK : SCAN03316445.doc is a virus
NOTE : McAfee / W97M/Downloader.aqh

Email analysis :

NOTE : DupuisRafael22@pc-113-129.strong-pc.com
NOTE : X-Ovh-Remote : 91.90.113.129 (pc-113-129.strong-pc.com)
NOTE : X-Av-Checked : clean on av10
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Received : from localhost (HELO queue) (127.0.0.1) by localhost
NOTE : Received : from pc-113-129.strong-pc.com (91.90.113.129)
NOTE : [SPAM] Vos documents scannés

Tuesday, October 27, 2015

Openings? (Virus)

Hi there.

I saw your business today Sat, 24 Oct 2015 and found it very likeable.
I was praying there was any possibility of employment, just to prove my competence.

As you will see in my resume, I am very qualified and have a very sweeping experience in this field of work. I am confident it will be worth your time reviewing it, and I am even more positive you will find me very suitable in your corporation.

Please see my CV.

I'm very much looking forward to hearing from you.

Thanks,

Theda Deisch

My_Resume_64004.doc

My_Resume_64004.doc analysis :

My_Resume_64004.doc is a virus.

Virus analysis :

AVware LooksLike.Macro.Malware.h (v)
AhnLab-V3 : DOC/Downloader
Arcabit : HEUR.VBA.Trojan
CAT-QuickHeal : O97M.Dropper.LQ
Fortinet : WM/Agent!tr
Ikarus : Trojan-Downloader.VBA.Agent
Sophos : Troj/DocDl-AFA
Symantec : W97M.Downloader
TrendMicro : TROJ_FRS.0NA004JP15
TrendMicro-HouseCall : TROJ_FRS.0NA004JP15
VIPRE : LooksLike.Macro.Malware.h (v)

Email analysis :

NOTE : thedaobmhf@rambler.ru
NOTE : Mime-Version : 1.0
NOTE : 81.19.67.206


NOTE : X-Rambler-User : thedaobmhf@rambler.ru/117.253.216.19


NOTE : X-Mailer : Rambler WebMail, http://mail.rambler.ru/
NOTE : Received : from [117.253.216.19] by mail.rambler.ru
NOTE : Openings?

Monday, August 31, 2015

Notice to Appear

Notice to Appear,

This is to inform you to appear in the Court on the September 02 for your case hearing. You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.

Note: The case may be heard by the judge in your absence if you do not come.

The copy of Court Notice is attached to this email.

Regards,
Gary Noble,
Court Secretary.

000475484.zip

File analysis :

OPEN : 000475484.zip
RESULT : File is a virus.

Virus analysis :

SHA256 : 0c8d2b8cba6611097793124c3dac9e9313207ba8857b41330ca021c89f52c82f
ALYac : JS:Trojan.JS.Downloader.AN
AVG : JS/Downloader.Agent
AVware : Malware.JS.Generic (JS)
Ad-Aware : JS:Trojan.JS.Downloader.AN
Arcabit : JS:Trojan.JS.Downloader.AN
Avast : JS:Agent-DOB [Trj]
BitDefender : JS:Trojan.JS.Downloader.AN
CAT-QuickHeal : JS.Downloader.Z
Comodo : Heur.Dual.Extensions
DrWeb : SCRIPT.Virus
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AV
Emsisoft : JS:Trojan.JS.Downloader.AN (B)
F-Secure : JS:Trojan.JS.Downloader.AN
Fortinet : JS/Agent.CPL!tr
GData : JS:Trojan.JS.Downloader.AN
Kaspersky : Trojan-Downloader.JS.Agent.hhe
McAfee : JS/Nemucod.c
McAfee-GW-Edition : JS/Nemucod.c
Microsoft : TrojanDownloader:JS/Nemucod.P
NANO-Antivirus : Trojan.Script.Agent.dtchtk
Rising : NORMAL:Trojan.DL.Script.JS.Nemucod.b!1616509[F1]
Sophos : JS/DwnLdr-MON
VIPRE : Malware.JS.Generic (JS)
nProtect : JS:Trojan.JS.Downloader.AN

Email analysis :

NOTE : Notice to Appear
NOTE : gary.noble@wayneshostingworld.co.uk
NOTE : Received : from doggroom by server.wayneshostingworld.co.uk with local (Exim 4.85)
NOTE : Received : from server.wayneshostingworld.co.uk (wayneshostingworld.co.uk. [78.129.234.106])
NOTE : X-Php-Script : doggroomingparlour.co.uk/post.php for 77.111.207.70

Invoice Jeff Herman


invoice53444271 Jeff Herman.zip

File analysis :

OPEN : invoice53444271 Jeff Herman.zip
RESULT : File is a virus.

Virus analysis :

SHA256: 9c6ce032c5b4f521b0ace607a50a499812ecb9845741862a0f7f9183a87c7c49

ALYac : Trojan.Agent.BMBU
AVG : FakeAlert
AVware : Trojan.Win32.Generic!BT
Ad-Aware : Trojan.Agent.BMBU
Agnitum : Trojan.DL.Dofoil!MdY5QMP4IPM
Arcabit : Trojan.Agent.BMBU
Avast : Win32:Trojan-gen
Baidu-International : Trojan.Win32.Dofoil.bstr
BitDefender : Trojan.Agent.BMBU
CAT-QuickHeal : TrojanDownloader.Upatre.r4
Cyren : W32/Trojan3.RIE
ESET-NOD32 : a variant of Win32/Kryptik.DUYG
Emsisoft : Trojan.Agent.BMBU (B)
F-Prot : W32/Trojan3.RIE
F-Secure : Trojan.Agent.BMBU
Fortinet : W32/Kryptik.DUMX!tr
GData : Trojan.Agent.BMBU
Ikarus : Trojan-Downloader.Win32.Upatre
Jiangmin : TrojanDownloader.Dofoil.bhq
K7AntiVirus : Trojan ( 004cddfe1 )
K7GW : Trojan ( 004cddfe1 )
Kaspersky : Trojan-Downloader.Win32.Dofoil.bstr
Malwarebytes : Spyware.Dyre
McAfee : Upatre-FACE!67B2464F5D77
McAfee-GW-Edition : Upatre-FACE!67B2464F5D77
MicroWorld-eScan : Trojan.Agent.BMBU
Microsoft : TrojanDownloader:Win32/Upatre
NANO-Antivirus : Trojan.Win32.Dyre.dvrjgu
Panda : Trj/CI.A
Qihoo-360 : HEUR/QVM19.1.Malware.Gen
Sophos : Troj/Upatre-LD
TrendMicro : TROJ_UP.10D6D122
TrendMicro-HouseCall : TROJ_UP.10D6D122
VBA32 : Heur.Trojan.Hlux
VIPRE : Trojan.Win32.Generic!BT
ViRobot : Trojan.Win32.Upatre.43520.A[h]
Zillya : 'Downloader.UpatreGen.Win32.68
nProtect : Trojan.Agent.BMBU

Email analysis :

NOTE : bespalov@stati.orene.ru
NOTE : Received : by stati.orene.ru (Postfix, from userid 5001)
NOTE : 94.79.7.6 ()

Thursday, August 27, 2015

Indebtedness for driving on toll road #000948265 (Virus)

Notice to Appear,

You have not paid for driving on a toll road.
You are kindly asked to pay your debt as soon as possible.

The copy of the invoice is attached to this email.

Sincerely,
Thomas Gorman,
E-ZPass Agent.

E-ZPass_Invoice_000948265.zip

File analysis :

OPEN FILE : E-ZPass_Invoice_000948265.zip
RESULT : FILE IS A VIRUS

Virus analysis :

SHA256 : 5ec5b13bbf1d2a2179168acfaec53da59afa6b8ca480930e1b56d996b51dd140
ALYac : JS:Trojan.JS.Downloader.AN
AVG : JS/Downloader.Agent
AVware : Malware.JS.Generic (JS)
Ad-Aware : JS:Trojan.JS.Downloader.AN
Arcabit : JS:Trojan.JS.Downloader.AN
Avast : JS:Agent-DOB [Trj]
BitDefender : JS:Trojan.JS.Downloader.AN
CAT-QuickHeal : JS.Downloader.Z
Comodo : Heur.Dual.Extensions
DrWeb : SCRIPT.Virus
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AS
Emsisoft : JS:Trojan.JS.Downloader.AN (B)
F-Secure : JS:Trojan.JS.Downloader.AN
Fortinet : JS/Agent.CPL!tr
GData : JS:Trojan.JS.Downloader.AN
Kaspersky : Trojan.JS.Agent.cpl
McAfee : JS/Nemucod.c
McAfee-GW-Edition : JS/Nemucod.c
MicroWorld-eScan : JS:Trojan.JS.Downloader.AN
Microsoft : TrojanDownloader:JS/Nemucod.P
NANO-Antivirus : Trojan.Script.Agent.dtchtk
Rising : NORMAL:Trojan.DL.Script.JS.Nemucod.b!1616509[F1]
Sophos : JS/DwnLdr-MON
VIPRE : Malware.JS.Generic (JS)
nProtect : JS:Trojan.JS.Downloader.AN

Email analysis :

NOTE : thomas.gorman@jerusalem.hostyou.com.br
NOTE : client-ip=104.238.195.142;
NOTE : Sender Address Domain - jerusalem.hostyou.com.br
NOTE : X-Source-Args : /usr/bin/php /home/centova/public_html/coisaseria.com.br/post.php
NOTE : < centova@jerusalem.hostyou.com.br >
NOTE : Mime-Version : 1.0
NOTE : X-Source-Dir : centova.com:/public_html/coisaseria.com.br
NOTE : X-Priority : 3
NOTE : X-Get-Message-Sender-Via : jerusalem.hostyou.com.br:
NOTE : authenticated_id: centova/primary_hostname/system user
NOTE : X-Source : /usr/bin/php
NOTE : Received : by 10.202.17.82 with SMTP
NOTE : Received : from centova by jerusalem.hostyou.com.br
NOTE : Indebtedness for driving on toll road #000948265

Friday, July 17, 2015

Temos uma mensagem para voce - Alfa

Boleto de Cobrança Referente ao pedido: 00197742

Caro(a) cliente

Informo que a duplicata com vencimento em 05/07 no valor de R$2.554,07 não foi paga.
Faça o download da 2ª via da duplicata atualizada para pagamento.

Download boleto atualizado

Aguardamos o pagamento do boleto. O não pagamento do acordo nos prazos estabelecidos
acarretara multa e juros de mora de 0,5% (meio por cento) ao dia.

Atenciosamente.
Aldo A. Silva
Setor Financeiro.
Alfa finaceira Ltda
CNPJ: 61.198.164/0001-60

ref: 933170

[Time_long]

Virus analysis

CLICK : Download boleto atualizado
OPEN : http://bit.ly/1e0X1SA
DOWNLOAD FILE : Documento_N_908301238HAK38-31.zip
SHA256 : 50fb97d11dc2dfd85ebf2242aa8919829ac955906094f1868d13dadabda45ffe
Avast : Win32:Malware-gen
Baidu-International : Trojan.Win32.Downloader.aa
DrWeb : Trojan.MulDrop5.63051
Kaspersky : HEUR:Trojan-Downloader.Win32.Generic
Sophos : Mal/BredoZp-B

Email analysis :

NOTE : melissa.santana@trifil.com.br
NOTE : Received : from vps2477.vpsunit.com (83.125.87.89)
NOTE : 83.125.87.89 (vps2477.vpsunit.com)