Tuesday, July 3, 2018

Refer to this following Invoice#******* (Dropbox Phishing)


View the Document i attached to you via Dropbox. Sent on 21/02/2018.

View document

Kind Regards.
Cindy Whitfield
Rich Rags
Designer Wearable Art
My cell Phone number is 530-520-5540

Email analysis :

NOTE : dirkschulzegronover@t-online.de

Phishing analysis :

CLICK : View document
OPEN : http://huzaifamarble.com/redirect/ch.html
REDIRECT : http://www.bashtv.com.au//telekomlomel/drp/page.php?id=*
NOTE : http://www.bashtv.com.au//telekomlomel/drp/page.php

Tuesday, September 12, 2017

Please verify your email address *

The Dropbox logo

Hi *,

We just need to verify your email address before your sign up is complete!

Verify your email

Happy Dropboxing!

Email analysis :

NOTE : Received : from customer-PUE-207-103.megared.net.mx (unknown [])

NOTE : verify@dropbox.com
LINK : http://floraisdobrasil.com.br/dropbox.html

NOTE : Received : from (unknown [])

NOTE : verify@dropbox.com
LINK : http://basedow-bilder.de/dropbox.html

Phishing analysis :

CLICK : Verify your email
OPEN : http://floraisdobrasil.com.br/dropbox.html

CLICK : Verify your email
OPEN : http://basedow-bilder.de/dropbox.html

REDIRECT : http://wittinhohemmo.net/drop.php

OPEN : http://wittinhohemmo.net/drop.php
RESULT : Dropbox-MSGCODE-*.js is a virus

Virus analysis :

Arcabit HEUR.JS.Trojan.ba
Avira HTML/ExpKit.Gen2
Baidu JS.Trojan-Downloader.Nemucod.yo
Cyren JS/Agent.AAO1!Eldorado
F-Prot JS/Agent.AAO1!Eldorado
Qihoo-360 virus.js.qexvmc.1075
Rising Malware.Undefined!8.C (cloud:CVrV9ZfawJI)
Symantec JS.Downloader.D
TrendMicro Possible_Cerber-JS03b1
TrendMicro-HouseCall Possible_Cerber-JS03b1
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic

Conclusion :

Virus stored for analysis...

Saturday, September 2, 2017

Please verify your email address (Dropbox Phishing Attempt)

The Dropbox logo

Hi *,

We just need to verify your email address before your sign up is complete!

Verify your email

Happy Dropboxing!

Email analysis :

NOTE : no-reply@dropbox.com
NOTE : Received : from [] (unknown [])

NOTE : Received : from ip-161-245.vnt.net.id (unknown [])

NOTE : Received : from unitel.com.la (unknown [])

Phishing analyis :

CLICK : Verify your email
OPEN : http://jaysonmorrison.com/dropbox.html

CLICK : click here
OPEN : http://dippydado.net/json.php
RESULT : website broken...
OPEN : Another dropbox phishing with the same content
CLICK : Verify your email
OPEN : http://dar-alataa.com/dropbox.html

CLICK : click here
RESULT : same result...
OPEN : Another Dropbox phishing with the same content
CLICK : Verify your email
OPEN : http://potamitis.gr/dropbox.html

CLICK : click here
RESULT : same result...

Monday, December 19, 2016

Your account will be blocked!!! (Dropbox Phishing)

Dear User,

Your Mail Storage Limit has exceeded you might not be able to send or receive new messages; Click or Copy the link below onto your browser to verify your email and increase storage limit.


Note: Failure to heed strictly to this notification will lead to Email Account deletion thereby causing lost of files.

Thank you for using our mail system

Mail Administrator

Email analysis :

NOTE : hr@mail.com
NOTE : Received : from User (unknown [])
NOTE : (Authenticated sender: admin) by mail.vps.com (Postfix)

Phishing analysis :

CLICK : http://www.powerline.or.kr/zboard/data/dpbx/index.php
OPEN : http://www.powerline.or.kr/zboard/data/dpbx/index.php

RESULT : Dropbox phishing
CLICK : Other Emails

CLICK : Submit
REDIRECT : https://www.dropbox.com/

Sunday, July 3, 2016

Tyler Butler sent you "Scanned Documents.zip"

Tyler Butler a file with you on Dropbox

The updated agreement with BDO

Scanned Documents.zip


© 2016 Dropbox

Screenshot of the email :

Email analysis :

NOTE : no-reply@dropbox.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : americanexpress@welcome.aexp.com

NOTE : Received : from static.vnpt.vn (unknown [])

File analysis :

CLICK : Download


DOWNLOAD : Scanned Documents.zip
RESULT : Scanned Documents.zip is a virus.

Virus analysis :

FILENAME : Scanned Documents.zip
SHA256 : 27d79850e1bae0d14a689e1d019ef6217d805189b04e486e3d54ed8a363d3689

Ad-Aware : Trojan.GenericKD.3363605
AegisLab : Troj.Generickd!c
Arcabit : Trojan.Generic.D335315
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3363605
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AGS
Emsisoft : Trojan.GenericKD.3363605 (B)
F-Secure : Trojan.GenericKD.3363605
Fortinet : JS/Nemucod.1509!tr
GData : Trojan.GenericKD.3363605
Ikarus : Trojan.Script
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.la
McAfee-GW-Edition : JS/Nemucod.la
eScan : Trojan.GenericKD.3363605
Microsoft : TrojanDownloader:JS/Nemucod.EW
Sophos : Troj/JSDldr-PH

Extraction of the zip : 3 files extracted.
Result : Scan001.js, Scan002.js, Scan003.js

File Scan001.js
File Scan002.js
File Scan003.js

Friday, June 17, 2016

Secure Message From Eric


Hello, I tried to upload and send earlier but got an error message, So i had to send it using Dropbox because it is safe and secure to share important document/files.

View|Download files


© 2016 Drop Box

Avast logo
This email has been checked for viruses by Avast antivirus software.

File analysis :

CLICK : View|Download files
OPEN : http://goo.gl/OgPeo3
REDIRECT : http://timeinformatica.com.br/down.js/
RESULT : Unresponsive...

Email analysis :

NOTE : info@g-dss.com
NOTE : iluvtoteach56@aol.com
NOTE : Received : from LOBO (unknown [])

NOTE : Colocore Gmbh
NOTE : client-ip=;

Wednesday, June 15, 2016

DocuSign Document (Dropbox Phishing)

You have a new file shared with you via Dropbox secure file transfer

Click here to view

Dropbox Pro also comes with
powerful sharing and security features:
scan.28373.pdfPièce jointe.png

Sign in to access shared file

If you prefer not to receive Dropbox newsletters, please go here.
Dropbox, Inc., PO Box 77767, San Francisco, CA 94107 © 2016 Dropbox

Email screenshot :

Email analysis :

NOTE : Temitjcob@mrapesinol.com
NOTE : X-Organization : ykyrhqaxljfo129498
NOTE : staymoola09@maymostfavour.com
NOTE : X-Originating-Ip : []

Phishing analysis :

CLICK : Click here to view
OPEN : http://bit.do/b69KJ
RESULT : Phishing was removed...

Sunday, June 12, 2016

Samantha Gann sent you "Scan001.zip"

Samantha Gann a file with you on Dropbox

The updated agreement with AlixPartners



© 2016 Dropbox

Email screenshot :

Email analysis :

NOTE : no-reply@dropbox.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/html; charset=ISO-8859-1
NOTE : Received : from unknown (HELO NNZCABJO) (

NOTE : Samantha Gann sent you "Scan001.zip"

File analysis :

OPEN : https://www.cubbyusercontent.com/pl/Scan001.zip/_6ec59f8ef081469e9dba0d304a99cb9d
FILENAME : Scan001.zip
RESULT : File is a virus.

Virus analysis :

SHA256: e68dfb45eb15d675073486679ac94cac1788ea5c54a3e39cb9cddddaf73a179e
FILENAME : Scan001.zip
AVG : Downloader.Generic_c.ALTL
Ad-Aware : Trojan.GenericKD.3298975
AegisLab : Exploit.Script.Generic!c
Arcabit : Trojan.Generic.D32569F
Avast : Other:Malware-gen [Trj]
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3298975
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.ADU
Emsisoft : Trojan.GenericKD.3298975 (B)
F-Secure : Trojan.GenericKD.3298975
Fortinet : JS/Nemucod.ET!tr.dldr
GData : Trojan.GenericKD.3298975
Ikarus : JS.Trojan-Downloader.Rogue
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Exploit.Script.Generic
McAfee : Generic.yd
McAfee-GW-Edition : Generic.yd
eScan : Trojan.GenericKD.3298975
Microsoft : TrojanDownloader:JS/Nemucod.AT
Rising : Exploit.Generic!8.3E1-aXLPd6nZxPO (Cloud)
TrendMicro-HouseCall : JS_NEMUCOD.QDA

Sunday, May 15, 2016

Download your pending document via Dropbox 13-53-09 (Dropbox Phishing)

Hello *@*

You have a pending incoming document shared with you via Dropbox

Dropbox makes it easy to create, store and share online documents, spreadsheets and presentations.

lClick here to view shared docs.

- The Dropbox Team
© 2016 Dropbox

Phishing analysis :

CLICK : lClick here to view shared docs.
OPEN : http://bit.ly/1Y7zmlo
REDIRECT http://www.wmh11.conticom.pl/media/mailto/load_content.php
ADRESS BAR : Change to base64 (data:text/html;charset=utf-8;base64)

FORM (HTML) : http://homedecoration.pw/mickyrosay/finish.php
CLICK : Sign In

CLICK : Validate
REDIRECT : https://www.dropbox.com/business?_camp=email_basic&oref=e&_tk=email&_ad=39078

Email analysis :

NOTE : dm3@customerserviceprovider.onmicrosoft.com
NOTE : antcear960@gmail.com
NOTE : X-Organization : yksvextavevak21954
NOTE : X-Author : yksvextavevak21955
NOTE : X-Originating-Ip : []

Wednesday, April 27, 2016

You Have (1) New Document - Shared Via Dropbox


Phishing analysis :

OPEN : http://www.pet-house.com.gr/wp-agretj/red/
RESULT : page unresponsive...

Email analysis :

NOTE : ahsinger@wesleyan.edu
NOTE : client-ip=2607:f8b0:4001:c06::243;
NOTE : Account : ashinger

Saturday, April 2, 2016

Please Confirm (Dropbox Phishing)

Please confirm

Attached PO and TT copy, check on dropbox. Our agent will contact you soon for Carton design.

UhlSport Gmbh


Phishing analysis :

CLICK : http://www.diabeez.in/cgisys/dropboxx/downloadPO-D1956-1.htm?

REDIRECT : https://www.dropbox.com/s/paic7kvmg1lqnsg/PO%201026240.pdf?dl=0

Email analysis :

NOTE : mldminn@outlook.com
NOTE : as permitted sender
NOTE : X-Ms-Exchange-Crosstenant-Originalarrivaltime : 01 Apr 2016 08:47:01.9167 (UTC)
NOTE : X-Originatororg : outlook.com
NOTE : X-Ms-Exchange-Transport-Crosstenantheadersstamped : VE1EUR01HT230
NOTE : X-Forefront-Antispam-Report : CIP:;IPV:NLI;CTRY:GB;EFV:NLI;SFV:NSPM;SFS:(10019020)
NOTE : Authentication-Results : spf=softfail (sender IP is
NOTE : X-Ms-Exchange-Crosstenant-Fromentityheader : Internet
NOTE : Accept-Language : en-US
NOTE : Content-Language : en-US
NOTE : Mime-Version : 1.0
NOTE : Please Confirm

Notes from Scam.cz :

  • servers were used to relay this phishing.
  • = UK Ministry of Defence
  • https://www.gov.uk/government/organisations/ministry-of-defence
  • Inside the UK ministry of defence, there is a station relaying dropbox phishing.

Sunday, January 17, 2016

You have a dropbox message (Dropbox phishing)

Greetings from Dropbox Team!

You have a new document shared with you via dropbox
Click to open: Secure Message

Happy Dropboxing!
- The Dropbox Team

P.S. To get even more space, invite your friends or upgrade your Dropbox.
© 2016 Dropbox

Phishing analysis :

CLICK : Secure Message
OPEN : http://siliconleaf.com/js/drop/TT/Dropbox.html

NOTE : Phishing was removed.

Email analysis :NOTE :

NOTE : Mime-Version : 1.0
NOTE : lizann50@suddenlink.net designates as permitted sender)
NOTE : smtp.mailfrom=lizann50@suddenlink.net
NOTE : Return-Path : < lizann50@suddenlink.net >
NOTE : Received : from dalofep02.suddenlink.net (txofep02.suddenlink.net. [])
NOTE : Received : from [] (really [])

NOTE : by dalofep02.suddenlink.net (InterMail vM.
NOTE : client-ip=;

NOTE : You have a dropbox message

siliconleaf.com whois :

Registry Domain ID: 1735949442_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2015-07-26T15:27:00Z
Creation Date: 2012-07-27T06:08:40Z
Registrar Registration Expiration Date: 2016-07-27T06:08:40Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Registrant Name: Rushabh Parikh
Registrant Organization: Silikonleaf
Registrant Street: 402, Chandanvan-1, Majuragate
Registrant City: Surat
Registrant State/Province: Gujarat
Registrant Postal Code: 395002
Registrant Country: IN
Registrant Phone: +91-902-445-6484
Registrant Email: russ1990@gmail.com
Admin Name: Rushabh Parikh
Admin Organization: Silikonleaf
Admin Street: 402, Chandanvan-1, Majuragate
Admin City: Surat
Admin State/Province: Gujarat
Admin Postal Code: 395002
Admin Country: IN
Admin Phone: +91-902-445-6484
Admin Email: russ1990@gmail.com
Tech Name: Rushabh Parikh
Tech Organization: Silikonleaf
Tech Street: 402, Chandanvan-1, Majuragate
Tech City: Surat
Tech State/Province: Gujarat
Tech Postal Code: 395002
Tech Country: IN
Tech Phone: +91-902-445-6484
Tech Email: russ1990@gmail.com
Name Server: DNS.SITE5.COM
Name Server: DNS2.SITE5.COM
DNSSEC: unsigned

Tuesday, June 9, 2015

Frank has sent you a document (Dropbox Phishing)

Frank has shared a document (JuneApproval.doc) with you.

View Document Now

Thank you!
- The Drop box Team
c 2015 Drop box

Email analysis :

NOTE : frank.mail.dropbox@dropboxwiki.com

Phishing analysis :

NOTE : CLICK View Document Now
NOTE : CLICK http://valiti.net/img/secure/dropbox/login/

NOTE : REDIRECT : https://www.dropbox.com/

valiti.net whois :

Domain Name: VALITI.NET Registry Domain ID: 1843539257_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.retailstudio.com Registrar URL: http://www.netissime.com Updated Date: 2015-01-22T17:11:40Z Creation Date: 2014-01-20T12:55:03Z Registrar Registration Expiration Date: 2017-01-20T12:55:03Z Registrar: ELB Group, Inc. Registrar IANA ID: 820 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Trejo Barrio Manuel Registrant Organization: N/A Registrant Street: Rekalde, 30 bajo Registrant City: Soraluze Registrant State/Province: not applicable Registrant Postal Code: 20590 Registrant Country: ES Registrant Phone: +34.340000000 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: limpiezastrejo@limpiezastrejo.com Registry Admin ID: Admin Name: Trejo Barrio Manuel Admin Organization: N/A Admin Street: Rekalde, 30 bajo Admin City: Soraluze Admin State/Province: not applicable Admin Postal Code: 20590 Admin Country: ES Admin Phone: +34.340000000 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: limpiezastrejo@limpiezastrejo.com Registry Tech ID: Tech Name: Trejo Barrio Manuel Tech Organization: N/A Tech Street: Rekalde, 30 bajo Tech City: Soraluze Tech State/Province: not applicable Tech Postal Code: 20590 Tech Country: ES Tech Phone: +34.340000000 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: limpiezastrejo@limpiezastrejo.com Name Server: ns2.comalis.net Name Server: vps10037-cloud.comalis.net DNSSEC:Unsigned Registrar Abuse Contact Email: abuse@netissime.com Registrar Abuse Contact Phone: +33.0974763926 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>>Last update of WHOIS database: 2015-06-09T09:13:56+0000Z For more information on Whois status codes, please visit https://icann.org/epp Registration Service Provided By: COMALIS The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is", and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. The Registrar of record is ELB Group, Inc.. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms.

Thursday, May 29, 2014

INCOMING FAX REPORT : Remote ID: 785-889-5336


Date/Time: Thu, 29 May 2014 17:35:43 +0800
Speed: 4889bps
Connection time: 01:06
Pages: 3
Resolution: Normal
Remote ID: 621-206-7574
Line number: 1
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file: